Diicot Threat Agent
Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery.
Cado Labs’ researchers have found evidence of Diicot deploying an off-the-shelf Mirai-based botnet agent named Cayosin. The agent specifically targets routers running OpenWrt, the Linux-based operating system for embedded devices.
The researchers note that analyzing Diicot’s campaign was laborious because of the convoluted execution chain and the basic obfuscation techniques the group uses. However, its payloads often exhibit noisy behavior, which makes them detectable with proper network monitoring.
Cado Labs recommends basic SSH hardening measures, such as mandating key-based authentication for SSH instances. Organizations should also implement firewall rules to restrict SSH access to specific IP addresses, which can significantly bolster security defenses against this malware family.
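As an added example (this is not code from the Cado Labs report or from Diicot’s tooling), the shell script below checks an sshd_config for the settings those two recommendations imply and prints an nftables rule set that restricts TCP/22 to an allow-list of source addresses. The two config files and the IP addresses are constructed for the demonstration; the check on KbdInteractiveAuthentication goes beyond the text, because leaving it enabled allows password guessing to continue through keyboard-interactive prompts even when PasswordAuthentication is off.

```shell
# Added example, not from the Cado Labs write-up: audit an sshd_config for the
# hardening the text recommends and generate an SSH allow-list firewall rule set.
# The config files and IP addresses below are constructed for the demonstration.

# Print the effective value of an sshd_config keyword. sshd honours the first
# uncommented occurrence, so the first match wins; keywords are case-insensitive.
sshd_setting() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 only when password guessing over SSH is closed off:
# PasswordAuthentication and KbdInteractiveAuthentication off, PubkeyAuthentication on.
# Unset keywords fall back to the OpenSSH defaults (yes for all three).
check_sshd_hardening() {
  hard_pw=$(sshd_setting "$1" PasswordAuthentication)
  hard_kbd=$(sshd_setting "$1" KbdInteractiveAuthentication)
  hard_pk=$(sshd_setting "$1" PubkeyAuthentication)
  [ "${hard_pw:-yes}" = "no" ] && [ "${hard_kbd:-yes}" = "no" ] && [ "${hard_pk:-yes}" = "yes" ]
}

# Emit an nftables rule set that accepts TCP/22 only from the space-separated
# IPv4 sources in $1 and drops all other SSH traffic. It is printed rather than
# applied so the demonstration stays offline; review it, then load with `nft -f`.
ssh_allowlist_rules() {
  printf 'table inet filter {\n  chain input {\n'
  printf '    type filter hook input priority 0; policy accept;\n'
  for allow_src in $1; do
    printf '    ip saddr %s tcp dport 22 accept\n' "$allow_src"
  done
  printf '    tcp dport 22 drop\n  }\n}\n'
}

# Constructed sample configs: the permissive defaults an exposed host often has,
# and the hardened equivalent.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sshd_config (weak)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sshd_config (hardened)
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
  if check_sshd_hardening "$cfg"; then
    echo "$cfg: OK, password-based logins disabled"
  else
    echo "$cfg: WEAK, password-based logins still possible"
  fi
done
ssh_allowlist_rules "192.0.2.10 198.51.100.7"
```

The rule set uses an accept policy with an explicit drop for port 22 so it can be dropped into an existing ruleset without cutting off other services; on a host that already has a default-drop input chain, only the per-source accept lines are needed.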
Diicot campaigns generally follow a long execution chain in which each payload depends on the results of the stage before it. shc-compiled executables act as loaders that prepare the system for mining with a custom XMRig build.
Initial access is achieved with a custom 64-bit Golang-based SSH brute-forcing tool called “aliases”, which takes a list of IP addresses and credential pairs to attack. If “aliases” encounters an OpenWrt router, it launches a Mirai-like spreader script named “bins.sh” to obtain the Cayosin botnet agent binaries (multiple 32-bit ELF binaries).
The first eight characters of the result are used as the password. Diicot registers an SSH key after the miner runs to maintain access to the system and creates a simple script that restarts the miner if it stops running. Users must implement SSH hardening, such as key-based authentication for SSH instances and firewall rules that restrict SSH access to specific IP addresses.
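The persistence step described above leaves a trace that defenders can check for: a key in authorized_keys that nobody provisioned. As an added example (not code from the Cado Labs report or from the group’s tooling), the script below reduces each authorized_keys entry to its key type and blob, compares the live file against an approved baseline, and reports entries with no baseline match. Both files and every key string in them are constructed samples, not real keys.

```shell
# Added example, not from the Cado Labs write-up: diff an authorized_keys file
# against an approved baseline and report keys that administrators did not
# provision. A key registered for persistence shows up as an entry with no
# baseline match. Both files below are constructed samples with fake key blobs.

# Reduce each authorized_keys entry to "keytype blob", skipping blank and
# comment lines and ignoring any leading options (e.g. no-pty, from="...")
# and the trailing comment, so cosmetic edits neither hide nor create diffs.
key_ids() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
      for (i = 1; i < NF; i++) {
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
          print $i, $(i + 1)
          break
        }
      }
    }' "$1"
}

# Print the key ids present in the live file ($2) but absent from the baseline ($1).
unexpected_keys() {
  base_ids=$(mktemp)
  key_ids "$1" | sort -u > "$base_ids"
  key_ids "$2" | sort -u | comm -13 "$base_ids" -
  rm -f "$base_ids"
}

# Constructed baseline (what was provisioned) and live file (what is on the host).
BASELINE=$(mktemp)
LIVE_KEYS=$(mktemp)
trap 'rm -f "$BASELINE" "$LIVE_KEYS"' EXIT
cat > "$BASELINE" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyNotARealKey00000 admin@constructed
EOF
cat > "$LIVE_KEYS" <<'EOF'
# keys on the host after the incident (constructed)
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyNotARealKey00000 admin@constructed
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABConstructedUnknownKeyNotARealKey11111 root@unknown
EOF

found=$(unexpected_keys "$BASELINE" "$LIVE_KEYS")
if [ -n "$found" ]; then
  echo "keys not in baseline:"
  echo "$found"
else
  echo "no unexpected keys"
fi
```

Run the comparison for every account that has an authorized_keys file (root included), and keep the baseline somewhere the host cannot modify; an attacker who can write authorized_keys can just as easily edit a baseline stored beside it.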