New Diicot group targets SSH servers with brute-force malware

Home/BOTNET, Exploitation, Internet Security, IOC's, malicious cyber actors, Malicious extension, Malware, Security Advisory, Security Update/New Diicot group targets SSH servers with brute-force malware

New Diicot group targets SSH servers with brute-force malware

Diicot shares its new name with the Romanian anti-terrorist police unit and uses the same style of messaging and imagery.

Diicot Threat Agent

Diicot, previously known as Mexals, is a relatively new threat group that possesses extensive technical knowledge and has a broad range of objectives. Diicot shares its new name with the Romanian anti-terrorism policing unit and uses the same style of messaging and imagery.

Cado Labs’ researchers have found evidence of Diicot deploying an off-the-shelf Mirai-based botnet agent named Cayosin. The agent specifically targets routers running the Linux-based embedded devices operating system OpenWRT.

The researchers do note that analyzing Diicot’s campaign was a laborious task because of the convoluted execution chain and basic obfuscation techniques used by the hacking gang. However, their payloads often exhibit noisy behavior, making them detectable with proper network monitoring.

Cado Labs recommends basic SSH hardening measures, such as mandating key-based authentication for SSH instances. Organizations should also implement firewall rules to restrict SSH access to specific IP addresses, which can significantly bolster security defenses against this malware family.

Analysis

In general, Diicot team campaigns have a long execution chain in which payloads and results share an interdependent relationship. Shc executables act as loaders that prepare the system for mining via a custom XMRig build.

Initial access is achieved with a custom, 64-bit Golang-based SSH brute-forcing tool called “aliases”. Gets a list of IP addresses and credential pairs to target for attack. If “aliases” encounters an OpenWrt router, then a Mirai-like spreader script named “bins.sh” is launched to obtain the Cayosin botnet agent binaries (multiple 32-bit ELF binaries).

The first eight characters of the result are used as the password. Diicor registers the SSH key after the miner runs to maintain access to the system and creates a simple script to restart the miner if it stops running. Users must implement SSH hardening, such as key-based authentication for SSH instances and firewall rules, to restrict their IP access.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

Post Views: 257
By | 2023-06-19T08:25:24+05:30 June 16th, 2023|BOTNET, Exploitation, Internet Security, IOC's, malicious cyber actors, Malicious extension, Malware, Security Advisory, Security Update|

About the Author:

FirstHackersNews- Identifies Security

Related Posts

Leave A Comment

Subscribe to our newsletter to receive security tips everday!