Diicot Expands Tactics with Cayosin Botnet

June 17, 2023 | Ravie Lakshmanan | Cryptojacking / Network Security

Cybersecurity researchers have discovered a previously undocumented payload linked to a Romanian threat actor named Diicot, revealing its potential to launch distributed denial-of-service (DDoS) attacks.

“The name Diicot is very important, because it is also the name of the Romanian organized crime and counter-terrorism police unit,” Cado Security said in a technical report. “In addition, the artifacts from the group’s campaign contain messages and imagery related to this organization.”

Diicot (formerly known as Mexals) was first documented by Bitdefender in July 2021, which exposed the actor’s use of a Go-based SSH brute-forcing tool called Diicot Brute to break into Linux hosts as part of a cryptojacking campaign.

Then, earlier this April, Akamai reported what it described as a “revival” of the 2021 activity, believed to have started sometime in October 2022 and to have netted the actor an estimated $10,000 in illicit profits.

“The attacker used a long payload chain before finally dropping the Monero cryptominer,” Akamai researcher Stiv Kupchik said at the time. “New capabilities include use of the Secure Shell Protocol (SSH) worm module, improved reporting, better payload obfuscation, and a new LAN spreader module.”

Recent analysis from Cado Security shows that the group also uses an off-the-shelf botnet called Cayosin, a malware family that shares characteristics with Qbot and Mirai.

This development is a sign that the threat actor now has the ability to mount DDoS attacks. Other activities carried out by the group include doxxing rival hacking groups and relying on Discord for command-and-control and data exfiltration.

“The deployment of this agent is targeted at routers running the Linux-based embedded device operating system OpenWrt,” the cybersecurity firm said. “The use of Cayosin demonstrates Diicot’s willingness to carry out a variety of attacks (not just cryptojacking) depending on the type of target they face.”

Diicot’s compromise chain has remained largely consistent: custom SSH brute-forcing utilities are used to gain a foothold, after which additional malware such as the Mirai variant and cryptominers is dropped.

Some of the other tools used by the actor are as follows:

  • chrome – A Zmap-based internet scanner that writes its scan results to a text file (“bios.txt”).
  • Renew – An executable that fetches and executes the SSH brute-forcer and chrome if they are not already present on the system.
  • History – A shell script designed to run the Renew executable.

The SSH brute-forcer tool (named aliases), for its part, parses chrome’s text file output and attempts to log in to each identified IP address; if successful, it establishes a remote connection to that host.


This is then followed by running a series of commands to profile the infected host and, based on the result, either deploy the cryptominer or have the host act as a spreader if its CPU has fewer than four cores.

To mitigate such attacks, it is recommended that organizations implement SSH hardening rules and firewalls to limit SSH access to specific IP addresses.

“This campaign specifically targets Internet-exposed SSH servers with password authentication enabled,” said Cado Security. “The list of usernames/passwords they use is relatively limited and includes default and easy-to-guess credential pairs.”
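The campaign described above, internet-exposed SSH with password authentication and a short list of default credentials, suggests two defender-side checks. The following is an added example, not code from the article or from Cado Security: it flags sources with repeated failed password logins in constructed sshd log lines, surfaces any password login that follows from a flagged source, and audits an sshd_config fragment for the settings the mitigation paragraph recommends. The log lines, IP addresses and config strings are constructed; OpenSSH defaults are assumed where a key is absent, and Match blocks are not handled.

```python
import re
from datetime import datetime
# Constructed sshd log sample (not from the article): a short default-credential
# list tried from one source, ending in a successful password login.
SAMPLE_AUTH_LOG = """\
Jun 17 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 17 10:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Jun 17 10:01:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 40124 ssh2
Jun 17 10:01:05 host sshd[1204]: Failed password for invalid user ubuntu from 203.0.113.7 port 40125 ssh2
Jun 17 10:01:06 host sshd[1205]: Accepted password for root from 203.0.113.7 port 40126 ssh2
Jun 17 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.9 port 50001 ssh2
"""
WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"  # constructed weak config
FAIL_RE = re.compile(r"(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPT_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
def find_bruteforce_sources(log_text, threshold=4, window_seconds=60):
    """Map source IP -> (failures, usernames) where >= threshold failures fall inside one window."""
    attempts = {}  # ip -> list of (timestamp, username)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog lines carry no year
            attempts.setdefault(m.group(3), []).append((ts, m.group(2)))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        for i in range(len(events)):  # sliding window over the sorted failures
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged[ip] = (j - i, sorted({user for _, user in events[i:j]}))
                break
    return flagged
def password_logins_from_flagged(log_text, flagged):
    """A password login from a source already flagged as brute forcing is the compromise signal."""
    return [(m.group(2), m.group(1)) for line in log_text.splitlines()
            if (m := ACCEPT_RE.search(line)) and m.group(2) in flagged]
# key -> (assumed OpenSSH default when absent, recommended hardened value)
HARDENING = {"passwordauthentication": ("yes", "no"), "permitrootlogin": ("prohibit-password", "no")}
def audit_sshd_config(config_text):
    """Return (key, effective_value, recommended) for settings that leave password brute forcing possible."""
    effective = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())  # sshd honours the first occurrence
    return [(k, effective.get(k, default), want) for k, (default, want) in HARDENING.items()
            if effective.get(k, default).lower() != want]
```

Feed the functions real `/var/log/auth.log` text and the live `/etc/ssh/sshd_config` to turn this into a quick host check; the firewall restriction to specific source addresses recommended above still has to be applied separately.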
