Diicot, a Romanian Cybercrime Gang, Constructs DDoS Botnet Utilizing Mirai Variant

A cybercriminal group operating under the name Diicot has caught the attention of researchers for its recent campaign involving mass SSH brute-force scanning and the deployment of a variant of the notorious Mirai IoT botnet. The group has also added a cryptocurrency mining payload to servers equipped with CPUs featuring more than four cores.

In an analysis conducted by Cado Security, researchers found evidence of Diicot using an off-the-shelf Mirai-based botnet agent called Cayosin. The agent specifically targets routers running OpenWrt, a Linux-based operating system for embedded devices. This marks a departure from Diicot’s previous focus on cryptojacking campaigns, in which the computing power of compromised machines was hijacked to mine cryptocurrency.

Diicot, also known as Mexals, has been active since at least 2021, with researchers tracing strong indications of its base of operations to Romania. The group’s name mimics the acronym of the Directorate for Investigating Organized Crime and Terrorism (DIICOT), a Romanian law enforcement agency tasked with combating organized crime, including cybercrime.

Previous campaigns by Diicot primarily involved targeting Linux servers with weak SSH credentials using customized and centralized mass scanning and brute-force scripts. Upon compromising a server, the group deployed a modified version of the open-source XMRig software to mine Monero, a popular cryptocurrency.

However, Diicot’s attack toolkit has evolved in recent times. Earlier this year, researchers from Akamai observed the group’s name change and the introduction of new tactics, including an SSH worm written in Golang and the use of a Mirai variant named Cayosin. Mirai first emerged in 2016 as a self-propagating botnet that infected embedded networking devices and used them to launch massive distributed denial-of-service (DDoS) attacks. The release of its source code online allowed cybercriminals to develop numerous variants based on the original.

The ongoing attack campaign analyzed by Cado Security follows similar patterns as previous Diicot campaigns, as documented by Bitdefender and Akamai. The campaign, which commenced in April 2023, involves the creation of a Discord server for command-and-control purposes.

The attack begins with an SSH brute-forcing tool written in Golang, known as “aliases.” The tool works through a list of target IP addresses and username/password combinations, attempting to authenticate with each. If the compromised system runs OpenWrt, Diicot deploys a script named bins.sh, which identifies the device’s CPU architecture and deploys a Cayosin binary compiled for that architecture.

For systems not running OpenWrt, the aliases tool deploys various Linux binary payloads created using the shell script compiler (SHC) tool, packed with UPX. These payloads serve as malware loaders, preparing the system for the subsequent deployment of an XMRig variant.

Of note, one of the SHC payloads, named “payload,” executes a bash script that checks if the system possesses at least four CPU cores before deploying XMRig. The script also alters the password of the user executing it. If the user is root, a hardcoded password is set, while for non-root users, the password is dynamically generated based on the current date.

In addition, the payload tool deploys another SHC executable named “.diicot,” which adds an attacker-controlled SSH key to ensure future access and ensures that the SSH service is running and registered as a service. The tool proceeds to download a custom XMRig variant, saving it as “Opera” along with its configuration file. Furthermore, a cron script is created to monitor and relaunch the Opera process if it is not running.

The payload tool also downloads an SHC executable named “update,” which deploys the aliases brute-force tool and a copy of the Zmap network scanner named “chrome.” The update executable additionally deploys a shell script called “history,” which executes the update tool and creates a cron script to ensure the history and chrome executables are consistently active.
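The persistence described in the steps above (an added SSH key, cron entries that relaunch binaries if they stop, and payloads dropped under a hidden directory) leaves artifacts a defender can look for on a host. The following triage script is an added example written for this page; it is not code from Cado Security or from the campaign. The crontab lines, authorized_keys entries and key blobs it inspects are constructed for the example and are not the real campaign artifacts; the names on its watch list are the ones reported above, but several of them (chrome, history, update) are also ordinary program names, so a hit is a lead to examine rather than a verdict.

```python
"""Host triage for the persistence the article describes (added example, not Cado's or
Diicot's code).  The crontab, authorized_keys and key blobs below are constructed for
the example; they are NOT the real campaign artifacts.  The names on the watch list are
the ones the article reports, but several (chrome, history, update) are also ordinary
program names, so a hit is a lead to look at, not a verdict."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

WATCHLIST = {"Opera", ".diicot", "bins.sh", "aliases", "payload", "update", "history", "chrome"}
EVERY_MINUTE = re.compile(r"^\*(/1)?\s+\*\s+\*\s+\*\s+\*\s+")      # "* * * * *" or "*/1 * * * *"
SUSPICIOUS_DIR = re.compile(r"(^|[\s|;&])(/tmp|/var/tmp|/dev/shm|/root|/home/[^/\s]+)/")
RELAUNCH = re.compile(r"\b(pgrep|pidof)\b|\bps\b.*\bgrep\b")    # "if not running, start it" loops
PATH_TOKEN = re.compile(r"/[^\s|;&]+")
KEY_RE = re.compile(r"(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+|sk-[\w@.-]+)\s+(AAAA[A-Za-z0-9+/=]+)")


@dataclass
class Finding:
    source: str
    line: str
    reason: str


def audit_crontab(text: str) -> list:
    """Flag cron entries that look like a keep-alive loop for a binary in a user or temp dir."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if EVERY_MINUTE.match(line):
            reasons.append("runs every minute")
        if SUSPICIOUS_DIR.search(line):
            reasons.append("launches from a user or temp directory")
        if RELAUNCH.search(line) and re.search(r"\|\||\bif\b|!", line):
            reasons.append("relaunch-if-not-running pattern")
        basenames = {p.rsplit("/", 1)[-1] for p in PATH_TOKEN.findall(line)}
        hits = sorted(WATCHLIST & basenames)
        if hits:
            reasons.append("name reported for this campaign: " + ", ".join(hits))
        if reasons:
            findings.append(Finding("crontab", line, "; ".join(reasons)))
    return findings


def key_fingerprint(line: str) -> Optional[str]:
    """SHA256 fingerprint of an authorized_keys line, in the form ssh-keygen -lf prints."""
    m = KEY_RE.search(line)
    if not m:
        return None
    digest = hashlib.sha256(base64.b64decode(m.group(2))).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, approved: set) -> list:
    """Any key whose fingerprint is not in the approved baseline is an unexplained backdoor."""
    findings = []
    for line in text.splitlines():
        fp = key_fingerprint(line)
        if fp and fp not in approved:
            findings.append(Finding("authorized_keys", line, f"unapproved key {fp}"))
    return findings


# --- constructed sample data (hypothetical, labelled as such) -----------------------
def _fake_blob(seed: bytes) -> str:
    """Well-formed ssh-ed25519 wire encoding around a made-up 32-byte public key."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()


APPROVED_KEY = f"ssh-ed25519 {_fake_blob(b'ops laptop')} ops@laptop"
INTRUDER_KEY = f"ssh-ed25519 {_fake_blob(b'not ours')} root@localhost"
CONSTRUCTED_AUTHORIZED_KEYS = "\n".join([APPROVED_KEY, INTRUDER_KEY])
CONSTRUCTED_CRONTAB = """\
# routine job: should not be flagged
0 3 * * * /usr/bin/apt-get -qq update
# hypothetical keep-alive loops in the style the article describes (not the real cron)
* * * * * pgrep -x Opera >/dev/null || /root/.diicot/Opera
*/1 * * * * /root/.diicot/history >/dev/null 2>&1
"""


def triage() -> list:
    """Run both audits over the constructed inputs; the baseline holds only the approved key."""
    baseline = {key_fingerprint(APPROVED_KEY)}
    return audit_crontab(CONSTRUCTED_CRONTAB) + audit_authorized_keys(CONSTRUCTED_AUTHORIZED_KEYS, baseline)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

On a real host the inputs would come from `crontab -l` for each user, the files under /etc/cron.d and /var/spool/cron, and every ~/.ssh/authorized_keys; the approved set is whatever your configuration management says should be there. The cron heuristics are deliberately loose, since the article gives behaviour rather than exact command lines.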

It is worth noting that Diicot has demonstrated a willingness to conduct a variety of attacks beyond cryptojacking, as evidenced by their deployment of Cayosin. This indicates that the group is investing effort into its DDoS capabilities, as Cayosin’s primary objective, according to previous reports, is facilitating DDoS attacks.

Organizations are advised to implement basic SSH hardening measures to protect their servers. This includes utilizing key-based authentication instead of passwords and employing firewall rules to restrict SSH access to trusted IP addresses. Detecting Diicot’s scanning activities should be relatively straightforward at the network level due to their high visibility and noise, according to the researchers.
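Two practical checks follow from that advice: whether an sshd configuration still leaves the password path open that this campaign depends on, and whether a credential-list scanner shows up in the authentication log. The script below is an added example written for this page, not the researchers' tooling. The sshd_config fragments are constructed to show a weak setting next to its corrected form, and the auth.log lines are constructed too, using addresses from the 203.0.113.0/24 documentation range. One caveat it encodes: setting PasswordAuthentication to no is not enough on its own, because keyboard-interactive (PAM) authentication still accepts passwords unless it is disabled as well.

```python
"""SSH hardening audit and brute-force burst detection (added example, not from the article
or the researchers).  The sshd_config fragments and auth.log lines are constructed; the
addresses are from the 203.0.113.0/24 documentation range."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH defaults used when a directive is absent.  PasswordAuthentication defaults to yes,
# which is exactly what credential-list scanners need; PermitRootLogin has defaulted to
# prohibit-password since OpenSSH 7.0.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """First occurrence of a directive wins, as in sshd(8).  Directives below a Match block
    are conditional, so parsing stops there rather than misreading them as global."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_sshd_config(text: str) -> list:
    """Return the settings that leave the password brute-force path open."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    problems = []
    if conf["passwordauthentication"] == "yes":
        problems.append("PasswordAuthentication yes: password guessing is possible; set it to no")
    if conf["kbdinteractiveauthentication"] == "yes":
        problems.append("KbdInteractiveAuthentication yes: PAM still accepts passwords even with "
                        "PasswordAuthentication no; set it to no as well")
    if conf["permitrootlogin"] == "yes":
        problems.append("PermitRootLogin yes: root is the first name every list tries; "
                        "use prohibit-password or no")
    if conf["pubkeyauthentication"] != "yes":
        problems.append("PubkeyAuthentication is off: keys cannot replace passwords")
    return problems


WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers deploy ops
"""

# Standard OpenSSH failure line, e.g.
# "Jun 12 10:00:04 web1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def find_bruteforce_sources(log: str, window: timedelta = timedelta(minutes=5),
                            min_failures: int = 10, min_users: int = 3) -> dict:
    """Map each source IP to (failures, distinct usernames) for the densest `window` in which
    it exceeded both thresholds.  Many usernames from one source within minutes is a
    credential list being worked, not an admin mistyping one password."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog lines carry no year
            events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > best[0]:
                    best = (len(span), len(users))
        if best:
            flagged[ip] = best
    return flagged


def constructed_log() -> str:
    """Constructed auth.log: one scanner working a username list, one admin with a typo."""
    users = ["root", "admin", "pi", "ubuntu", "oracle", "test"]
    lines = []
    for i in range(12):
        u = users[i % len(users)]
        invalid = "" if u == "root" else "invalid user "
        lines.append(f"Jun 12 10:00:{4 * i:02d} web1 sshd[{1000 + i}]: Failed password for "
                     f"{invalid}{u} from 203.0.113.5 port {40000 + i} ssh2")
    for i in range(3):
        lines.append(f"Jun 12 10:0{i}:30 web1 sshd[{2000 + i}]: Failed password for deploy "
                     f"from 203.0.113.9 port 50000 ssh2")
    return "\n".join(lines)


if __name__ == "__main__":
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print("brute-force sources:", find_bruteforce_sources(constructed_log()))
```

The thresholds are starting points: on an internet-facing host a single source trying a dozen usernames in under a minute is the pattern the article calls noisy, and the same window logic applies unchanged to a firewall or flow log if you swap the regex. Firewall rules that limit SSH to trusted addresses remove the signal entirely, which is the better outcome.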

Campaigns like this one succeed not through sophistication but through scale and weak credentials, so organizations should keep SSH hardened, monitor for the scanning and persistence behavior described above, and expect groups like Diicot to keep adding capabilities to an already working toolkit.