Researchers Warned of Cryptojacking Attackers of Linux Operating


22 July 2021, Kathmandu

A threat group that may be located in Romania and has been active since at least 2020 has been conducting a cryptojacking campaign against Linux-based machines, using a previously undocumented SSH brute-force tool written in Golang.

The password cracking tool, called “Diicot brute”, is reportedly distributed through a software-as-a-service model, with each threat actor supplying its own unique API key to facilitate the intrusions, according to a report Bitdefender researchers published last week.

The campaign aims to deploy Monero mining malware on devices compromised remotely through brute-force attacks. Researchers linked the gang to at least two DDoS botnets, including a variant of Demonbot called Chernobyl and a Perl IRC bot, with the XMRig mining payload hosted on the domain mexalz us since February 2021.

The Romanian cybersecurity technology company stated that it began investigating the group’s malicious online activities in May 2021, and subsequently discovered the adversary’s infrastructure and attack toolkit.

The group is also known for relying on a bag of obfuscation techniques that help it avoid being noticed. To this end, its Bash scripts are compiled with the shell script compiler (shc), and the attack chain has been found to use Discord to report information back to channels the group controls, a technique that is becoming more and more common among malicious actors for command-and-control communication and for evading security measures.

Using Discord as a data exfiltration platform also removes the need for threat actors to host their own command-and-control servers, not to mention that it supports the creation of communities focused on buying and selling malware source code and services.

According to researchers, “Hackers going after weak SSH credentials are not very uncommon.” “The biggest security issue is the default username and password, or weak credentials that hackers can easily brute force. The tricky part is not necessarily brute-forcing these credentials, but doing so in a way that prevents the attacker from being noticed.”

