In a realm where cybersecurity is paramount, threat actors continually up their game. Among them, the Romanian entity known as Diicot recently introduced new threats, displaying a shift in its strategies to include distributed denial-of-service (DDoS) attacks.
Diicot’s dark evolution
Named after the Romanian organized crime and anti-terrorism policing unit, Diicot, formerly known as Mexals, has been active since its identification by Bitdefender in July 2021. Initially employing a Go-based SSH brute-forcer tool named Diicot Brute, it targeted Linux hosts, conducting cryptojacking campaigns.
In October 2022, Akamai noted an escalation in Diicot’s activity, revealing the group’s profit of approximately $10,000 from its exploits. Their tactics had become more sophisticated, with the deployment of a Monero cryptominer after several payloads, enhanced payload obfuscation, and a new LAN spreader module.
A dive into Diicot’s expanding tactics
The latest findings from Cado Security indicate a shift in strategy, with the threat actor now employing a botnet known as Cayosin, sharing traits with notorious malware families such as Qbot and Mirai. This change indicates the group’s capability to execute DDoS attacks. Other operations include doxxing rival hacking groups and using Discord for command-and-control and data exfiltration.
Diicot targets routers running OpenWrt, the Linux-based embedded system. Which attack methods the group applies beyond cryptojacking depends on the nature of the compromised host.
Diicot’s primary mode of attack has been the custom SSH brute-forcing utility, which allows them to gain access and drop additional malware, including the Mirai variant and crypto miners.
Recommendations for mitigating Diicot’s threats
The best defense against such attacks includes implementing SSH hardening strategies and limiting SSH access via firewall rules. Cado Security emphasizes the importance of securing internet-exposed SSH servers that still allow password authentication, since Diicot relies on a limited and easily guessed set of credentials.
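As an added illustration of that advice (this is not code from the article or from Cado Security), the POSIX shell script below audits an sshd_config for the settings that matter most against credential guessing, using OpenSSH's documented defaults for directives that are absent, and emits firewall rules that restrict port 22 to a management network. The two sample configurations, the management range 203.0.113.0/24 and the account name ops-admin are constructed placeholders, not values from any real deployment.

```shell
#!/bin/sh
# Added example, not code from the article or from Cado Security.
# Audits an sshd_config for brute-force-relevant settings and prints a
# hardened equivalent plus matching firewall rules. Sample configs and
# addresses are constructed for illustration.

# Effective value of a directive: OpenSSH takes the first match, ignores
# comment lines, and matches keywords case-insensitively.
sshd_get() {
    # $1 = config file, $2 = keyword, $3 = OpenSSH default when absent
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Report each weak setting on stderr; print the number of findings on stdout.
audit_sshd_config() {
    cfg="$1"
    findings=0
    if [ "$(sshd_get "$cfg" PasswordAuthentication yes)" = "yes" ]; then
        echo "WEAK: PasswordAuthentication yes (password guessing possible)" >&2
        findings=$((findings + 1))
    fi
    if [ "$(sshd_get "$cfg" PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes (root account exposed to guessing)" >&2
        findings=$((findings + 1))
    fi
    if [ "$(sshd_get "$cfg" MaxAuthTries 6)" -gt 3 ]; then
        echo "WEAK: MaxAuthTries above 3 (more guesses per connection)" >&2
        findings=$((findings + 1))
    fi
    if [ "$(sshd_get "$cfg" AllowUsers '')" = "" ]; then
        echo "WEAK: no AllowUsers list (every local account is a login target)" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample: a default-looking config with password logins enabled.
write_weak_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (weak)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample: key-only authentication, restricted accounts, few tries.
write_hardened_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
AllowUsers ops-admin
EOF
}

# Print iptables rules that accept new SSH connections only from $1 (a
# management CIDR) and drop everything else reaching port 22.
ssh_firewall_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport 22 -s $1 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

tmp=$(mktemp -d)
write_weak_sample "$tmp/sshd_config.weak"
write_hardened_sample "$tmp/sshd_config.hardened"
echo "weak config findings: $(audit_sshd_config "$tmp/sshd_config.weak")"
echo "hardened config findings: $(audit_sshd_config "$tmp/sshd_config.hardened")"
ssh_firewall_rules 203.0.113.0/24   # placeholder management range
rm -rf "$tmp"
```

Run it against a real `/etc/ssh/sshd_config` by passing that path to `audit_sshd_config`; the weak sample yields four findings and the hardened one none. The rules printed by `ssh_firewall_rules` are shown rather than applied so they can be reviewed before being placed in front of an exposed host.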
The escalation in Diicot’s operations underlines the ever-evolving nature of cyber threats. As they expand their techniques, so too should the vigilance and preparation of those at risk. We’d love to hear your thoughts on this developing story. Please share your opinions and experiences in the comments section below.