DDoS attack

Diicot expands tactics with Cayosin botnet: from cryptojacking to DDoS attack.

Undocumented payloads linked to the Romanian threat actor Diicot reveal DDoS attack capability, cybersecurity researchers report. Cado Security’s technical report also highlights the connection between the Diicot threat actor and the Romanian law enforcement unit of the same name, evidenced by campaign artifacts referencing the organization.


Bitdefender initially discovered Diicot, previously known as Mexals, in July 2021. The group employed a Go-based SSH brute-forcer tool called Diicot Brute for breaching Linux hosts during a cryptojacking campaign.

In April of this year, Akamai reported a “resurgence” of the 2021 activity, which began around October 2022 and generated approximately $10,000 in illicit profits for the threat actor.


Diicot deploys a range of payloads, including a Monero cryptominer, using techniques such as an SSH worm module, improved payload obfuscation, and a LAN spreader module, according to Akamai researcher Stiv Kupchik. Furthermore, Cado Security’s recent analysis reveals that Diicot utilizes the Cayosin botnet, which resembles Qbot and Mirai, to enhance its operations.

Diicot’s expansion into deploying the Cayosin botnet signifies their newfound capability to launch DDoS attacks. Additionally, the threat actor engages in activities such as doxxing rival hacking groups and relies on Discord for command-and-control and data exfiltration.

Diicot targets routers running OpenWrt with the Cayosin agent, indicating their versatility in conducting different types of attacks. Their compromise chains consistently involve using a custom SSH brute-forcing utility to gain access and deploy additional malware like Mirai variants and crypto miners.

Here are some of the tools employed by the Diicot threat actor:

  1. Diicot Brute: A Go-based SSH brute-forcing tool used for breaching Linux hosts.
  2. Cayosin Botnet: An off-the-shelf botnet with similarities to Qbot and Mirai, utilized by Diicot for various activities.
  3. Mirai Variant: A variant of the Mirai malware, employed by Diicot for additional malicious purposes.
  4. Crypto Miner: A payload dropped by Diicot to mine the cryptocurrency Monero.
  5. Custom SSH Brute-Forcing Utility: A specialized tool utilized by Diicot to gain unauthorized access to targeted systems.

Diicot’s attack methodology involves profiling infected hosts and deploying either a cryptominer or using them as spreaders based on CPU core count. To mitigate these attacks, organizations are advised to implement SSH hardening and firewall rules, restricting SSH access to specific IP addresses.

Cado Security warns that this campaign specifically targets internet-exposed SSH servers with password authentication enabled. The threat actor relies on a relatively limited list of usernames and passwords, including default and easily guessable credential pairs.
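One way to spot this credential-guessing pattern in sshd logs, as an added example that is not from the Cado or Akamai reports: the script groups failed password logins by source IP and flags any source that tries a burst of logins within a short window, which is what a short default-credential list hammered against a password-auth SSH server looks like. The log lines, the syslog layout and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH "Failed password" lines in syslog format (assumed layout).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample lines: one source hammering a short default-credential
# list, plus one legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Jun 20 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 20 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Jun 20 10:00:03 host sshd[1203]: Failed password for invalid user ubuntu from 203.0.113.7 port 40124 ssh2
Jun 20 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 40125 ssh2
Jun 20 10:00:05 host sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 40126 ssh2
Jun 20 10:00:06 host sshd[1206]: Accepted publickey for alice from 198.51.100.9 port 50000 ssh2
Jun 20 10:00:07 host sshd[1207]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Jun 20 10:09:00 host sshd[1208]: Failed password for root from 203.0.113.7 port 40127 ssh2
"""

def parse_failures(log_text, year=2023):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Map source IP -> sorted usernames tried, for IPs with at least
    `threshold` failed password logins inside any `window_s` second window."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        per_ip[ip].append((ts, user))
    hits = {}
    for ip, events in per_ip.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:  # burst found; record the credential list tried
                hits[ip] = sorted({u for _, u in events[i:j]})
                break
    return hits
```

A single mistyped password from a legitimate user stays below the threshold, while the flagged source's username list can feed the firewall allow-list review the article recommends.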
