Tracking Diicot: an emerging Romanian threat actor

Diicot is an emerging Romanian threat actor expanding beyond cryptojacking to include self-propagating SSH brute-forcers, MaaS-style tooling, and a Mirai-based botnet for DDoS, with C2 reporting via Discord and a custom API. The operation uses obfuscation (shc, modified UPX), a lengthy loader chain, and persistence mechanisms, targeting internet-accessible SSH servers and OpenWrt routers while also doxxing rivals. #Diicot #Mexals

Keypoints

  • Diicot is an emerging threat actor (formerly Mexals) with cryptojacking, MaaS, and now self-propagation and DDoS capabilities.
  • Initial access is via a custom SSH brute-forcing tool named aliases, targeting internet-facing SSH servers and OpenWrt routers.
  • Payloads are obfuscated with the Shell Script Compiler (shc) and a modified UPX header (the standard "UPX!" magic replaced with the bytes 0x59545399) to hinder analysis; UPX unpacking can be aided by tools like upx_dec.
  • C2 and campaign telemetry use four Discord webhooks and a custom API endpoint, with timestamps indicating a recent, active operation.
  • The execution chain deploys loaders, a XMRig-based miner for cryptomining, and a Mirai-based (Cayosin) botnet for potential DDoS, with persistence via an attacker-controlled SSH key and a systemd service.
  • Discovery and propagation include extensive system checks (uptime, CPU, OpenWrt presence) and a brute-force/scan loop that can spawn multiple remote commands across targets.
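
The UPX tampering above is the one piece of the chain an analyst has to undo before anything else. The following script is an added example, not Cado Security's or the actor's code, showing the usual fix: find every occurrence of the modified magic and write the stock "UPX!" bytes back so that a normal `upx -d` accepts the file. It assumes the page's 0x59545399 is the byte sequence 59 54 53 99 written over the 4-byte magic; SAMPLE_BLOB is a constructed stand-in with the structure of a packed ELF, not a real sample.

```python
"""Restore the UPX magic in a Diicot-style packed ELF so that stock `upx -d` accepts it.

Added example, not Cado Security's or the actor's code. Assumption: the page says the
header is "modified with the bytes 0x59545399"; this script treats that value as the
byte sequence 59 54 53 99 written over the standard 4-byte magic "UPX!" and swaps it
back wherever it occurs. SAMPLE_BLOB below is a constructed stand-in, not a real sample.
"""
import sys

UPX_MAGIC = b"UPX!"
DIICOT_MAGIC = bytes.fromhex("59545399")  # assumed byte order of the page's 0x59545399


def magic_offsets(data, magic):
    """Every offset at which `magic` occurs; used to sanity-check a fix."""
    offsets, pos = [], data.find(magic)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(magic, pos + 1)
    return offsets


def restore_upx_magic(data, modified_magic=DIICOT_MAGIC):
    """Return (patched_bytes, replacement_count).

    UPX stores its magic in the l_info block near the start of the file and again
    in the PackHeader trailer at the end, so a genuine sample yields two hits; a
    different count means the packer was modified further or a hit is a false positive.
    """
    if len(modified_magic) != len(UPX_MAGIC):
        raise ValueError("replacement magic must be exactly 4 bytes")
    hits = magic_offsets(data, modified_magic)
    return data.replace(modified_magic, UPX_MAGIC), len(hits)


def looks_upx_packed(data):
    """Cheap triage check: an ELF that still carries the stock UPX magic."""
    return data.startswith(b"\x7fELF") and UPX_MAGIC in data


# Constructed ELF-like blob: a zeroed 64-byte ELF64 header, an l_info block carrying
# the modified magic, filler standing in for the compressed body, and a trailer whose
# magic was modified the same way. (In a real file l_info follows the program headers.)
ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
L_INFO = b"\x00" * 4 + DIICOT_MAGIC + b"\x00\x00" + b"\x0d\x0d"  # l_checksum, l_magic, l_lsize, l_version, l_format
BODY = b"\x00" * 20 + b"compressed-body" + b"\x00" * 20
TRAILER = DIICOT_MAGIC + b"\x00" * 28
SAMPLE_BLOB = ELF_HEADER + L_INFO + BODY + TRAILER


if __name__ == "__main__":
    # usage: python fix_upx_magic.py <packed_file>   -> writes <packed_file>.fixed
    src = sys.argv[1]
    with open(src, "rb") as fh:
        blob = fh.read()
    fixed, n = restore_upx_magic(blob)
    print(f"{src}: {n} magic value(s) restored at offsets {magic_offsets(blob, DIICOT_MAGIC)}")
    with open(src + ".fixed", "wb") as fh:
        fh.write(fixed)
```

Expect exactly two hits, one near the start of the file and one near the end. If `upx -d` still rejects the patched file with a checksum or version error, the fork changed more than the magic, and the fallback is the one the page points at (upx_dec) or dumping the unpacked image from process memory.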

MITRE Techniques

  • [T1110] Brute Force – SSH Brute Force – Initial access via a custom SSH brute-forcing tool, ingesting target IPs and credentials. Quote: “Initial access for the Diicot campaign is via a custom SSH brute-forcing tool, named aliases.”
  • [T1105] Ingress Tool Transfer – Downloading payloads and components from remote servers as part of the execution chain. Quote: “The sample of aliases we obtained was located at…”
  • [T1027] Obfuscated Files and Information (T1027.002 Software Packing) – Use of a modified UPX header and shc-built loaders to hinder analysis. Quote: “Shell Script Compiler (shc) executables are typically used as loaders and prepare the system for mining… and a header modified with the bytes 0x59545399.”
  • [T1071.001] Web Protocols – C2 reporting via Discord webhooks and a custom API endpoint. Quote: “Discord supports HTTP POST requests to a webhook URL, allowing exfiltrated data and campaign statistics to be viewed within a given channel.”
  • [T1496] Resource Hijacking – Cryptomining (XMRig) deployed on compromised hosts. Quote: “preparing the target system for mining via Diicot’s custom fork of XMRig…”
  • [T1098.004] Account Manipulation: SSH Authorized Keys – Attacker-controlled SSH key added to maintain access. Quote: “registers an attacker-controlled SSH key to maintain access to the system.”
  • [T1543.003] Create or Modify System Process: Systemd Service – Persistence via a systemd service (myservice.service) created and configured to run on boot. Quote: “The service is saved as /lib/systemd/system/myservice.service and is configured to execute on boot.”
  • [T1053.003] Scheduled Task/Job: Cron – Scheduled tasks relaunch components (e.g., the miner) via cron.
  • [T1082] System Information Discovery – Collecting uptime, CPU, architecture, and other host details to assess infection viability. Quote: “uptime | grep -ohe ‘up .*’ …”
  • [T1046] Network Service Discovery – Identifying vulnerable/open targets via internet scanning and OpenWrt checks. Quote: “Identification of vulnerable systems via internet scanning.”
  • [T1041] Exfiltration Over C2 Channel – Exfiltrating data via C2 channels (Discord webhooks and the custom API), including credentials and host info. Quote: “toDiscord, toFilter, toApi … send details of the compromised machines to separate Discord channels”
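
The Web Protocols and Exfiltration entries above describe C2 over Discord webhooks. Because a server fleet has no business posting to Discord, any webhook POST from a server is a finding on its own and the page's webhook IDs only add attribution. The detector below is an added example, not part of the Cado write-up: it refangs the page's IOCs as published, then classifies constructed egress log lines. It assumes an explicit proxy with TLS inspection that logs full URLs, in the constructed format "<epoch> <src_ip> <method> <url> <status>"; with SNI-only visibility you would match on the discord.com host instead.

```python
"""Flag Diicot-style Discord webhook C2 and known infrastructure in egress logs.

Added example, not part of the Cado write-up. Assumes a proxy log that records full
URLs (constructed format: "<epoch> <src_ip> <method> <url> <status>"). The page's IOCs
are embedded defanged, exactly as published, and refanged before use. SAMPLE_LOG is
constructed.
"""
import re

PAGE_WEBHOOKS = [
    "hxxps://discord[.]com/api/webhooks/1100669270297419808/UQ2bkUBe9JgAhtEIPYqpqKG6YVRW1fqEkadAY3u6PPmcgEVcYaSRiS37JILi2Vk32or6",
    "hxxps://discord[.]com/api/webhooks/1100666861424754708/pAzInuz8ekK5DmKyoKxmG4H8euCtLkBXZnS33EGnxdl0_hkL5OdRbInQqgdGiQ1U41WF",
    "hxxps://discord[.]com/api/webhooks/1100666766339866694/ex_yUegpCF4NXGkT3sGFp3oWFUkJWE7XarcgTHRcAwmJQtG4pALhcj6PjKUTthNz_0u_",
    "hxxps://discord[.]com/api/webhooks/1100666664623812650/_t9NyLTT_Rbg_Vr14n6YCBkseXrz-RpSe94SFIw-1Pyrkns80tU9uWJL3yjc3eLXo0IU",
]
PAGE_HOSTS = {"arhivehaceru[.]com", "45[.]88[.]67[.]94", "84[.]54[.]50[.]198", "139[.]99[.]123[.]196"}

# Webhook URL: /api/webhooks/<numeric id>/<token>; discordapp.com is the legacy host.
WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def refang(s):
    """Undo the hxxp / [.] defanging used in published IOCs."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


KNOWN_WEBHOOK_IDS = {WEBHOOK_RE.search(refang(u)).group(1) for u in PAGE_WEBHOOKS}
KNOWN_HOSTS = {refang(h) for h in PAGE_HOSTS}


def classify(line):
    """Return (verdict, src_ip, detail) for a suspicious line, or None if benign."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, src, method, url, _status = parts[:5]
    m = WEBHOOK_RE.search(url)
    if m:
        hook_id, token = m.groups()
        verdict = "discord-webhook-known" if hook_id in KNOWN_WEBHOOK_IDS else "discord-webhook-unknown"
        return (verdict, src, f"{method} webhook id={hook_id} token={token[:6]}...")
    h = URL_HOST_RE.match(url)
    if h and h.group(1) in KNOWN_HOSTS:
        return ("known-infra", src, f"{method} {url}")
    return None


def scan(lines):
    return [r for r in (classify(line) for line in lines) if r]


# Constructed log lines: one beacon to a webhook from the page, one payload fetch from
# the page's domain, one beacon to a webhook the page does not list, and two benign
# requests (the last one is Discord's CDN, which is not a webhook and must not fire).
SAMPLE_LOG = [
    "1683000001 10.0.0.5 POST https://discord.com/api/webhooks/1100669270297419808/UQ2bkUBe9JgAhtEIPYqpqKG6YVRW1fqEkadAY3u6PPmcgEVcYaSRiS37JILi2Vk32or6 204",
    "1683000002 10.0.0.5 GET http://arhivehaceru.com/Update 200",
    "1683000003 10.0.0.9 POST https://discord.com/api/webhooks/123456789012345678/abcDEF_ghi-jkl 204",
    "1683000004 10.0.0.7 GET https://example.org/index.html 200",
    "1683000005 10.0.0.7 GET https://cdn.discordapp.com/attachments/1/2/photo.png 200",
]

if __name__ == "__main__":
    for verdict, src, detail in scan(SAMPLE_LOG):
        print(f"{verdict:24} {src:12} {detail}")
```

The full webhook URL (ID plus token) is what you hand to Discord for takedown, so keep it in the case file; the detail string only truncates the token so that it does not end up in chat alerts.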

Indicators of Compromise

  • [Discord Webhook] – Discord webhooks used for C2 reporting. Example: hxxps://discord[.]com/api/webhooks/1100669270297419808/UQ2bkUBe9JgAhtEIPYqpqKG6YVRW1fqEkadAY3u6PPmcgEVcYaSRiS37JILi2Vk32or6, hxxps://discord[.]com/api/webhooks/1100666861424754708/pAzInuz8ekK5DmKyoKxmG4H8euCtLkBXZnS33EGnxdl0_hkL5OdRbInQqgdGiQ1U41WF
  • [Discord Webhook] – Additional Discord channels: hxxps://discord[.]com/api/webhooks/1100666766339866694/ex_yUegpCF4NXGkT3sGFp3oWFUkJWE7XarcgTHRcAwmJQtG4pALhcj6PjKUTthNz_0u_
  • [Discord Webhook] – hxxps://discord[.]com/api/webhooks/1100666664623812650/_t9NyLTT_Rbg_Vr14n6YCBkseXrz-RpSe94SFIw-1Pyrkns80tU9uWJL3yjc3eLXo0IU
  • [Domain] – arhivehaceru[.]com
  • [Files (SHA-256)] – 437af650493492c8ef387140b5cb2660044764832d1444e5265a0cd3fe6e0c39 (Update); de6dff4d3de025b3ac4aff7c4fab0a9ac4410321f4dca59e29a44a4f715a9864 (aliases)
  • [IP Addresses] – 45[.]88[.]67[.]94; 84[.]54[.]50[.]198
  • [SSH Keys] – ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAoBjnno5GBoIuIYIhrJsQxF6OPHtAbOUIEFB+gdfb1tUTjs+f9zCMGkmNmH45fYVukw6IwmhTZ+AcD3eD “ElPatrono1337” (key truncated as published; match on this prefix or on the key comment)
  • [Mining Pools] – 45[.]88[.]67[.]94:7777; 139[.]99[.]123[.]196:80
  • [Mining Pools] – pool[.]supportxmr[.]com:80
  • [Paths] – /var/tmp/Documents/.b4nd1d0; /var/tmp/Documents/.5p4rk3l5
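
The host-side indicators above (the authorized_keys entry, myservice.service, the cron relaunch and the /var/tmp/Documents staging paths) are cheap to sweep for. The script below is an added example, not Cado's tooling: it walks a filesystem root, which can be "/" on a live host or the mount point of a disk image, and reports each artefact. Two assumptions are labelled in the code: the cron relaunch is detected by any non-comment crontab line referencing /var/tmp/Documents, because the page does not quote the cron entry itself, and the SSH key is matched on the prefix quoted on the page, since the page truncates it. The fixture it builds for testing is constructed.

```python
"""Offline triage for the Diicot persistence artefacts named on this page.

Added example, not Cado Security's tooling. sweep(root) walks a filesystem root ("/"
on a live host, or a mounted image) and reports the page's host IOCs. Assumptions:
cron persistence is matched on any crontab line referencing /var/tmp/Documents (the
page does not quote the entry); the SSH key is matched on the published prefix.
"""
import glob
import tempfile
from pathlib import Path

# IOCs quoted on the page
KEY_PREFIX = ("AAAAB3NzaC1yc2EAAAABJQAAAQEAoBjnno5GBoIuIYIhrJsQxF6OPHtAbOUIEFB+gdfb1tUTjs+"
              "f9zCMGkmNmH45fYVukw6IwmhTZ+AcD3eD")
KEY_COMMENT = "ElPatrono1337"
SERVICE_UNITS = ["lib/systemd/system/myservice.service", "etc/systemd/system/myservice.service"]
STAGING_DIR = "var/tmp/Documents"
STAGING_FILES = [STAGING_DIR + "/.b4nd1d0", STAGING_DIR + "/.5p4rk3l5"]
CRON_GLOBS = ["etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*", "var/spool/cron/*"]


def _read_lines(path):
    try:
        return path.read_text(errors="replace").splitlines()
    except OSError:          # missing file, or a directory matched by a glob
        return []


def sweep(root):
    """Return a list of (category, detail) findings under `root`."""
    root = Path(root)
    findings = []

    # 1. authorized_keys for root and every home directory (T1098.004)
    key_files = [root / "root/.ssh/authorized_keys"]
    key_files += [Path(p) for p in glob.glob(str(root / "home/*/.ssh/authorized_keys"))]
    for kf in key_files:
        for line in _read_lines(kf):
            if KEY_PREFIX in line or KEY_COMMENT in line:
                findings.append(("ssh-key", f"{kf}: {line[:60]}..."))

    # 2. the systemd unit the page names (T1543.003)
    for unit in SERVICE_UNITS:
        if (root / unit).exists():
            findings.append(("systemd-unit", str(root / unit)))

    # 3. staging directory and the hidden payload files inside it
    if (root / STAGING_DIR).is_dir():
        findings.append(("staging-dir", str(root / STAGING_DIR)))
    for f in STAGING_FILES:
        if (root / f).exists():
            findings.append(("payload-file", str(root / f)))

    # 4. cron entries pointing into the staging dir (assumption: page gives no cron line)
    for pattern in CRON_GLOBS:
        for cf in glob.glob(str(root / pattern)):
            for line in _read_lines(Path(cf)):
                if not line.lstrip().startswith("#") and "/var/tmp/Documents" in line:
                    findings.append(("cron", f"{cf}: {line.strip()}"))
    return findings


def build_fixture():
    """Constructed infected-host layout for testing; returns the temp root path."""
    root = Path(tempfile.mkdtemp(prefix="diicot-fixture-"))
    (root / "root/.ssh").mkdir(parents=True)
    (root / "root/.ssh/authorized_keys").write_text(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleLegitKeyNotReal admin@example\n"
        f"ssh-rsa {KEY_PREFIX}AAAA {KEY_COMMENT}\n")
    (root / "lib/systemd/system").mkdir(parents=True)
    (root / "lib/systemd/system/myservice.service").write_text(
        "[Service]\nExecStart=/var/tmp/Documents/.5p4rk3l5\n[Install]\nWantedBy=multi-user.target\n")
    (root / STAGING_DIR).mkdir(parents=True)
    (root / STAGING_FILES[1]).write_bytes(b"\x7fELF")
    (root / "var/spool/cron/crontabs").mkdir(parents=True)
    (root / "var/spool/cron/crontabs/root").write_text(
        "# constructed crontab\n@reboot /var/tmp/Documents/.5p4rk3l5 >/dev/null 2>&1\n")
    return str(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for category, detail in sweep(target):
        print(f"{category:13} {detail}")
```

Run it as `python sweep.py /` on a suspect host or `python sweep.py /mnt/image` against a mounted disk; with no argument it sweeps the constructed fixture. Treat a hit on the key comment alone as weaker than a hit on the key material: comments are free text and could be reused by an unrelated operator.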

Read more: https://www.cadosecurity.com/tracking-diicot-an-emerging-romanian-threat-actor/