A recently discovered SaaS brute-force tool is active and installing XMRig on Linux machines. The malware, named “Diicot Brute”, was observed being distributed on cracked[.], with an API key issued to each customer to access the service. It reports the start and finish of execution, and any successful exploitation, via the Discord API. Interestingly, on successful exploitation the tool is redirected to a GitHub repository to download its payload. Researchers at Bitdefender have noted that the code used in the XMRig payload mixes Romanian and English, leading them to believe the group originates from Romania. The group has been active since November 2020, and while it has so far limited its scope to crypto mining, its toolset does allow for other malicious activity.
Note: this post was originally shared on https://squiblydoo.blog/ by a member of the Binary Defense Team. In