A recently discovered SaaS Brute Force tool is active and installing XMR-rig on Linux machines. The Malware name “Diicot Brute” was observed being distributed on cracked[.], issuing an API key to each customer to access the service. It offers updates on the start and finish of execution and successful exploitation via Discord API. Interestingly on successful exploitation, the tool is redirected to a github repository to download its payload. Researchers at Bitdefender have noted the code used in the xmr-rig payload utilizing a mixture of Romanian and English, leading them to believe the group originates from Romania. This group has been active since November 2020, and while limiting its scope to crypto mining its toolset does allow for other malicious activity.
Analyst Notes
Crypto-Jacking” campaigns are a serious issue exposing infrastructure to resource depletion and exploitation. Not only do they provide a revenue source for Threat Groups but gone undetected, these targets remain at risk of further compromise. Malware and Ransomware as a service have gained some attention recently. They are gaining popularity among the threat actor community, emboldening crime groups who did not have access to these tools before. There are tell-tale signs of SSH brute forcing enterprise can monitor for and alert on. Multiple sustained attempts to log in to specific machines being the loudest and easiest to detect. A few adjustments to a machine’s sshd_config, such as limiting attempts and time for logins help. Crypto mining is notorious for siphoning resources and running out of norm processes and services that allow for detection.
https://thehackernews.com/2021/07/researchers-warn-of-linux-cryptojacking.html?m=1
https://www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign
