Romanian Hackers Resurge with DDoS Botnet, Doxxing, Cryptojacking in Attack Arsenal
Cado Security has revealed the discovery of brute-forcing malware payloads, which had no prior public reporting and were absent from common malware repositories, being used as part of a new campaign by the Romanian hacking group Diicot, formerly known as Mexals.
Artifacts from the group's campaigns contain messaging and imagery related to the Romanian organized crime and anti-terrorism policing unit, a notable detail given that both groups are named Diicot. Combined with Romanian-language strings and log statements in the payloads, Cado researchers attribute the malware to Diicot.
Cado Labs discovered evidence of the group deploying an off-the-shelf Mirai-based botnet agent named Cayosin, targeted at routers running OpenWRT, a Linux-based operating system for embedded devices. An investigation of one of Diicot's servers led to the discovery of a Romanian-language doxxing video depicting a feud between the group and what appear to be other online personas.
This report will provide a brief overview of attributing the campaign to Diicot’s distinctive TTPs, along with the execution chain employed by the group in their latest campaign, before focusing on the newest version of their self-propagating SSH brute-forcer. Cado researchers identified four channels used for this campaign and confirmed that the campaign is recent and ongoing.
You can view the report here.
This entry was posted on June 15, 2023 at 8:54 am and is filed under Commentary with tags Cado Security.