A new report from cloud forensics and incident response platform startup Cado Security Ltd. has detailed and warned that an emerging Romanian threat actor named Diicot, formerly known as Mexals, is running a new campaign involving previously unreported brute-forcing malware payloads.

Diicot, previously known for conducting cryptojacking campaigns and offering malware-as-a-service, has been active since at least 2020. Notably, artifacts from their campaigns reveal a connection to Romanian organized crime and an anti-terrorism policing unit also named Diicot.

Cado Labs’ researchers have found evidence of Diicot deploying an off-the-shelf Mirai-based botnet agent named Cayosin. The agent specifically targets routers running the Linux-based embedded devices operating system OpenWRT. The deployment of Cayosin is said to indicate Diicot’s versatility, since they’re willing to engage in various types of attacks beyond cryptojacking.

The report takes an interesting twist, as the researchers found that one of Diicot’s servers includes a Romanian-language doxing video featuring a feud between the group and other online personas. The find is said to suggest that Diicot is actively involved in exposing personal details, including photographs, home addresses and full names of individuals, in addition to their other malicious activities.

Diicot’s latest campaign reveals a concerning escalation in their activities. Through the discovery of previously unreported brute-forcing malware payloads, Diicot has demonstrated its intention to target SSH servers with password authentication enabled. The ongoing campaign involves a limited list of username/password pairs, including default and easily guessed credentials.

The researchers do note that analyzing Diicot’s campaign was a laborious task because of the convoluted execution chain and basic obfuscation techniques used by the hacking gang. However, their payloads often exhibit noisy behavior, making them detectable with proper network monitoring.

Given the serious nature of Diicot’s activities, the report notes that it’s crucial for organizations to implement effective countermeasures.

Cado Labs recommends basic SSH hardening measures, such as mandating key-based authentication for SSH instances. Organizations should also implement firewall rules to restrict SSH access to specific IP addresses, which can significantly bolster security defenses against this malware family.

Image: Bing Image Creator