
Linux-Focused Cryptojacking Gang Tracked to Romania
2021-07-14 16:45

A cryptojacking gang that's likely based in Romania is using a never-before-seen SSH brute-forcer dubbed "Diicot brute" to crack weak passwords on Linux-based machines.

Bitdefender's honeypot data shows that attacks matching the brute-force tool's signature started in January.

Malicious abuse of collaboration tools like Slack and Discord to evade security and deliver info-stealers, remote-access trojans and other malware has exploded: In April, Cisco's Talos cybersecurity team said in a report on collaboration app abuse that they found 20,000 virus results on just one Discord network search.

This is where the Romania link comes in, Bitdefender explained: "Like most other tools in this kit, the brute-force tool has its interface in a mix of Romanian and English. This leads us to believe that its author is part of the same Romanian group."

Initial access is gained by connecting via SSH and executing the infection payload. The attackers use the tools "Ps" and "Masscan" for reconnaissance, analysts explained, while "99x / haiduc" and "Brute" handle credential access and initial access.
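The initial-access step described above (SSH password brute-forcing followed by a successful login) leaves a recognisable trail in sshd's auth log. The following Python script is an added example, not code from the article or from Bitdefender's report: it parses constructed sshd log lines (the IP addresses are documentation-range placeholders), counts failed logins per source address in a sliding window, and raises a second, higher-severity alert when an accepted login arrives from an address that was just brute-forcing. The threshold and window values are assumptions chosen for the sample, not figures from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth log (not from the article). 203.0.113.45 runs a
# password-guessing burst and then logs in as root; 198.51.100.7 is a normal user
# who mistypes a password once and then authenticates with a key.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jan 12 03:14:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Jan 12 03:14:05 host sshd[2103]: Failed password for root from 203.0.113.45 port 51041 ssh2
Jan 12 03:14:07 host sshd[2104]: Failed password for invalid user ubuntu from 203.0.113.45 port 51052 ssh2
Jan 12 03:14:09 host sshd[2105]: Failed password for root from 203.0.113.45 port 51060 ssh2
Jan 12 03:14:12 host sshd[2106]: Accepted password for root from 203.0.113.45 port 51071 ssh2
Jan 12 03:20:40 host sshd[2150]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 12 03:21:02 host sshd[2151]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
# No end anchor, so newer sshd lines that append a key fingerprint still match.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_line(line):
    """Return a dict for an sshd auth event, or None for lines we do not care about."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "outcome": m["outcome"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window failed-login counter per source IP.

    Emits ("bruteforce", ip, failures) once when an IP reaches `threshold`
    failures within `window_seconds`, and ("success_after_bruteforce", ip, user)
    whenever an accepted login comes from an IP still inside a brute-force burst.
    """
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    flagged = set()               # IPs already reported as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Expire failures that fell out of the window relative to this event.
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if ev["outcome"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent)))
        elif len(recent) >= threshold:
            # A success right after a guessing burst is the strongest compromise signal here.
            alerts.append(("success_after_bruteforce", ip, ev["user"]))
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample log the script reports the 203.0.113.45 burst once it reaches five failures and then flags the root login that follows it; the single mistyped password from 198.51.100.7 stays below the threshold. A "success_after_bruteforce" alert is the one worth paging on, since it means a weak password was actually guessed. The cheaper fix for the weakness the article describes is to stop accepting password logins at all (`PasswordAuthentication no` in sshd_config), at which point this detector only ever fires on the noise of failed attempts.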

"Most cybercriminals will take the easy path and [that] is to reuse as [many] existing tools and techniques as possible. It will really depend on whether the attacker cares about being discovered or not."


News URL

https://threatpost.com/linux-cryptojacking-gang-romania/167783/