
Diicot Unleashes Cayosin Botnet: Evolving Threats from Cryptojacking to DDoS Attacks


In a recent revelation, cybersecurity researchers have unearthed new and undocumented payloads linked to the Romanian threat actor known as Diicot, highlighting their potential for launching devastating distributed denial-of-service (DDoS) attacks.

The significance of the Diicot name cannot be ignored, as it aligns with Romania’s organized crime and anti-terrorism policing unit, instilling a sense of intrigue. Messaging and imagery found within the group’s campaigns further reinforce this connection, adding a layer of complexity to their operations.

Initially brought to light by Bitdefender in July 2021, Diicot, formerly known as Mexals, employed a Go-based SSH brute-forcer tool called Diicot Brute, enabling them to breach Linux hosts as part of an elaborate cryptojacking campaign.

In April of this year, Akamai raised an alarm, revealing a “resurgence” of Diicot’s activities that began around October 2022, with estimated profits amounting to a staggering $10,000.

Akamai researcher Stiv Kupchik shed light on their modus operandi, stating that “the attackers employ an extensive chain of payloads before eventually deploying a Monero cryptominer.” This new wave of attacks showcased advanced tactics, including the use of a Secure Shell Protocol (SSH) worm module, enhanced reporting capabilities, improved payload obfuscation techniques, and the introduction of a novel LAN spreader module.

In a recent analysis by Cado Security, it has come to light that Diicot is now utilizing a readily available botnet called Cayosin, which shares notable characteristics with infamous malware families such as Qbot and Mirai.

This development indicates that the threat actor has expanded its capabilities to include DDoS attacks. Diicot’s activities span a broad spectrum, including the doxxing of rival hacking groups, and the group relies on Discord for command-and-control operations and data exfiltration.

Cado Security states, “The deployment of this agent specifically targeted routers running the Linux-based embedded devices operating system, OpenWrt. The utilization of Cayosin demonstrates Diicot’s versatility in executing various attacks, depending on the nature of their targets, extending beyond cryptojacking alone.”

The compromise chains employed by Diicot have displayed remarkable consistency, leveraging their custom SSH brute-forcing tool to gain initial access, followed by the deployment of additional malware variants such as Mirai and crypto miners.

Among the tools utilized by the actor, some noteworthy ones include:

  1. Chrome: An internet scanner leveraging Zmap, capable of storing operation results in a text file named “bios.txt.”
  2. Update: An executable responsible for fetching and executing the SSH brute-forcer and Chrome if they are absent from the system.
  3. History: A shell script designed to execute Update.

The SSH brute-forcing tool (also known as “aliases”) parses the text file generated by Chrome and attempts to break into each IP address it lists. On success, it establishes a remote connection to the compromised IP address.

Subsequently, a series of commands is executed to profile the infected host. Based on the result, the host either receives a cryptominer or, if the machine’s CPU has fewer than four cores, is used as a spreader.

To counteract such malicious attacks, organizations are strongly advised to implement SSH hardening practices and enforce firewall rules that restrict SSH access to specific IP addresses.

Cado Security warns, “This campaign specifically targets SSH servers exposed to the internet with password authentication enabled. The username/password combinations employed by the threat actor are relatively limited, often consisting of default or easily guessable credentials.”
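To check a server for the exposure described above, the following added example (not code from the article, Cado Security or Akamai) audits OpenSSH `sshd_config` text for settings that leave password guessing possible. It assumes upstream OpenSSH defaults and its first-value-wins rule; the function names and sample configurations are constructed for illustration.

```python
# Added example (not from the article): audit OpenSSH sshd_config text.
# Assumption: upstream OpenSSH defaults; Include files are not followed.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_global(config_text):
    """Return global keyword -> value; sshd uses the FIRST value it reads."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # conditional blocks follow; global section ends
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit(config_text):
    """List settings that leave password guessing possible."""
    eff = {**DEFAULTS, **effective_global(config_text)}
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is effectively yes")
    if eff["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication yes can still prompt for passwords via PAM")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes allows root password logins")
    return findings

# Constructed samples. In WEAK the appended "no" is ignored: first value wins.
WEAK = """Port 22
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
"""
HARDENED = """PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "no password-guessing exposure found")
```

On a live host, the output of `sshd -T` (the effective configuration, with Include files resolved) can be passed to `audit` in place of the raw file.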

As the threat landscape continues to evolve, it is crucial for organizations to remain vigilant, fortify their security defenses, and stay one step ahead of adversaries like Diicot, who continuously adapt their tactics to unleash havoc in the digital realm.
