Romanian Linux Cryptojacking Cybercriminals Spotted

Since at least 2020, an active threat organization based in Romania has been running a cryptojacking operation against Linux-based machines using the Golang-based SSH brute force, according to The Hacker News. The campaign’s objective is to infect Linux systems with Monero mining applications.

Bitdefender researchers explained last week that the cybercriminal gang uses a password cracking program called “Diicot brute” delivered via a software-as-a-service model, with each threat actor using its own unique API keys to facilitate intrusions.

The security researchers concluded that the cybercriminal gang is responsible for at least two DDoS botnets, such as Chernobyl and the Perl IRC bot. Both use the XMRig mining payload downloaded from a domain called mexalz.us since February 2021.

Romanian hackers utilize various ways to hide their cryptojacking operations 

The group is also known to rely on a bundle of hidden techniques to slip under the radar. To this purpose, the Bash script is produced with a shell script compiler (shc), and Discord has been used to report the data back to a channel that is under its control. To bypass security, hackers employ command and control communications.

Discord, as a data exfiltration platform, offers an unmistakable threat to hosting a Command and Control server. Another advantage is that it aids in the establishment of communities focused on the purchase and selling of malware source code as well as other services to cybercriminals.

Bitdefender stated it had started its investigation in May 2021 and since then, they were able to identify the adversary’s assault infrastructure and toolkit. They further emphasized that hackers often pursue weak SSH. Weak credentials that hackers can quickly brute force, or default passwords and usernames, are among the biggest security vulnerabilities. The hard part is not brute forcing these credentials but finding a way to allow attackers to conduct their operations undetected.