Unpacking the Diicot Malware Targeting Linux Environments
Essential information
- Published: 17/12/2024 21:59
- Modified: 18/12/2024 12:11
- Tags: 2024-12-17, brute-force, cryptomining, linux, malware, openssh, persistence, reverse shell, upx, xmrig
- Related entities: 36 observables, 1 intrusion set (APT), 5 techniques (MITRE), 1 malware, 1 other
Description
A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements over previous iterations, including modified UPX headers with corrupted checksums (which interfere with standard unpacking), more elaborate payload staging, and behaviour that varies with the environment it runs in. The malware targets Linux machines running OpenSSH and gains access by exploiting weak credentials. It employs techniques such as file obfuscation, reverse shell capabilities, persistence mechanisms, and command and control communication. The campaign also includes SSH brute-force functionality and potential cryptojacking capabilities. The attackers have earned over $16,000 from Monero mining alone.