Full Report
On 2023-06-15, a campaign attributed to Diicot was reported. The actor gained initial access through password attacks (SSH bruteforcing), used UPX packing and Cron persistence, and achieved resource hijacking. The following tools were observed: XMRig, zmap.
Analysis Summary
# Tool/Technique: Diicot Campaign
## Overview
A reported campaign active around June 15, 2023, attributed to the threat actor group Diicot. This campaign primarily focused on gaining initial access to systems via exposed SSH services using password attacks, leading to the objective of resource hijacking, mostly achieved through cryptocurrency mining.
## Technical Details
- Type: Campaign / Threat Actor Activity
- Platform: Likely Linux/Unix systems (implied by SSH and Cron usage)
- Capabilities: Initial access via brute-forcing, persistence establishment, resource hijacking (cryptojacking).
- First Seen: 2023-06-15
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1110.001 - Brute Force: Password Guessing
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Scheduled Task/Job (Cron)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (Implied for tool communication like XMRig)
- TA0008 - Lateral Movement (Implied if tools like zmap are used for scanning)
- TA0009 - Collection (Implied for resource monitoring if part of cryptojacking payload)
- TA0010 - Impact
- T1496 - Resource Hijacking
## Functionality
### Core Capabilities
- **Initial Access:** Utilizing SSH bruteforcing against exposed services.
- **Persistence:** Establishing persistence via Cron jobs.
- **Execution & Defense Evasion:** Using UPX packing to obscure the malware binaries.
### Advanced Features
- **Resource Hijacking:** Deployment of crypto-mining software (XMRig) to leverage victim resources for financial gain.
## Indicators of Compromise
- File Hashes: N/A (Not specified in the context)
- File Names: N/A (Not specified for the primary malware, though XMRig and zmap are tools used)
- Registry Keys: N/A (Likely Linux-based persistence)
- Network Indicators: N/A (C2 information for Diicot malware or mining pools not specified)
- Behavioral Indicators: SSH login failures indicative of systematic password guessing, presence of `XMRig` binary, creation of new entries in system crontabs.
## Associated Threat Actors
- Diicot (Emerging Romanian threat actor group, based on context)
## Detection Methods
- **Signature-based detection:** Signatures for the specific configuration of XMRig or the packed malware.
- **Behavioral detection:** Monitoring for successful SSH logins after high volumes of failed attempts, frequent modification of crontab files, and high CPU/resource utilization associated with crypto-mining processes.
- **YARA rules if available:** N/A
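The behavioral detection above (a successful SSH login that follows a burst of failures from the same source, per the indicators listed under "Behavioral Indicators") can be run directly over sshd entries in `auth.log`. The following is an added example written for this report, not code from the original report or from any tool it names; the log lines are constructed, and the thresholds (5 failures within 300 seconds) are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the report): one source fails
# repeatedly against root and then succeeds; a second source is a normal user
# who mistypes once and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Jun 15 03:12:01 host1 sshd[2101]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun 15 03:12:03 host1 sshd[2103]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jun 15 03:12:05 host1 sshd[2105]: Failed password for invalid user admin from 203.0.113.45 port 51026 ssh2
Jun 15 03:12:07 host1 sshd[2107]: Failed password for root from 203.0.113.45 port 51028 ssh2
Jun 15 03:12:09 host1 sshd[2109]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jun 15 03:12:11 host1 sshd[2111]: Accepted password for root from 203.0.113.45 port 51032 ssh2
Jun 15 03:15:40 host1 sshd[2150]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jun 15 03:15:44 host1 sshd[2152]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2023):
    """Turn matching sshd lines into event dicts; syslog has no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce_success(events, min_failures=5, window_seconds=300):
    """Return one alert per Accepted login that was preceded, from the same source IP,
    by at least min_failures failed attempts inside the trailing window."""
    recent_failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        # Discard failures that have aged out of the window.
        recent_failures[ip] = [t for t in recent_failures[ip]
                               if (ev["ts"] - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            recent_failures[ip].append(ev["ts"])
        elif ev["result"] == "Accepted":
            if len(recent_failures[ip]) >= min_failures:
                alerts.append({"ip": ip, "user": ev["user"], "method": ev["method"],
                               "failures": len(recent_failures[ip]), "ts": ev["ts"]})
            recent_failures[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{alert['ts']} {alert['ip']} -> {alert['user']} via {alert['method']} "
              f"after {alert['failures']} failures")
```

The detector keys on the source IP rather than the username because password guessing typically cycles through several accounts; the second source in the sample (one failure, then a key login) is correctly left alone. Feeding `journalctl -u ssh` output or a shipped `auth.log` through `parse_auth_log` is sufficient for a one-off hunt.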
## Mitigation Strategies
- **Prevention measures:** Enforce strong, unique passwords for all SSH accounts; implement Multi-Factor Authentication (MFA) where possible; restrict SSH access via firewall rules to known IP ranges.
- **Hardening recommendations:** Disable root logins over SSH; use SSH key authentication exclusively; implement rate-limiting for failed login attempts (e.g., using Fail2Ban) to counteract SSH bruteforcing.
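The hardening recommendations above can be checked mechanically against an `sshd_config`. The following audit is an added example written for this report, not code from the original report; the two configuration samples are constructed, and the check only covers the three directives named here (`PermitRootLogin`, `PasswordAuthentication`, `PubkeyAuthentication`), ignoring `Match` blocks on the assumption that none are present.

```python
# Constructed sample: a permissive sshd_config (not taken from the report).
SSHD_CONFIG_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# keys are allowed too, but passwords remain enabled
PubkeyAuthentication yes
"""

# Constructed sample: the same file after applying the hardening recommendations.
SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Expected values, taken from the hardening recommendations in this report.
EXPECTED = {
    "permitrootlogin": ("no",),
    "passwordauthentication": ("no",),
    "pubkeyauthentication": ("yes",),
}


def parse_sshd_config(text):
    """Return a lowercase directive -> value map.

    sshd honours the first occurrence of a directive, so later duplicates are ignored.
    Comment and blank lines are skipped; Match blocks are not modelled (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set explicitly (sshd default applies)")
        elif actual.lower() not in allowed:
            findings.append(f"{key}: is '{actual}', expected {' or '.join(allowed)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SSHD_CONFIG_WEAK), ("hardened", SSHD_CONFIG_HARDENED)):
        print(name, audit_sshd_config(cfg) or "OK")
```

A directive that is simply absent is reported as a finding as well, because relying on the compiled-in default makes the policy invisible to anyone reading the file. Rate limiting of failed attempts (Fail2Ban in the recommendation above) is enforced outside `sshd_config` and is not covered by this check.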
## Related Tools/Techniques
- **XMRig:** A popular open-source Monero (XMR) mining software often repurposed by threat actors for cryptojacking.
- **zmap:** A fast network scanner used for broad reconnaissance of exposed services on the internet (potential for initial staging or discovery).
- **UPX:** Commonly used executable packer for legitimate and malicious software to obfuscate binaries.
***
# Tool/Technique: XMRig
## Overview
XMRig is a high-performance, open-source CPU-based miner designed for Monero (XMR) cryptocurrency mining. In this context, it was utilized by the Diicot actor group to perform cryptojacking after gaining system access, leading to resource hijacking.
## Technical Details
- Type: Tool (Cryptocurrency Miner)
- Platform: Multi-platform (Observed likely on Linux/Unix based on context)
- Capabilities: Mining Monero, high CPU utilization, silent operation when configured correctly.
- First Seen: N/A (Tool has existed since before the campaign)
## MITRE ATT&CK Mapping
- TA0009 - Collection (Resource Consumption aspect)
- T1005 - Data from Local System (Indirectly, by using resources)
- TA0010 - Impact
- T1496 - Resource Hijacking
## Functionality
### Core Capabilities
- Performing Proof-of-Work calculations necessary to mine Monero.
- Configurable parameters for CPU core affinity and power limits.
### Advanced Features
- Highly optimized CPU algorithms for various hardware architectures, maximizing hash rate utilization.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `xmrig.exe`, or variations thereof depending on system architecture and actor renaming.
- Registry Keys: N/A
- Network Indicators: Connections to known Monero mining pools (specific pool addresses are not provided).
- Behavioral Indicators: Sustained, high CPU load across multiple cores, particularly during off-peak hours.
## Associated Threat Actors
- Various cryptojacking campaigns, including Kinsing, 8220 Cryptomining Group, and Diicot in this instance.
## Detection Methods
- **Signature-based detection:** Signatures for known XMRig binary hashes.
- **Behavioral detection:** Monitoring for processes exhibiting sustained, high utilization of CPU resources not attributable to legitimate system functions. Network traffic patterns consistent with mining pool communications.
- **YARA rules if available:** YARA rules targeting known XMRig strings or configuration patterns within executable files.
## Mitigation Strategies
- **Prevention measures:** Block outbound connections from servers to known mining pool addresses and to the ports commonly used by mining pools (e.g., 3333, 5555, 7777).
- **Hardening recommendations:** Implement strict process control to only allow expected binaries to execute; use resource monitoring tools to alert on unusual sustained CPU consumption.
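The behavioral indicators and mitigations listed for XMRig (sustained high CPU across samples, plus outbound connections on typical mining-pool ports) can be combined into a simple host-side scoring routine. This is an added example written for this report, not code from the original report or from XMRig; the process CPU samples and the connection table are constructed, and the thresholds (80% CPU over the last five samples, the port set 3333/5555/7777 taken from the mitigation list) are assumptions.

```python
from collections import defaultdict

# Constructed CPU samples, as a monitoring agent might collect them once a minute:
# (sample_index, pid, comm, cpu_percent). Not from the report.
CPU_SAMPLES = [
    (1, 4242, "xmrig", 97.0), (2, 4242, "xmrig", 98.5), (3, 4242, "xmrig", 96.0),
    (4, 4242, "xmrig", 99.0), (5, 4242, "xmrig", 97.5), (6, 4242, "xmrig", 98.0),
    (1, 1337, "postgres", 91.0), (2, 1337, "postgres", 88.0), (3, 1337, "postgres", 12.0),
    (4, 1337, "postgres", 9.0), (5, 1337, "postgres", 85.0), (6, 1337, "postgres", 14.0),
    (1, 800, "sshd", 0.5), (2, 800, "sshd", 0.3), (3, 800, "sshd", 0.4),
    (4, 800, "sshd", 0.2), (5, 800, "sshd", 0.6), (6, 800, "sshd", 0.3),
]

# Constructed established-connection table: (pid, remote_ip, remote_port). Not from the report.
CONNECTIONS = [
    (4242, "192.0.2.10", 3333),
    (1337, "10.0.0.5", 5432),
    (800, "10.0.0.9", 50122),
]

# Ports named in the mitigation list above; real pools vary, so treat this as a starting point.
MINING_POOL_PORTS = {3333, 5555, 7777}


def sustained_high_cpu(samples, threshold=80.0, min_consecutive=5):
    """Return {pid: comm} for processes whose CPU stayed at or above `threshold`
    in each of the last `min_consecutive` samples. Bursty but legitimate load
    (the postgres sample) does not qualify."""
    series = defaultdict(list)
    for _idx, pid, comm, cpu in sorted(samples):
        series[(pid, comm)].append(cpu)
    flagged = {}
    for (pid, comm), values in series.items():
        tail = values[-min_consecutive:]
        if len(tail) == min_consecutive and all(v >= threshold for v in tail):
            flagged[pid] = comm
    return flagged


def pool_port_connections(connections, ports=MINING_POOL_PORTS):
    """Return the set of pids with at least one remote endpoint on a mining-pool port."""
    return {pid for pid, _ip, port in connections if port in ports}


def score_processes(samples, connections):
    """Combine both heuristics; a process needs sustained CPU to be reported at all,
    and the pool-port connection is recorded as a second reason when present."""
    hot = sustained_high_cpu(samples)
    pool = pool_port_connections(connections)
    findings = []
    for pid, comm in hot.items():
        reasons = ["sustained high CPU"]
        if pid in pool:
            reasons.append("outbound connection on a mining-pool port")
        findings.append({"pid": pid, "comm": comm, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_processes(CPU_SAMPLES, CONNECTIONS):
        print(f"pid {f['pid']} ({f['comm']}): {', '.join(f['reasons'])}")
```

Neither heuristic looks at the process name, which matters because the indicators above note that actors rename the binary; a renamed miner still burns CPU and still talks to a pool.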
## Related Tools/Techniques
- Other miners: Claymore, T-Rex, Ghost Miner.
- Persistence methods: Cron jobs (as used in the Diicot campaign).
***
# Tool/Technique: zmap
## Overview
zmap is a fast, single-packet network scanner designed to scan the entire IPv4 address space in under one hour on a single machine. In this context it was listed as an observed tool, suggesting Diicot may have used it after the initial compromise for reconnaissance to locate additional exposed SSH services or other vulnerable hosts.
## Technical Details
- Type: Tool (Network Scanner/Reconnaissance)
- Platform: Linux/Unix (Primary usage environment)
- Capabilities: Rapidly scanning IP addresses to determine which hosts are listening on specific ports.
- First Seen: N/A (Tool has existed since before the campaign)
## MITRE ATT&CK Mapping
- TA0013 - Reconnaissance
- T1595.001 - Netscans
## Functionality
### Core Capabilities
- Rapid port scanning across large IP ranges.
- Runs alongside other processes with little overhead, and its stateless probing is often less conspicuous than traditional full TCP connect scans.
### Advanced Features
- Uses stateless packet send/receive techniques (no per-target connection state is kept) to achieve high throughput.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `zmap`
- Registry Keys: N/A
- Network Indicators: High volume outbound TCP SYN packets targeting specific ports (like TCP/22 for SSH) directed towards external IP ranges.
- Behavioral Indicators: Generation of network packets consistent with a fast, stateless scan.
## Associated Threat Actors
- Various penetration testers and threat actors who rely on broad network reconnaissance (e.g., Kinsing), as well as general infrastructure discovery tooling.
## Detection Methods
- **Signature-based detection:** Signatures for the `zmap` binary.
- **Behavioral detection:** Monitoring network egress traffic for patterns matching high-speed, stateless port sweeping.
- **YARA rules if available:** N/A
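The network indicators and behavioral detection described for zmap (a high volume of SYN-only flows from one source to many destinations on the same port, with no completed handshakes) can be expressed as a sliding-window check over flow records. This is an added example written for this report, not code from the original report or from zmap; the flow records are constructed, the `flags` field is assumed to be the cumulative TCP flags seen for the flow (so `"S"` alone means the SYN was never answered), and the thresholds (50 distinct targets within 10 seconds, at least 90% SYN-only) are assumptions to be tuned.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records (not from the report): (ts_seconds, src, dst, dport, flags)."""
    flows = []
    # One internal host sends a single SYN to each of 120 external addresses on TCP/22,
    # 10 ms apart, and never completes a handshake: the shape of a stateless sweep.
    for i in range(1, 121):
        flows.append((100.0 + i * 0.01, "10.0.0.23", f"198.51.100.{i}", 22, "S"))
    # Ordinary traffic: an admin workstation opening three SSH sessions, each with a
    # completed handshake and data ("SPAF" = SYN, PSH, ACK, FIN all seen on the flow).
    for i, dst in enumerate(["10.0.0.40", "10.0.0.41", "10.0.0.42"]):
        flows.append((100.0 + i, "10.0.0.5", dst, 22, "SPAF"))
    return flows


def detect_syn_sweep(flows, window_seconds=10.0, min_targets=50, syn_only_ratio=0.9):
    """Return one alert per (src, dport) pair that, inside any window of
    `window_seconds`, contacted at least `min_targets` distinct destinations with
    at least `syn_only_ratio` of those flows being SYN-only."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        by_key[(src, dport)].append((ts, dst, flags))

    alerts = []
    for (src, dport), recs in by_key.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it fits within window_seconds of recs[end].
            while recs[end][0] - recs[start][0] > window_seconds:
                start += 1
            window = recs[start:end + 1]
            targets = {dst for _ts, dst, _flags in window}
            syn_only = sum(1 for _ts, _dst, flags in window if flags == "S")
            if len(targets) >= min_targets and syn_only / len(window) >= syn_only_ratio:
                alerts.append({"src": src, "dport": dport, "targets": len(targets),
                               "window_start": recs[start][0]})
                break  # one alert per source/port pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_syn_sweep(build_sample_flows()):
        print(f"{a['src']} swept {a['targets']} hosts on tcp/{a['dport']} "
              f"starting at t={a['window_start']:.2f}")
```

The reported target count is the number of distinct destinations at the moment the threshold was crossed, not the total for the whole sweep. Grouping by destination port is what separates a sweep from a busy but legitimate client: the admin workstation in the sample touches three hosts with full handshakes and is never reported.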
## Mitigation Strategies
- **Prevention measures:** Apply strong ingress filtering at the network perimeter to drop scanning traffic from unauthorized source addresses; note that this does little against scans launched from already-compromised internal systems.
- **Hardening recommendations:** Network monitoring tools (IDS/IPS) should be tuned to detect high-frequency SYN scan patterns, regardless of the tool used.
## Related Tools/Techniques
- Masscan, Nmap (when utilized for broad scans).
- T1110.001 (SSH Bruteforcing) often follows successful discovery via tools like zmap.