Full Report
Wiz Threat Research uncovered a new malware campaign targeting Linux environments attributed to the Diicot threat group.
Analysis Summary
# Threat Actor: DIICOT / Mexals
## Attribution & Identity
Attributed to a Romanian-speaking threat group. Also known as **Mexals**. Previous reports by Cado Security, Akamai, and Bitdefender have tracked this actor. The attribution is based on the presence of Romanian words (e.g., *afișează*, *așteaptă*, *brute-retea*) in code and file paths.
## Activity Summary
The group is conducting a widespread, evolving malware campaign primarily targeting **Linux systems** running OpenSSH. The objective appears to be cryptomining activity, though newer versions show cloud-aware logic prioritizing propagation over mining on cloud hosts. Recent activity involves updated malware showcasing increased sophistication, active learning from prior threat intelligence, and continuous refinement of evasion techniques. The campaign utilizes an initial infection vector exploiting weak SSH credentials.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting weak OpenSSH credentials.
- **Execution/Defense Evasion:** Use of heavily modified **UPX packers** with corrupted checksums to hinder standard unpacking tools. Shift from `shc` binaries to **Go-based tools**.
- **Persistence/Command and Control:** Utilizes an 'Update' payload as a central component with expanded capabilities for spreading and persistence. A shift from Discord-based C2 to **HTTP-based C2** has been observed. Reverse shell capabilities (`client.go`) provide direct remote access.
- **Lateral Movement:** **Self-propagating tools** observed, specifically an OpenSSH scanner (`.bisis`) used for banner grabbing and host identification, followed by spreading campaigns.
- **T1059.006 (Command and Scripting Interpreter: Unix Shell):** Use of Bash scripts (`.c`, `.b`, `History`).
- **T1027 (Obfuscated Files or Information):** Custom UPX packing observed.
## Targeting
- **Sectors:** Various sectors utilizing cloud environments (derived from widespread findings across the customer base).
- **Geography:** Associated with Romanian operators; targeting likely global based on cloud presence.
- **Victims:** Linux-based machines running potentially weakly secured OpenSSH services, including systems hosted on major cloud providers (Azure, Amazon, Linode, Oracle Cloud).
## Tools & Infrastructure
- **Malware Families Used:** Custom Linux malware, cryptomining malware (**XMRig** observed in historical context), **Go-based tools** for primary payloads (`brute-spreader.go`, `client.go`).
- **Infrastructure (C2, domains, IPs):**
  - **Domains:** `digital.digitaldatainsights[.]org`, `test.digitaldatainsights[.]org`, `pauza.digitaldatainsights[.]org`, `web.digitaldatainsights[.]org`.
  - **IPs:** `80.76.51[.]5`, `87.120.116[.]35`, `185.112.249[.]20`, `87.120.114[.]219`, `91.92.250[.]6`.
- **Cryptomining:** Use of the **Zephyr protocol** in addition to Monero, utilizing pools such as `87.120.116[.]35:7777` and `pool.supportxmr[.]com:443`.
- **Specific Payloads:** **/var/tmp/.update-logs/Update** (Primary payload, `brute-spreader.go`), **/var/tmp/cache** (Reverse shell, `client.go`), **/.bisis** (Scanner).
## Implications
DIICOT/Mexals is an adaptive threat actor that actively analyzes public threat intelligence regarding its operations and rapidly incorporates changes to bypass detection. Their focus on cloud environments, demonstrated by cloud-aware payloads that prioritize lateral movement over immediate resource exhaustion (cryptomining), indicates a high threat level for organizations relying on default or poorly secured Linux hosts in IaaS/PaaS environments.
## Mitigations
- **SSH Security:** Enforce strong credential policies and disable password-based authentication in favor of secure key-based authentication for OpenSSH.
- **Runtime Visibility:** Implement advanced endpoint detection and response (EDR) or cloud workload protection platforms capable of detecting suspicious process execution, unusual file creation (e.g., binaries in `/var/tmp/`), and packer evasion techniques.
- **Cloud Environment Hardening:** Monitor system metadata or kernel versions for signatures indicating cloud instances and enforce stricter controls on hosts identified as cloud assets.
- **Network Segmentation:** Limit lateral movement potential by aggressively segmenting networks, thus restricting the effectiveness of SSH scanning and propagation tools.
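The first three mitigations above translate into checks a defender can script: audit `sshd_config` for password-based login paths, count failed SSH password attempts per source in `auth.log`, and match observed file paths and network destinations against the IoCs listed in this report. The following is an added example, not code from the Wiz report; it assumes current upstream OpenSSH defaults (password and keyboard-interactive authentication enabled unless explicitly turned off, root login limited to `prohibit-password`), reads only global directives (no `Match` blocks), and uses a constructed config and constructed log lines. The paths, domains, IPs and pool addresses are the ones this report lists, with defanging brackets removed for matching.

```python
"""Added example (not from the Wiz report): checks for the SSH-hardening and
runtime-visibility mitigations. Sample config and log lines are constructed."""
import re
from collections import Counter

# IoCs from this report, defanging removed so they can be compared directly.
IOC_PATHS = {"/var/tmp/.update-logs/Update", "/var/tmp/cache", "/.bisis"}
IOC_DOMAINS = {
    "digital.digitaldatainsights.org", "test.digitaldatainsights.org",
    "pauza.digitaldatainsights.org", "web.digitaldatainsights.org",
}
IOC_IPS = {"80.76.51.5", "87.120.116.35", "185.112.249.20",
           "87.120.114.219", "91.92.250.6"}
MINING_POOLS = {"87.120.116.35:7777", "pool.supportxmr.com:443"}


def sshd_config_findings(config_text):
    """Return weak settings found in an sshd_config body (global scope only).
    sshd honours the first occurrence of a keyword, so the first value wins.
    Defaults assumed are upstream OpenSSH defaults."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blank lines
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication enabled: set it to 'no'")
    # Disabling PasswordAuthentication alone is not enough: with PAM, the
    # keyboard-interactive method still prompts for a password.
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))
    if kbd == "yes":
        findings.append("KbdInteractiveAuthentication enabled: passwords still accepted via PAM")
    if settings.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins")
    if settings.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication disabled: key-based auth unavailable")
    return findings


# Constructed configs: the weak form beside the hardened form.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""
HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def bruteforce_sources(log_lines, threshold=5):
    """Count failed SSH password attempts per source IP; return (ip, count)
    pairs at or above threshold, highest count first."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


# Constructed auth.log lines: one of the report's IPs spraying passwords,
# plus a legitimate user who fails once and then logs in with a key.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 80.76.51.5 port 41022 ssh2",
    "Mar  3 10:00:02 host sshd[1203]: Failed password for root from 80.76.51.5 port 41030 ssh2",
    "Mar  3 10:00:03 host sshd[1205]: Failed password for invalid user test from 80.76.51.5 port 41044 ssh2",
    "Mar  3 10:00:04 host sshd[1207]: Failed password for root from 80.76.51.5 port 41051 ssh2",
    "Mar  3 10:00:09 host sshd[1210]: Failed password for alice from 10.0.0.7 port 51000 ssh2",
    "Mar  3 10:00:15 host sshd[1212]: Accepted publickey for alice from 10.0.0.7 port 51002 ssh2",
]


def ioc_matches(paths, destinations):
    """Match observed file paths and destinations (host or host:port) against
    the report's IoCs; pool addresses are matched as full host:port strings."""
    hits = {"paths": sorted(p for p in paths if p in IOC_PATHS), "destinations": []}
    for dest in destinations:
        host = dest.rsplit(":", 1)[0] if ":" in dest else dest
        if host in IOC_DOMAINS or host in IOC_IPS or dest in MINING_POOLS:
            hits["destinations"].append(dest)
    hits["destinations"].sort()
    return hits


if __name__ == "__main__":
    print("weak config:", sshd_config_findings(WEAK_CONFIG))
    print("hardened config:", sshd_config_findings(HARDENED_CONFIG))
    print("brute-force sources:", bruteforce_sources(SAMPLE_AUTH_LOG, threshold=3))
    print("IoC hits:", ioc_matches(["/var/tmp/cache", "/usr/bin/ls"],
                                   ["pool.supportxmr.com:443", "10.0.0.7:22"]))
```

Note that an empty config yields findings even though nothing is "set": the defaults themselves leave password login open, which is the point of the `PasswordAuthentication` and `KbdInteractiveAuthentication` checks. The brute-force threshold is deliberately low for the constructed sample; on a real host, tune it to the volume of `auth.log` on the monitored system and feed the output to the runtime-visibility tooling described above.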