Full Report
On 2023-04-12, a campaign attributed to Diicot was reported. It gained initial access via a password attack (SSH brute forcing), used cron for persistence and UPX packing to obscure its payloads, and had resource hijacking as its objective. The following tool was observed: XMRig.
Analysis Summary
# Tool/Technique: Diicot Campaign
## Overview
This entry summarizes a cryptojacking campaign attributed to the threat actor group Diicot, reported in April 2023. The campaign's objective was resource hijacking through cryptomining, after initial access was gained via password attacks.
## Technical Details
- Type: Campaign (with associated malware tooling)
- Platform: Not explicitly stated; the use of SSH and cron indicates Linux/Unix hosts.
- Capabilities: Initial access, persistence establishment, resource hijacking (cryptomining).
- First Seen: 2023-04-12 (Date of report)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1110 - Brute Force
- T1110.001 - Password Guessing: SSH
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Cron Job
- TA0004 - Privilege Escalation (Implied by resource hijacking)
- TA0011 - Command and Control (Implied by tooling, though C2 not explicitly detailed)
- TA0005 - Defense Evasion
- T1484 - Obfuscated Files or Information (Implied by UPX packing)
- TA0109 - Impact
- T1496 - Resource Hijacking
## Functionality
### Core Capabilities
- **Initial Access:** Entry gained through password attacks, specifically SSH brute forcing.
- **Persistence:** Foothold maintained through cron-based persistence.
- **Resource Hijacking:** The end goal was hijacking of system resources, strongly implied to be for cryptocurrency mining given the observed tool (XMRig).
### Advanced Features
- **Obfuscation:** The malware payload was UPX-packed, which compresses the on-disk binary and can defeat naive signature matching against the unpacked code; the packed payload is restored in memory at run time.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: [Not provided in the context]
- Behavioral Indicators: bursts of failed SSH login attempts (brute forcing), creation or modification of cron entries, execution of UPX-packed binaries, execution of XMRig (sustained high CPU utilization).
## Associated Threat Actors
- Diicot
## Detection Methods
- **Signature-based detection:** Signatures for the UPX-packed binaries and known XMRig builds. UPX is also used by legitimate software, so a packed-binary match on its own is a weak indicator and should be corroborated with the behavioral signals below.
- **Behavioral detection:** Monitoring for excessive failed SSH login attempts from a single source, and in particular a successful login that follows such a burst. Detection of new or modified cron job entries. Monitoring for sustained CPU/resource utilization anomalies indicative of cryptomining.
- **YARA rules:** Rules can be written for the Diicot malware components or for UPX-specific indicators.
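As an added illustration of the behavioral detection described above (not code from the report or from any vendor), the following script scans constructed OpenSSH `auth.log` lines, flags a source that produces a burst of failed password logins within a short window, and escalates the verdict when a successful login from the same source follows the burst. The log lines, addresses and the 2023 year are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the report); 203.0.113.5 is the
# simulated brute-forcer, 198.51.100.7 a legitimate user with one typo.
SAMPLE_LOG = """\
Apr 12 03:10:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr 12 03:10:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Apr 12 03:10:05 host sshd[2103]: Failed password for root from 203.0.113.5 port 40141 ssh2
Apr 12 03:10:07 host sshd[2104]: Failed password for root from 203.0.113.5 port 40150 ssh2
Apr 12 03:10:09 host sshd[2105]: Failed password for root from 203.0.113.5 port 40163 ssh2
Apr 12 03:10:11 host sshd[2106]: Accepted password for root from 203.0.113.5 port 40170 ssh2
Apr 12 03:20:00 host sshd[2200]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Apr 12 03:25:00 host sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_ts(ts, year=2023):
    # syslog timestamps carry no year; 2023 is assumed for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(log_text, threshold=5, window_s=60):
    """Map source IP -> 'bruteforce' when `threshold` failed password logins land
    within `window_s` seconds, or 'bruteforce+success' if a login then succeeds."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog line
        t = parse_ts(m["ts"])
        (failures if m["result"] == "Failed" else successes)[m["ip"]].append(t)
    verdicts = {}
    for ip, times in failures.items():
        times.sort()
        # sliding window over consecutive failures from the same source
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                burst_end = times[i + threshold - 1]
                later_ok = any(s >= burst_end for s in successes.get(ip, []))
                verdicts[ip] = "bruteforce+success" if later_ok else "bruteforce"
                break
    return verdicts
```

A `bruteforce+success` verdict is the one worth paging on, since it indicates the password attack likely worked and cron persistence may follow; a plain `bruteforce` verdict is the signal Fail2ban-style blocking acts on.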
## Mitigation Strategies
- **Prevention measures:** Enforce strong, unique passwords for SSH access, and use SSH key-based authentication instead of passwords wherever possible.
- **Hardening recommendations:** Deploy brute-force protection (e.g., Fail2ban) in front of SSH. Regularly audit system and per-user cron jobs for unauthorized entries. Keep systems patched so that password attacks cannot be combined with known vulnerabilities.
## Related Tools/Techniques
- XMRig (Observed Tool)
- UPX Packing (Defense Evasion Technique)
- SSH Bruteforcing (Initial Access Technique)