Security researchers from Bitdefender have identified a new threat group targeting Linux machines which are configured with weak credentials for deploying their toolkit with cryptojacking and other hacking toolkits.
Researchers confirmed that the toolkit has tools such as masscan, zmap and custom written SSH bruteforcer (dubbbed “Diicot brute”) written in GO language. “This tool appears to be distributed on an as-a-service model, as it uses a centralized API server. Each threat actor supplies their API key in their scripts” stated in the blog post.
Additionally, the interface of bruteforcer tool seems to be with English and Romanian language which confirms that the author might be based out of Romania.
Researchers told that they had started investigating this group from May 2021 and surprisingly traced the malware easily at http://45%5B.%5D32%5B.%5D112%5B.%5D68/.sherifu/.93joshua with the open directory with other files. “The associated domain, mexalz.us, has hosted malware at least since February 2021.” reads the blog post.
Front page of the site http://45%5B.%5D32%5B.%5D112%5B.%5D68/
The attack starts with identifying weakly configured SSH credentials following which the loaders(93joshua) are deployed and executed for gathering system information that will be exfiltrated via HTTP POST requests to the Discord Webhook. By using this technique, the threat actors avoid the need to host their own C&C and the exfiltrated data can be viewed easily by the threat actors.
Researchers also observed various other loaders apart from 93joshua, like .purrple and .black at their disposal which are encrypted with shc.
The global webhooks of Discord are:
- https://discord[.]com/api/webhooks/796089316517347369/zRjSflkA7z9C4N9PaPWIJQFLMSKGk5iJNv9T_Z880jhLOpkQ3OEGsbdz4GsX80WwRY0g
- https://discord[.]com/api/webhooks/845977569446068234/ggGoh-5DEpMLtIi0OKNc8z3b3MgxjZaxovL0R0dBiMsP0hnMTIkNx_JoFTLKJtbyRSx
Cyberworkx News readers can checkout the IOC’s from this link.
Source: Bitdefender.
–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1
CyberWorkx 