unpacking diicot-tikochinski2024

Unpacking Diicot - Evolving Campaign Targeting Linux Environments

by Gili Tikochinski and Yaara Shriki

Wiz Threat Research 2024

https://www.wiz.io/blog/diicot-t

Notes
Wiz Threat Research
malware campaign
Linux malware
Diicot
Romania
cloud
Cado Security
Akamai
BitDefender
malware has been iterated upon/improved; threat actor is learning/evolving
Mexals
self-propagation
custom UPX packer
internet scanning
cryptocurrency mining
XMRig
packer
staged payload
malware updates
detection evasion
persistence
corrupted UPX checksums break standard unpacking tools
malware detecting cloud environment by observing Linux distro/version
threat intelligence
Discord-based C2
HTTP C2
cryptocurrency wallet
mining pool
Zephyr protocol
Monero
Golang-based malware
custom UPX packer
cloud-aware payload
Romanian attribution due to Romanian language used within samples
OpenSSH
weak credentials
YARA
Azure
var/tmp.update-logs/Update
brute-spreader.go
hidden directory
Azure Linux
Amazon Linux
Linode
Oracle Cloud
/var/tmp/cache, client.go
var/tmp.update-logs/.bisis
banner grabbing
IP list
hardcoded URLs
port 22
VirusTotal
“first seen” on VirusTotal
abc123, payload.go
obfuscation
magic header - modified UPX changed the 'UPX!' header to 'YTS\x99'
upx_dec
reverse shell
command and control
remote command execution
cron persistence - @reboot, @daily, @monthly
disown command
reverse SSH
bash script
brute force
base64
User-Agent curl/7.68.0
malware obtains CPU count, hostname, architecture, kernel version
malware obtains host’s IP addresses, username, password, and SSH ports
malware determines GPU availability
bisis binary - SSH scanning and brute force tool
GreyNoise
raspberry pi
mongodb
sonar/sonar123
git/git
awsgui/awsgui
wang/wang123
hive/hive
nginx/nginx
tracking crypto wallets and pools
Validin
passive DNS
IoC
Links
https://www.cadosecurity.com/blog/tracking-diicot-an-emerging-romanian-threat-actor
https://www.akamai.com/blog/security-research/mexals-cryptojacking-malware-resurgence
https://www.bitdefender.com/en-us/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign
https://github.com/lcashdol/UPX
IoCs