Linux-Focused Cryptojacking Gang Tracked to Romania


A cryptojacking gang that’s likely based in Romania is using a never-before-seen SSH brute-forcer dubbed “Diicot brute” to crack weak passwords on Linux-based machines.

The point of the campaign is mainly to deploy Monero mining malware, Bitdefender researchers said in a report published on Wednesday, though the gang’s kit could let them attempt other types of attacks. Researchers said that they’ve connected the group to at least two distributed-denial-of-service (DDoS) botnets: a variant of the Linux-based DDoS DemonBot botnet called “chernobyl” and a Perl IRC bot.

Why cryptojacking? Because it’s a sweet shortcut to get to the loot. “As you all know, mining for cryptocurrency is slow and tedious, but it can go faster when using multiple systems,” according to the report. “Owning multiple systems for mining is not cheap, so attackers try the next best thing: To remotely compromise devices and use them for mining instead.”