Recently, TEHTRIS cybersecurity researchers discovered illegal activities associated with cryptojacking on Linux systems. The perpetrators have ties to Romania and are likely linked to a group tracked down by other security researchers in 2021. TEHTRIS has named this campaign Color1337, where 1337 is a kind of signature of the cybercriminals.
The strategy of the cybercriminal group behind this attack is to make the most of the device they are accessing. If the machine has enough computing power, the attacker deploys a miner called “diicot” that uses the machine’s CPU to mine cryptocurrencies. If the machine lacks sufficient computing power, the attacker downloads a Trojan called “Update” and uses the device to collect information about other possible targets.
Cryptojacking on Linux systems
Mining cryptocurrency is not a new phenomenon, but it is a tactic that is clearly gaining popularity. According to research by Top10VPN, the number of cryptojacking incidents increased to an average of 15.02 million per month in 2022, up from 8.09 million per month in 2021. This represents an 86% increase in one year.
The group of cybercriminals discovered by TEHTRIS in mid-January employs two different strategies to make the most of a compromised Linux system. If the machine has enough capacity (more than four cores), the diicot cryptominer is installed and the CPU is used for cryptomining. If the machine lacks the capacity required to mine cryptocurrency, the attacker instead downloads the Update executable and uses the system to collect information about other possible targets.
Discord
The attacker uses a Discord server to extract data from compromised machines. This is in line with a growing trend among cyber attackers of running their operations through popular messaging apps. By using an infected device to collect this kind of information, the attacker can spread the reconnaissance phase across multiple machines and IP addresses, making it difficult to trace the original source of the attack.
Ties with Romania
The group of attackers refers to themselves as ThePatron1337, and 1337 is a recurring element throughout the attack. For these reasons, TEHTRIS has named this campaign Color1337, where 1337 is seen as the signature of the cybercriminals. It is the port number the group uses to collect data from the compromised machines, as well as the color code used for messages on Discord.
Furthermore, the analyzed bash scripts contain commands in the Romanian language, indicating the origin of the actor who wrote them. It is striking, for example, that DIICOT (the name of the miner, first discovered in October 2022) is also, ironically, the abbreviation of a Romanian agency that investigates organized crime, cybercrime, financial crime and terrorism.
In addition to the coincidences linking the cyberattack to Romania, TEHTRIS experts have discovered certain similarities to the Romanian group behind a cryptojacking campaign tracked down by BitDefender in 2021. The “Update” script references a file of the same name; combined with the previously established link to Romania, this makes it possible that the same group is behind this attack and has updated its tools.
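A host-side triage check for the indicators described above (the diicot and Update process names, the port 1337 collection channel, and the four-core threshold that decides which branch a victim gets), written as an added example for this article and not code from TEHTRIS or from the campaign itself. It assumes a Linux host with a little-endian CPU, reads the kernel's /proc/net/tcp and /proc/<pid>/comm, and ships with a constructed /proc/net/tcp sample so it can be exercised offline.

```python
import os
import socket
from pathlib import Path

# Indicators named in the article: the two binary names, the collection port, and the core threshold.
SUSPECT_PROCESS_NAMES = {"diicot", "Update"}
COLLECTION_PORT = 1337
MINER_CORE_THRESHOLD = 4  # the miner is deployed only on hosts with more than four cores
TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x06: "TIME_WAIT", 0x0A: "LISTEN"}
# Constructed sample in /proc/net/tcp layout (IPv4 addresses in little-endian host byte order).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B3E4 0100A8C0:0539 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

def _endpoint(hex_pair):
    """Decode the kernel's 'AABBCCDD:PPPP' form (IPv4 in host order) into (ip, port)."""
    addr_hex, port_hex = hex_pair.split(":")
    ip = socket.inet_ntop(socket.AF_INET, bytes.fromhex(addr_hex)[::-1])
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return [(local_ip, local_port, remote_ip, remote_port, state), ...], skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        local, remote = _endpoint(parts[1]), _endpoint(parts[2])
        state = TCP_STATES.get(int(parts[3], 16), parts[3])
        rows.append((*local, *remote, state))
    return rows

def connections_to_port(text, port=COLLECTION_PORT):
    """Sockets whose remote end is the collection port (LISTEN rows carry remote 0.0.0.0:0)."""
    return [r for r in parse_proc_net_tcp(text) if r[3] == port]

def suspect_processes(comm_by_pid):
    """PIDs whose command name matches the campaign's binaries (weak on its own: 'Update' is a common name)."""
    return sorted(pid for pid, comm in comm_by_pid.items() if comm in SUSPECT_PROCESS_NAMES)

def attacker_branch(core_count):
    """Which path the campaign would take on a host with this many cores."""
    return "miner" if core_count > MINER_CORE_THRESHOLD else "recon"

if __name__ == "__main__":
    # Live run: processes that exit mid-scan may raise OSError; acceptable for a quick triage.
    comm = {p.name: (p / "comm").read_text().strip() for p in Path("/proc").iterdir() if p.name.isdigit()}
    print("this host would get the", attacker_branch(os.cpu_count() or 1), "branch")
    print("sockets to port 1337:", connections_to_port(Path("/proc/net/tcp").read_text()))
    print("suspect processes:", suspect_processes(comm))
```

A hit on port 1337 alone does not prove compromise; correlate it with the process match and with outbound traffic to Discord before escalating.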
“This attack campaign is another reminder that cyber attackers are massively misusing credentials. Moreover, because messaging apps such as Discord or Telegram are very popular, they are often overlooked by companies that do not monitor the links with these legitimate services. Attacks are more likely to spread without being stopped,” said Laurent Oudot, co-founder and CTO of TEHTRIS.
