Researchers Raise the Alarm on the Linux Cryptojacking Campaign

Romanian threat activity aimed at Monero mining uncovered by security researchers


Bitdefender security researchers have uncovered threat activity dating back to at least 2020. The Romanian threat actors' apparent objective is to infect Linux systems with Monero mining malware.

Key Facts

  1. SSH machines written in Golang have been reported as prime targets.
  2. The report has identified Diicot brute as the password cracking software.
  3. It is believed that they have bags of underhanded tricks they use to maintain a low profile.


An acclaimed cybersecurity firm, Bitdefender, has released a report on a cryptojacking campaign investigation that got underway in the second quarter of 2021. It is quite disturbing that activity of this significance and threat level managed to slip under the radar of security teams for so long. The Romanian threat group is believed to have been operating since "at least" 2020, as reported by the researchers. The open-ended phrase "at least" leaves room to surmise that the campaign began even earlier.

Bitdefender has attributed two DDoS botnets, a Perl IRC bot and Chernobyl, to the cybercriminal gang. What they have in common is the XMRig mining payload downloaded in February 2021.

Bitdefender reported that the cryptojacking campaign targeted Linux servers, specifically in-server machines with weak credentials. Though the actors' goal is to install Monero mining applications, they could also carry out other kinds of attacks.

Going after weak targets is common practice in any warfare or assault, and it is not surprising given past events: default access details or weak credentials pose no challenge to actors using brute-force tactics. They have always been the Achilles heel of security-fortified systems. This phase is split into three stages (reconnaissance, credential access, and initial access), each with an entirely different set of tools.
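One way a defender can spot the credential-access and initial-access stages described above in sshd logs, as an added example that is not from Bitdefender's report or the original article. The log lines, the default threshold of five failures and the function name `analyze` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log lines (documentation IP ranges), not data from the report.
SAMPLE_LOG = """\
Jul 14 03:12:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jul 14 03:12:02 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Jul 14 03:12:03 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
Jul 14 03:12:04 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51125 ssh2
Jul 14 03:12:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jul 14 03:12:06 web01 sshd[2216]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Jul 14 03:15:40 web01 sshd[2301]: Failed password for deploy from 198.51.100.20 port 40022 ssh2
Jul 14 03:15:48 web01 sshd[2302]: Accepted password for deploy from 198.51.100.20 port 40023 ssh2
Jul 14 03:20:11 web01 sshd[2410]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jul 14 03:20:12 web01 sshd[2411]: Failed password for root from 192.0.2.55 port 33002 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def analyze(log_text, threshold=5):
    """Return (compromised, guessing): password logins that succeeded after
    >= threshold failures from one source, and sources still guessing."""
    failures = defaultdict(int)
    compromised = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        else:
            if failures[src] >= threshold:  # success right after a guessing run
                compromised.append((src, user, failures[src]))
            failures[src] = 0  # a success ends this source's failure streak
    guessing = sorted(s for s, n in failures.items() if n >= threshold)
    return compromised, guessing

if __name__ == "__main__":
    hits, guessing = analyze(SAMPLE_LOG)
    for src, user, n in hits:
        print(f"ALERT {src}: password login as {user} after {n} failures")
    for src in guessing:
        print(f"WATCH {src}: sustained password guessing, no success yet")
```

A single mistyped password followed by a success (the `deploy` lines) stays below the threshold and is not flagged.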

Executing these brute-force attacks would have been a walk in the park, but doing so undetected for so long would require ingenious methods and high-end tools. According to Bitdefender's report, the threat group deploys many underhanded methods to maintain secrecy. Their primary technique for secrecy is well known to both malicious actors and the SecOps teams that hunt them: they compile Bash scripts with a shell script compiler (shc); the next stage uses Discord to send the information back.

Bringing Discord into the operation is not only beneficial for security evasion, but it also serves as an insuperable threat to Command and Control servers.

The investigation revealed that the Romanian group did not stop at traditional tools like zmap, masscan, and Discord; they used Diicot Brute as their password cracking tool. They also used a previously undocumented SSH brute-forcer written in Golang. This tool operates on a software-as-a-service model: each malicious actor embedded an API key in their script.

The endgame is cryptojacking, in this case of Monero. Mining Monero is slow and tedious, and is essentially a waste of time if done at a small scale. Using multiple systems would be more productive but expensive, proving to be a waste of resources at the end of the day. So these actors chose to use compromised devices to mine for them instead.
