Researchers Raise the Alarm on the Linux Cryptojacking Campaign

Romanian threat activity aimed at Monero mining uncovered by security researchers


Bitdefender security researchers have uncovered threat activity originating back to at least 2020. The Romanian threat actors' perceived objective is to infect Linux systems with Monero mining malware.

They have always been the Achilles heel of security-fortified systems.
They have always been the Achilles heel of security-fortified systems.
Key Facts
  1. 1

    SSH machines written in Golang have been reported as prime targets.

  2. 2

    The report has ascertained Dilicot brute as the password cracking software.

  3. 3

    It is believed that they have bags of underhanded tricks they use to maintain a low profile.


An acclaimed cybersecurity firm, Bitdefender, has released reports of a cryptojacking campaign investigation that went underway in the second quarter of the year 2021. It is quite disturbing that an activity bearing such a level of significance and threat has managed to slip under the radar of security operatives for so long. The Romanian threat group is believed to have begun operation from "at least '' 2020, as reported by the researchers. The indefinite phrase "at least" leaves surmises that this campaign could have been underway from an earlier date.

Bitdefender has attributed the two DDoS botnets, such as the Perl IRC bot and Chernobyl, to the cybercriminal gang. Their similarity is the XMRig mining payload downloaded in February 2021.

Bitdefender reported that the cryptojacking campaign was targeted at Linux servers and further detailed that they were targeting in-server machines with weak credentials. Though their goal is to inject Monero mining applications, they could also instrument other kinds of attacks.

Having a go at weak targets is common practice in any warfare or assault is common logic and is not strange considering past events, default access details, or weak credentials would prove no challenge for actors using brute-force tactics. They have always been the Achilles heel of security-fortified systems. This aspect would be split into three sections - reconnaissance, credential access, and initial access, each with an entirely different set of tools.

Executing these brute-force attacks would have been a walk, but doing it for so long undetected would require ingenious methods and high-end tools. In Bitdefender's report, the threat group has many underhanded methods they deploy to maintain secrecy. Their primary technique for secrecy is well-known amongst malicious actors and their purgers (SecOps). They compile Bash scripts with a shell script compiler (shc); the next stage uses Discord to send the information back.

Bringing Discord into the operation is not only beneficial for security evasion, but it also serves as an insuperable threat to Command and Control servers.

Investigation revealed that the Romanian group did not stop at traditional tools like zmap, masscan, Discord, they used Dilicot Brute as their password cracking tool. They also used a previously undocumented SSH brute-forcer written in Golang. This tool operates as a software-as-a-service model. Each malicious actor infused their script with an API key.

The endgame is cryptojacking, in this case: Monero. Mining Monero is so slow and tedious and is essentially a waste of time if done on a low scale. Using multiple systems would be more productive, but expensive proving to be a waste of resources at the end of the day. So these actors chose this path of using compromised devices to mine for them instead.

Get similar news in your inbox weekly, for free

Share this news:

Latest stories

How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

A Review of Zoho ManageEngine

Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

Should I learn Java in 2023? A Practical Guide

Java is one of the most widely used programming languages in the world. It has …

The fastest way to ramp up on DevOps

You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

Why You Need a Blockchain Node Provider

In this article, we briefly cover the concept of blockchain nodes provider and explain why …

Top 5 Virtual desktop Provides in 2022

Here are the top 5 virtual desktop providers who offer a range of benefits such …