Threat group is running active cryptojacking campaign
Bitdefender security researchers have discovered a threat group, likely based in Romania, that has been active since at least 2020. The group targets Linux machines with weak SSH credentials, mainly to deploy Monero-mining malware, although its toolkit supports other kinds of attacks as well.
Their tradecraft includes obfuscating Bash scripts by compiling them with the shell script compiler (shc) and reporting results back over Discord. Alongside conventional scanners such as masscan and zmap, the toolkit includes a previously unreported SSH brute-forcer written in Go. The tool appears to be offered on an as-a-service model: it talks to a centralized API server, and each operator supplies their own API key in their scripts. Like most other tools in the kit, the brute-forcer's interface is a mix of Romanian and English, which leads the researchers to believe that its author is part of the same Romanian group.
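The entry point described above is password guessing against SSH, so the defender-side check a practitioner wants is a detection for that pattern in sshd logs: a burst of failed logins from one source, often across several usernames, followed by a password-based success from the same source. The script below is an added example written for this page, not code from Bitdefender or from the campaign's tooling. The log lines are constructed for the demonstration (RFC 5737 documentation addresses), the window and threshold are assumed tuning values, and the line format is the common syslog-style sshd output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the campaign): a burst of failed
# logins from one host, across several usernames, followed by a password success,
# plus benign noise from a second host that should not trigger an alert.
SAMPLE_AUTH_LOG = """\
Jul 10 09:15:01 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 10 09:15:02 web1 sshd[2313]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 10 09:15:02 web1 sshd[2315]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Jul 10 09:15:03 web1 sshd[2317]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
Jul 10 09:15:04 web1 sshd[2319]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Jul 10 09:15:05 web1 sshd[2321]: Failed password for ubuntu from 203.0.113.7 port 51032 ssh2
Jul 10 09:15:09 web1 sshd[2325]: Accepted password for ubuntu from 203.0.113.7 port 51040 ssh2
Jul 10 09:20:00 web1 sshd[2400]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jul 10 09:20:30 web1 sshd[2402]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the common syslog-style sshd auth lines for password/publickey attempts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2021):
    """Parse one sshd line into a dict, or return None for lines we do not handle.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2021 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag source IPs with >= threshold failed logins inside any sliding window.

    For each flagged IP the alert records the largest burst, the usernames tried in
    it, and any password-based successes that occurred within `window` after a
    failure from the same IP (the likely compromised account). Window and threshold
    are assumed tuning values, not figures from the report.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]

        # Sliding window over the sorted failures to find the densest burst.
        max_burst, burst_users, j = 0, set(), 0
        for i in range(len(failures)):
            while failures[i]["ts"] - failures[j]["ts"] > window:
                j += 1
            if i - j + 1 > max_burst:
                max_burst = i - j + 1
                burst_users = {f["user"] for f in failures[j:i + 1]}
        if max_burst < threshold:
            continue

        # A password login shortly after the burst is the "credential guessed" signal;
        # publickey logins are ignored because guessing does not produce them.
        compromised = [
            e["user"] for e in evs
            if e["result"] == "Accepted" and e["method"] == "password"
            and any(timedelta(0) <= e["ts"] - f["ts"] <= window for f in failures)
        ]
        alerts[ip] = {"failures": max_burst,
                      "usernames": sorted(burst_users),
                      "password_logins_after_burst": compromised}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

Run against a real /var/log/auth.log (or `journalctl -u ssh` output) the same function works unchanged; the point of keying the alert on a password success after the burst is that it separates noisy scanners, which every Internet-facing host sees, from the case that matters here, a guessed credential that will be followed by a miner drop.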