A massive attack targets ISPs in China and the U.S. West Coast to deploy info stealers and crypto miners on compromised systems.
The Splunk Threat Research Team discovered a mass exploitation campaign, originating from Eastern Europe, that targets ISPs in China and on the U.S. West Coast to deploy info stealers and crypto miners. The threat actors brute-force weak credentials to gain access to target systems, then deploy cryptocurrency miners and crimeware with data exfiltration, persistence, self-termination, and pivoting capabilities. The malware also disables remote access to entrench itself further.
“The Splunk Threat Research Team observed actors performing minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised. This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and PowerShell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for C2 operations,” reads the report published by Splunk. “The IP CIDR ranges observed indicate specific targeting of ISP infrastructure, likely with the purpose of performing cryptomining operations (XMR).”
Once attackers gain access, they use PowerShell to drop binaries in a folder named “Migration” and use tools like masscan.exe for network scanning. Before execution, they disable security features and terminate services that detect cryptominers.
Payloads observed by the experts include info stealers, crypto miners, and SSH-based C2 connections. The folder also contains text files listing over 4,000 target IPs and passwords, focusing on ISPs in China and the U.S. West Coast.
“Upon decoding the PowerShell scripts, as seen in the code block below, the threat actor is attempting to prepare the compromised system for further payload execution. This preparation involves disabling security product features and terminating or stopping services associated with cryptominer detection,” continues the report. “Additionally, numerous PowerShell script executions via the WINRM service exhibit behavior identical to one of the executables we discovered, the x64.exe.”
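As an added defender-side example (not part of the article or the Splunk report), the Python below turns the behaviours described above into simple hunt rules over constructed process-creation events: PowerShell spawned by the WinRM host process, binaries staged under a folder named “Migration”, masscan.exe execution, and command lines that stop services or disable security features. The WinRM parent process name, the event field names and the sample events are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# wsmprovhost.exe hosts remote PowerShell sessions created through WinRM;
# this is general Windows knowledge, not a name taken from the article.
WINRM_HOST = "wsmprovhost.exe"
# Command fragments that stop services or switch off security features.
DEFENSE_TAMPERING = re.compile(
    r"Stop-Service|\bsc(\.exe)?\s+stop\b|Set-MpPreference\s+-Disable|\btaskkill\b",
    re.IGNORECASE)

def classify(event: dict) -> list:
    """Return the names of every hunt rule this process-creation event matches."""
    image = PureWindowsPath(event.get("Image", ""))
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    hits = []
    if image.name.lower() == "powershell.exe" and parent == WINRM_HOST:
        hits.append("powershell_via_winrm")          # remote execution over WinRM
    if "migration" in (part.lower() for part in image.parts):
        hits.append("binary_in_migration_folder")    # staging folder from the report
    if image.name.lower() == "masscan.exe":
        hits.append("masscan_execution")             # internal scanning tool
    if DEFENSE_TAMPERING.search(event.get("CommandLine", "")):
        hits.append("service_or_defense_tampering")  # preparing the host
    return hits

def hunt(events):
    """Return {event index: matched rules} for every event that trips a rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}

# Constructed Sysmon-style (Event ID 1) sample telemetry; nothing here comes from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "powershell.exe -NoProfile -NonInteractive -Command Get-Process"},
    {"Image": r"C:\Users\Public\Migration\masscan.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "masscan.exe -iL targets.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Stop-Service -Name ExampleAvService -Force"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(hits)}")
```

Each rule on its own is noisy (administrators also use WinRM and stop services); the value is in correlating several of them on one host within a short window.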
The malware can take screenshots of the compromised host and capture cryptocurrency wallet addresses from the clipboard. Then the malicious code sends the captured data to its C2 server, which operates via a Telegram bot.
“The actions observed by this actor during the entrenchment and subsequent operations within the targeted hosts appear to rely on scripting languages (e.g., Python-compiled executables, PowerShell commands), reducing the footprint of these operations to the minimum, disabling defense mechanisms, blocking remote access and avoiding detection by using Telegram API calls to the C2,” concludes the report. “These actions could be described as ‘just enough’ to successfully operate on victims and obtain as much processing power as possible.”