
Internet service providers (ISPs) on the U.S. West Coast and in China have been targeted by mass exploitation campaigns that deploy information stealers and cryptocurrency miners on compromised hosts.
The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration and provide a way to establish persistence on the systems.
The Cisco-owned company said in a technical report released last week:

“The actor also moves and pivots using tools that rely primarily on scripting languages (such as Python and PowerShell) to run [command-and-control] operations.”
The attacks have been observed to rely on brute-force attacks that exploit weak credentials. These intrusion attempts originate from IP addresses associated with Eastern Europe. More than 4,000 IP addresses belonging to ISP providers are said to have been specifically targeted.
Upon gaining initial access to the target environment, the attacks were found to drop multiple executables via PowerShell to carry out network scanning, information theft, and XMRig cryptocurrency mining by abusing the victim’s computational resources.
Running the payload is preceded by a preparatory stage that involves disabling security product features and terminating services associated with cryptominer detection.

In addition to the ability to capture screenshots, the stealer malware offers functionality similar to clipper malware, designed to steal clipboard content by searching for cryptocurrency wallet addresses such as Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), TRON (TRX), and more.
The collected information is then exfiltrated to a Telegram bot. Also dropped on the infected machine is a binary that launches additional payloads –

Auto.exe is designed to download a password list (pass.txt) and a list of IP addresses (ip.txt) from a C2 server in order to perform brute-force attacks.
“The actor targeted specific CIDRs of ISP infrastructure providers on the U.S. West Coast and in China,” Splunk said.
“These IPs were targeted using the Masscan tool, which allows operators to scan large numbers of IP addresses that can then be probed for open ports and subjected to credential attacks.”
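The clipper behaviour described above (the clipboard silently swapped from one wallet address to another of the same chain) can be checked for on the defender's side. The following is an added example, not code from the article or from Splunk's report; the address patterns are approximations of each chain's public address syntax, and all addresses and clipboard events are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Approximate address syntax for the chains named in the report
# (format matchers only, not checksum validators).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "trx": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
}


def classify_wallet(text: str) -> Optional[str]:
    """Return the chain whose address syntax `text` matches, or None."""
    text = text.strip()
    for chain, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def clipboard_swapped(copied: str, observed: str) -> bool:
    """True when the clipboard held one wallet address and now holds a
    different address of the same chain: the signature of a clipper swap."""
    before, after = classify_wallet(copied), classify_wallet(observed)
    return before is not None and before == after and copied.strip() != observed.strip()


def audit_clipboard_history(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """events: (tag, content) pairs, tag 'copy' = the user set the clipboard,
    'read' = the clipboard was observed afterwards. Returns suspicious pairs."""
    alerts, last_copy = [], None
    for tag, content in events:
        if tag == "copy":
            last_copy = content
        elif tag == "read" and last_copy is not None and clipboard_swapped(last_copy, content):
            alerts.append((last_copy, content))
    return alerts


# Constructed sample addresses and clipboard timeline (hypothetical values).
BTC_COPIED = "1Abc2Def3Ghj4Kmn5Pqr6Stu7Vwx8Yz9AB"
BTC_SWAPPED = "3Xyz9Wvu8Tsr7Qpn6Mkj5Hgf4Dcb3Azy2Z"
SAMPLE_EVENTS = [
    ("copy", BTC_COPIED),
    ("read", BTC_COPIED),            # unchanged: benign
    ("read", BTC_SWAPPED),           # silently replaced by another BTC address
    ("copy", "some ordinary text"),
    ("read", "0x" + "deadbeef" * 5), # no address was copied, so not a swap
]
```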