Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts.
The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems.
The unidentified threat actors performed “minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised,” the Cisco-owned company said in a technical report published last week.
“This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and Powershell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for C2 [command-and-control] operations.”
The attacks have been observed leveraging brute-force attacks exploiting weak credentials. These intrusion attempts originate from IP addresses associated with Eastern Europe. Over 4,000 IP addresses of ISP providers are said to have been specifically targeted.
Upon obtaining initial access to target environments, the attacks have been found to drop several executables via PowerShell to conduct network scanning, information theft, and XMRig cryptocurrency mining by abusing the victim’s computational resources.
Prior to the payload execution is a preparatory phase that involves turning off security product features and terminating services associated with cryptominer detection.
The stealer malware, besides featuring the ability to capture screenshots, serves akin to a clipper malware that’s designed to steal clipboard content by searching for wallet addresses for cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX).
The gathered information is subsequently exfiltrated to a Telegram bot. Also dropped to the infected machine is a binary that, in turn, launches additional payloads –
- Auto.exe, which is designed to download a password list (pass.txt) and list of IP addresses (ip.txt) from its C2 server for carrying out brute-force attacks
- Masscan.exe, a multi masscan tool
“The actor targeted specific CIDRs of ISP infrastructure providers located on the West Coast of the United States and in the country of China,” Splunk said.
“These IPs were targeted by using a masscan tool which allows operators to scan large numbers of IP addresses which can subsequently be probed for open ports and credential brute-force attacks.”
