Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers

Avatar
Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts. The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer
[[{“value”:”

Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts.

The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems.

The unidentified threat actors performed “minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised,” the Cisco-owned company said in a technical report published last week.

“This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and Powershell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for C2 [command-and-control] operations.”

The attacks have been observed leveraging brute-force attacks exploiting weak credentials. These intrusion attempts originate from IP addresses associated with Eastern Europe. Over 4,000 IP addresses of ISP providers are said to have been specifically targeted.

Upon obtaining initial access to target environments, the attacks have been found to drop several executables via PowerShell to conduct network scanning, information theft, and XMRig cryptocurrency mining by abusing the victim’s computational resources.

Prior to the payload execution is a preparatory phase that involves turning off security product features and terminating services associated with cryptominer detection.

The stealer malware, besides featuring the ability to capture screenshots, serves akin to a clipper malware that’s designed to steal clipboard content by searching for wallet addresses for cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX).

The gathered information is subsequently exfiltrated to a Telegram bot. Also dropped to the infected machine is a binary that, in turn, launches additional payloads –

Auto.exe, which is designed to download a password list (pass.txt) and list of IP addresses (ip.txt) from its C2 server for carrying out brute-force attacks
Masscan.exe, a multi masscan tool

“The actor targeted specific CIDRs of ISP infrastructure providers located on the West Coast of the United States and in the country of China,” Splunk said.

“These IPs were targeted by using a masscan tool which allows operators to scan large numbers of IP addresses which can subsequently be probed for open ports and credential brute-force attacks.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

Next Post

Suspected Iranian Hackers Used Compromised Indian Firm’s Email to Target U.A.E. Aviation Sector

Related Posts

Webinar: Learn How to Stop Encrypted Attacks Before They Cost You Millions

Ransomware isn’t slowing down—it’s getting smarter. Encryption, designed to keep our online lives secure, is now being weaponized by cybercriminals to hide malware, steal data, and avoid detection.The result? A 10.3% surge in encrypted attacks over the past year and some of the most shocking ransom payouts in history, including a $75 million ransom in 2024. Are you prepared to fight back? Join
Avatar
Read More