Internet service providers (ISPs) in China and on the West Coast of the United States have been the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts.
The findings come from the Splunk Threat Research Team, which states that the activity also led to the delivery of various binaries that facilitate data exfiltration, as well as ways to establish persistence on the systems.
The unknown threat actors conducted “minimally intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised”, the Cisco-owned company noted in a technical report published last week.
“This actor also moves and pivots primarily by using tools that depend and run on scripting languages (such as Python and PowerShell), allowing the actor to perform under restricted environments and use API calls (such as Telegram) for C2 (command and control) operations.”
The attacks were observed using brute-force attacks that exploit weak credentials. These intrusion attempts originate from IP addresses associated with Eastern Europe. More than 4,000 ISP IP addresses are said to have been specifically targeted.
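A defender-side illustration of spotting the credential brute-force stage described above, added here as an example and not code from the Splunk report: a sliding-window detector run over constructed sshd log lines (the source IPs, usernames and the 2025 log year are assumed sample values) that flags any source with a burst of failed logins and notes whether a successful login follows, which is the pattern to expect when a weak password is eventually guessed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not from the report); 203.0.113.7 is a
# documentation-range address standing in for an attacking host.
SAMPLE_LOG = """\
Feb 10 03:00:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 51002 ssh2
Feb 10 03:00:02 gw sshd[1202]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Feb 10 03:00:02 gw sshd[1203]: Failed password for root from 203.0.113.7 port 51004 ssh2
Feb 10 03:00:03 gw sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51005 ssh2
Feb 10 03:00:04 gw sshd[1205]: Failed password for root from 203.0.113.7 port 51006 ssh2
Feb 10 03:00:09 gw sshd[1206]: Accepted password for root from 203.0.113.7 port 51007 ssh2
Feb 10 03:05:00 gw sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Feb 10 03:20:00 gw sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line, year=2025):
    """Parse one sshd line into (timestamp, result, user, ip); None if not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: {"failures", "users", "success_after"}} for every source IP that
    produced >= threshold failed logins within a window_s-second sliding window.
    success_after marks a later accepted login from the same source."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> usernames attempted
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if not parsed:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            tried[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": [], "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"] = sorted(tried[ip])
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts
```

In practice the same logic applies to any authentication source the ISP hosts expose; a source that trips the threshold and then authenticates successfully is the one to isolate first.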
After obtaining initial access, the attackers were found to drop several executables via PowerShell to conduct network scanning, steal information, and mine cryptocurrency with XMRig, abusing the victims' computing resources.
Before the payload is executed, there is a preparatory stage that disables security products and stops services related to cryptominer detection.
The stealer malware, in addition to being able to capture screenshots, acts as clipper malware: it is designed to steal the contents of the clipboard by looking for wallet addresses for cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC) and TRON (TRX).
The collected information is subsequently exfiltrated to a Telegram bot. Also dropped on the infected machine is a binary that in turn launches additional payloads:
- Auto.exe, which is designed to download a password list (Pass.txt) and an IP address list
- Masscan.exe, a mass-scanning tool
“The actor is targeting specific CIDRs of ISP infrastructure providers located on the West Coast of the United States and China,” the report said.
“These IPs were targeted using the Masscan tool, which allows the operators to scan large numbers of IP addresses that can subsequently be probed for open ports and credential attacks.”