A mass exploitation campaign has targeted over 4,000 ISP IP addresses, primarily located in China and the US West Coast, to deploy information stealers and cryptocurrency miners. The attackers leveraged brute-force methods, exploiting weak credentials to gain access to the compromised systems. This intrusion allowed them to execute a series of payloads that carried out network scanning, information theft, and cryptocurrency mining using the victim’s resources. The malicious actions were carried out with minimal intrusion to avoid detection, with compromised accounts used to minimize the footprint of their operations.
Once the attackers gained access, they used PowerShell scripts to drop executables onto the infected systems.
These tools facilitated further actions such as data exfiltration and the execution of XMRig cryptocurrency mining software. The malware also targeted specific infrastructure related to ISPs and used a masscan tool to scan large IP ranges for open ports, enabling the brute-forcing of credentials. The attackers also deployed binaries that helped in establishing persistence on the systems, ensuring that they remained within the networks for extended periods.
One of the key features of the malware was its ability to function as a stealer, capturing screenshots and searching for cryptocurrency wallet addresses in the clipboard.
It specifically looked for wallet addresses associated with popular cryptocurrencies like Bitcoin, Ethereum, and Litecoin. This information was then exfiltrated to a Telegram bot, further complicating detection efforts. The attackers also employed techniques like disabling security product features and terminating any services associated with cryptominer detection to ensure the mining software could run undetected.
The attackers used Python and PowerShell to execute their operations, which allowed them to perform actions in restricted environments and use APIs like Telegram for command-and-control (C2) communication. This reliance on scripting languages helped them bypass traditional security measures and operate covertly within the targeted environments. Overall, the campaign demonstrated a sophisticated use of available tools and techniques, with a focus on maintaining stealth and persistence while conducting cryptocurrency mining and data exfiltration operations.
