A recent report by the Splunk Threat Research Team has uncovered a mass exploitation campaign targeting Internet service providers (ISPs) in China and the West Coast of the United States. The campaign involves deploying information stealers and cryptocurrency miners on compromised hosts, along with delivering various binaries for data exfiltration and establishing persistence on the systems.
According to the report, the threat actors behind these attacks have kept their operations minimally intrusive to avoid detection, relying primarily on tools written in scripting languages such as Python and PowerShell. This approach lets them operate in restricted environments and use ordinary API calls for command-and-control, for example through the Telegram API.
The attacks have been observed to rely on brute-force attempts against weak credentials, with the intrusion attempts originating from IP addresses associated with Eastern Europe. Specifically, over 4,000 IP addresses belonging to ISPs have been targeted in these attacks.
Once the threat actors gain initial access to target environments, they drop several executables via PowerShell to conduct network scanning, information theft, and cryptocurrency mining using XMRig by abusing the victim’s computational resources. Before executing the payloads, they disable security features and terminate services associated with cryptominer detection as a preparatory phase.
The information stealer malware employed in these attacks is capable of capturing screenshots and also acts as a clipper: it monitors clipboard content and targets wallet addresses for cryptocurrencies including Bitcoin, Ethereum, Binance Chain BEP2, Litecoin, and TRON. The stolen information is then exfiltrated to a Telegram bot. Additionally, a binary dropped on the infected machine launches further payloads, including Auto.exe, which downloads password and IP address lists for brute-force attacks, and Masscan.exe, a multi-masscan tool.
The threat actors specifically targeted ISP infrastructure providers in the US and China, using masscan tools to scan large numbers of IP addresses for open ports and credential brute-force attacks. This targeted approach indicates a strategic focus on compromising specific CIDRs within these regions.
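The intrusion chain summarized above (a scripting host dropping scanning and mining binaries, then exfiltration over the Telegram API) lends itself to a simple correlation check over endpoint telemetry. The following Python snippet is an added example, not code from the Splunk report; the telemetry format, the file name `xmrig.exe` for the miner, and the lists of script hosts and browsers are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report): one event per line,
# "host kind key=value ...", where kind is "proc" (process creation) or "net".
SAMPLE_EVENTS = [
    "host1 proc parent=powershell.exe child=Masscan.exe",
    "host1 proc parent=powershell.exe child=Auto.exe",
    "host1 net  process=Auto.exe dest=api.telegram.org:443",
    "host2 proc parent=explorer.exe child=chrome.exe",
    "host2 net  process=chrome.exe dest=api.telegram.org:443",
    "host3 proc parent=powershell.exe child=xmrig.exe",
]

# Binaries the report names as dropped via PowerShell; xmrig.exe is the
# assumed file name of the XMRig miner. All comparisons are case-insensitive.
DROPPED_TOOLS = {"auto.exe", "masscan.exe", "xmrig.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "python.exe"}  # assumed
EXFIL_HOSTS = {"api.telegram.org"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed benign callers

EVENT_RE = re.compile(r"^(?P<host>\S+)\s+(?P<kind>proc|net)\s+(?P<kv>.*)$")


def parse_event(line):
    """Parse one telemetry line into (host, kind, fields); None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return m.group("host"), m.group("kind"), fields


def score_hosts(lines):
    """Return {host: [findings]} for hosts showing pieces of the reported chain."""
    findings = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        host, kind, f = parsed
        if kind == "proc":
            parent, child = f.get("parent", "").lower(), f.get("child", "").lower()
            if parent in SCRIPT_HOSTS and child in DROPPED_TOOLS:
                findings[host].append(f"script host {parent} spawned {child}")
        elif kind == "net":
            proc = f.get("process", "").lower()
            dest = f.get("dest", "").split(":")[0].lower()
            if dest in EXFIL_HOSTS and proc not in BROWSERS:
                findings[host].append(f"non-browser {proc} contacted {dest}")
    return dict(findings)
```

In real deployments the same two conditions map onto process-creation and network-connection events from EDR or Sysmon; the browser allowlist keeps legitimate Telegram web use out of the alert.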
Overall, this campaign highlights the evolving tactics used by threat actors to target critical infrastructure providers and underscores the importance of robust cybersecurity measures to defend against such attacks. It is crucial for organizations, especially ISPs, to prioritize security protocols and continually monitor their networks for any signs of unauthorized access or malicious activity.