Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers
Briefly

The Splunk Threat Research Team has reported a mass exploitation campaign targeting Internet service providers (ISPs) in China and on the U.S. West Coast, deploying information-stealing malware and cryptocurrency miners on compromised systems. The attacks are characterized by stealthy operations: they use scripting languages such as Python and PowerShell, rely on brute-force methods, and use over 4,000 compromised IP addresses, primarily from Eastern Europe. The attackers aim to capture sensitive information and to exploit the target systems for cryptomining, while disabling security mechanisms to maintain persistence in the environment.
The actor also moves and pivots primarily with tools that depend on, and run under, scripting languages, which lets it operate in restricted environments and use API calls for C2 operations.
The attacks drop several executables via PowerShell to conduct network scanning, steal information, and mine cryptocurrency with XMRig, abusing the victim's computational resources.
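The campaign's most visible early signal is brute-force authentication traffic arriving from a large, distributed pool of source addresses. The following is an added detection example, written for this summary and not code from Splunk, The Hacker News, or the actor's toolkit. It parses constructed OpenSSH `auth.log` lines (sample data, not from the campaign) and flags two patterns: a host receiving password failures from many distinct sources, and a source that succeeds only after repeated failures on the same host. The thresholds (`min_sources`, `min_failures`) are assumed values for illustration and should be tuned per environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in OpenSSH auth.log format (illustrative, not real data).
# edge01 is hit from eight different sources; edge02 sees two typos from one user.
SAMPLE_LOG = """\
Mar  4 02:11:01 edge01 sshd[2211]: Failed password for root from 203.0.113.1 port 51112 ssh2
Mar  4 02:11:02 edge01 sshd[2212]: Failed password for root from 203.0.113.2 port 51113 ssh2
Mar  4 02:11:02 edge01 sshd[2213]: Failed password for root from 203.0.113.3 port 51114 ssh2
Mar  4 02:11:03 edge01 sshd[2214]: Failed password for invalid user admin from 203.0.113.4 port 40122 ssh2
Mar  4 02:11:03 edge01 sshd[2215]: Failed password for invalid user admin from 203.0.113.3 port 40123 ssh2
Mar  4 02:11:04 edge01 sshd[2216]: Failed password for root from 203.0.113.5 port 51115 ssh2
Mar  4 02:11:04 edge01 sshd[2217]: Failed password for root from 203.0.113.6 port 51116 ssh2
Mar  4 02:11:05 edge01 sshd[2218]: Failed password for root from 203.0.113.3 port 51117 ssh2
Mar  4 02:11:05 edge01 sshd[2219]: Failed password for root from 203.0.113.7 port 51118 ssh2
Mar  4 02:11:06 edge01 sshd[2220]: Failed password for root from 203.0.113.8 port 51119 ssh2
Mar  4 02:11:06 edge01 sshd[2221]: Failed password for invalid user admin from 203.0.113.1 port 40124 ssh2
Mar  4 02:11:07 edge01 sshd[2222]: Failed password for root from 203.0.113.2 port 51120 ssh2
Mar  4 02:11:08 edge01 sshd[2223]: Accepted password for root from 203.0.113.3 port 51121 ssh2
Mar  4 02:15:40 edge02 sshd[3101]: Failed password for alice from 198.51.100.7 port 60010 ssh2
Mar  4 02:15:44 edge02 sshd[3102]: Failed password for alice from 198.51.100.7 port 60011 ssh2
Mar  4 02:15:49 edge02 sshd[3103]: Accepted password for alice from 198.51.100.7 port 60012 ssh2
"""

# Matches the standard sshd password outcome lines, including the
# "invalid user" variant emitted for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    outcome: str  # "Failed" or "Accepted"
    user: str
    src: str


def parse(text: str) -> list[AuthEvent]:
    """Parse auth.log text into events; lines that are not password outcomes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(**m.groupdict()))
    return events


def detect_distributed_bruteforce(events, min_sources=5, min_failures=10):
    """Flag hosts whose password failures come from many distinct source IPs.

    A single noisy source is usually a misconfigured client; many sources
    against one host is the signature of a distributed brute-force pool.
    Returns {host: {"distinct_sources", "failures", "users"}} for flagged hosts.
    """
    per_host = defaultdict(lambda: {"sources": set(), "failures": 0, "users": set()})
    for e in events:
        if e.outcome == "Failed":
            stats = per_host[e.host]
            stats["sources"].add(e.src)
            stats["failures"] += 1
            stats["users"].add(e.user)
    return {
        host: {
            "distinct_sources": len(s["sources"]),
            "failures": s["failures"],
            "users": sorted(s["users"]),
        }
        for host, s in per_host.items()
        if len(s["sources"]) >= min_sources and s["failures"] >= min_failures
    }


def detect_success_after_failures(events, min_failures=3):
    """Flag a source that is accepted on a host only after repeated failures there.

    This is the moment a brute-force attempt becomes a compromise and is the
    event worth paging on. Returns [(host, src, user, prior_failures), ...].
    """
    failures = defaultdict(int)  # (host, src) -> failed attempts seen so far
    hits = []
    for e in events:
        key = (e.host, e.src)
        if e.outcome == "Failed":
            failures[key] += 1
        elif e.outcome == "Accepted" and failures[key] >= min_failures:
            hits.append((e.host, e.src, e.user, failures[key]))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("distributed brute force:", detect_distributed_bruteforce(evs))
    print("success after failures:", detect_success_after_failures(evs))
```

On the sample, `edge01` is flagged (8 sources, 12 failures across `root` and `admin`) while `edge02` is not, and the `Accepted` for `root` from `203.0.113.3` is reported with its three prior failures. In production the per-host aggregation should be bounded by a time window and the source-count threshold set against the host's normal client population; a public-facing ISP management host legitimately sees many sources, so the ratio of failures to distinct sources is often a better discriminator than either number alone.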
Read at The Hacker News