
Infostealers, cryptominers deployed in massive ISP exploitation campaign


U.S. West Coast- and China-based internet service providers had more than 4,000 of their IP addresses subjected to an extensive brute-force attack campaign spreading information-stealing malware and cryptocurrency mining payloads, The Hacker News reports.

After achieving initial compromise through the abuse of weak credentials, attackers leveraging Eastern Europe-linked IP addresses performed network scanning and deactivated threat detection systems before proceeding with infostealer and XMRig cryptominer deployment, an investigation from the Splunk Threat Research Team revealed.

The infostealer not only captured screenshots but also compromised clipboard-stored Bitcoin, Binance Chain BEP2, Ethereum, Litecoin, and TRON wallet addresses, which were then sent to a Telegram bot.

Additional findings showed that impacted devices were injected with a binary that facilitated execution of the Auto.exe file for brute-force intrusions and of the Masscan.exe mass-scanning tool.

"This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and Powershell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for [command-and-control] operations," said researchers.
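As an added example, not code from the SC Media article or from the Splunk research it reports on, the Python below correlates constructed sample telemetry for the chain described above: repeated failed logons from one source followed by a success, then a scripting-language process on that host reaching the Telegram API. The hostnames, IP addresses, timestamps, interpreter names and the failure threshold are constructed or assumed values for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Splunk report): six failed logons from one
# source, then a success, then python.exe on the same host talking to Telegram.
EVENTS = [
    {"ts": f"2025-03-01T10:00:{s:02d}", "type": "auth", "host": "gw-01",
     "src": "203.0.113.7", "ok": False}
    for s in range(0, 30, 5)
] + [
    {"ts": "2025-03-01T10:00:40", "type": "auth", "host": "gw-01", "src": "203.0.113.7", "ok": True},
    {"ts": "2025-03-01T10:05:00", "type": "netconn", "host": "gw-01", "proc": "python.exe",
     "dst": "api.telegram.org"},
    # Benign noise: a browser on a host with no brute-force history also reaches Telegram.
    {"ts": "2025-03-01T09:00:00", "type": "netconn", "host": "gw-02", "proc": "chrome.exe",
     "dst": "api.telegram.org"},
]

SCRIPT_INTERPRETERS = {"python.exe", "python3", "powershell.exe", "pwsh.exe"}  # assumed list
MESSAGING_APIS = {"api.telegram.org"}

def find_bruteforce_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Map (host, src) -> time of the first successful logon that followed at least
    min_failures failed logons from the same source within `window`."""
    failures = defaultdict(list)
    hits = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        if e["type"] != "auth":
            continue
        key, t = (e["host"], e["src"]), datetime.fromisoformat(e["ts"])
        if not e["ok"]:
            failures[key].append(t)
        elif sum(1 for f in failures[key] if t - f <= window) >= min_failures:
            hits.setdefault(key, t)
    return hits

def find_script_c2(events, compromised):
    """Flag scripting-language processes on hosts in `compromised` ({host: since})
    that connect to a messaging API after the suspicious logon."""
    return [(e["host"], e["proc"], e["dst"]) for e in events
            if e["type"] == "netconn" and e["host"] in compromised
            and datetime.fromisoformat(e["ts"]) >= compromised[e["host"]]
            and e["proc"].lower() in SCRIPT_INTERPRETERS and e["dst"] in MESSAGING_APIS]

def correlate(events):
    """Run both rules; the C2 rule is scoped to hosts the brute-force rule flagged."""
    bf = find_bruteforce_success(events)
    compromised = {host: ts for (host, _src), ts in bf.items()}
    return {"bruteforce": bf, "c2": find_script_c2(events, compromised)}
```

Scoping the Telegram-API rule to hosts that already show a brute-force-then-success pattern keeps ordinary messenger traffic from producing alerts on their own.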
