The findings, reported by the Splunk Threat Research Team, reveal that the malicious activity has led to the delivery of various binaries. These binaries facilitate data exfiltration and establish persistence on the compromised systems.
The unidentified threat actors have performed “minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised,” according to a technical report published by Cisco-owned Splunk.
These threat actors primarily use tools built on scripting languages such as Python and PowerShell, which lets them operate in restricted environments. They also use APIs such as Telegram's for command-and-control (C2) operations.
The attacks rely on brute-forcing weak credentials. The intrusion attempts originate from IP addresses associated with Eastern Europe and have targeted over 4,000 IP addresses belonging to ISPs.
Upon gaining initial access to the target environments, the attackers drop several executables via PowerShell. These executables conduct network scanning, information theft, and XMRig cryptocurrency mining by abusing the victim's computational resources.
Prior to the payload execution, there is a preparatory phase that involves turning off security product features and terminating services associated with cryptominer detection.
The stealer malware can capture screenshots and functions as a clipper malware, designed to steal clipboard content by searching for wallet addresses of various cryptocurrencies, including Bitcoin (BTC), Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX).
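A defender-side way to spot the clipper behaviour described above is to watch for a wallet address in the clipboard being replaced, almost immediately, by a different address of the same cryptocurrency, something a user copying by hand rarely does within a fraction of a second. The following Python is an added example and not code from the Splunk report; the wallet-address patterns are the standard public address formats for the coins the article names, the polling snapshots are constructed here rather than captured from a real machine, and the one-second window is an assumed tuning value.

```python
import re

# Public address formats for the coins named in the report. Litecoin P2SH
# addresses that begin with "3" share the Bitcoin pattern and are reported
# as BTC here; the comparison below only needs "same coin on both sides".
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BEP2": re.compile(r"^bnb1[a-z0-9]{38}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "TRX": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
}


def classify(text):
    """Return the coin label for a wallet-looking string, or None."""
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_clipper_swaps(snapshots, window_seconds=1.0):
    """Flag clipboard transitions that look like a clipper at work.

    snapshots: list of (timestamp_seconds, clipboard_text) taken by a poller,
    oldest first. A hit is a wallet address replaced by a *different* address
    of the *same* coin within window_seconds (assumed tuning value).
    """
    hits = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        if prev == cur:
            continue
        coin = classify(prev)
        if coin is None or classify(cur) != coin:
            continue
        if t_cur - t_prev <= window_seconds:
            hits.append({
                "at": t_cur,
                "coin": coin,
                "original": prev,
                "replacement": cur,
            })
    return hits


# Constructed clipboard history (invalid-checksum test addresses, not real
# wallets): one ETH swap 0.2 s after the copy, then benign activity.
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
BTC_A = "bc1q" + "z" * 38
BTC_B = "bc1q" + "y" * 38
SAMPLE_SNAPSHOTS = [
    (0.0, ETH_A),        # user copies an address
    (0.2, ETH_B),        # silently replaced by a different ETH address
    (5.0, "hello"),      # ordinary text
    (10.0, BTC_A),       # user copies a BTC address
    (20.0, BTC_B),       # another BTC address 10 s later: plausibly manual
]

if __name__ == "__main__":
    for hit in detect_clipper_swaps(SAMPLE_SNAPSHOTS):
        print(f"suspected clipper swap at t={hit['at']}s ({hit['coin']}): "
              f"{hit['original']} -> {hit['replacement']}")
```

On a live host the snapshot list would be fed by a clipboard poller; the same-coin and short-interval conditions are what keep a user who genuinely copies two addresses in a row from triggering an alert.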
The gathered information is then exfiltrated to a Telegram bot. Additionally, a binary is dropped onto the infected machine, which launches additional payloads, including:
- Auto.exe: Designed to download a password list (pass.txt) and a list of IP addresses (ip.txt) from its C2 server for carrying out brute-force attacks.
- Masscan.exe: A masscan-based scanner used to sweep large numbers of IP addresses.
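The credential brute-forcing that Auto.exe drives, and that the earlier paragraph describes against ISP address space, leaves a characteristic trail in authentication logs: many failures from one source in a short window, often across several usernames. The Python below is an added example, not code from Splunk or from the report, showing a sliding-window detection over constructed sshd-style log lines (documentation IP ranges; the threshold and window are assumed tuning values).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd-style failure line; the host, pid and port fields are not used.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines):
    """Extract (timestamp, source_ip, username) from failed-login lines."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")),
                           m.group("ip"), m.group("user")))
    return events


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: summary} for sources that reach `threshold`
    failed logins inside any `window_seconds` span (assumed tuning values).
    The summary reflects the window as of the most recent qualifying event."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) in window
    alerts = {}
    for ts, ip, user in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = {
                "window_start": q[0][0].isoformat(),
                "failures": len(q),
                "users": sorted({u for _, u in q}),
            }
    return alerts


# Constructed log sample: one fast multi-user burst, one benign user, and a
# slow trickle that stays under the threshold once the window slides.
SAMPLE_LOG = [
    "2025-03-01T10:00:00 gw1 sshd[1001]: Failed password for root from 203.0.113.5 port 50001 ssh2",
    "2025-03-01T10:00:03 gw1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2",
    "2025-03-01T10:00:07 gw1 sshd[1001]: Failed password for root from 203.0.113.5 port 50003 ssh2",
    "2025-03-01T10:00:12 gw1 sshd[1001]: Failed password for invalid user user from 203.0.113.5 port 50004 ssh2",
    "2025-03-01T10:00:15 gw1 sshd[1001]: Failed password for root from 203.0.113.5 port 50005 ssh2",
    "2025-03-01T10:00:20 gw1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 50006 ssh2",
    "2025-03-01T10:00:05 gw1 sshd[1002]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "2025-03-01T10:00:30 gw1 sshd[1003]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
    "2025-03-01T10:01:00 gw1 sshd[1004]: Failed password for root from 192.0.2.9 port 30001 ssh2",
    "2025-03-01T10:01:20 gw1 sshd[1004]: Failed password for root from 192.0.2.9 port 30002 ssh2",
    "2025-03-01T10:01:40 gw1 sshd[1004]: Failed password for root from 192.0.2.9 port 30003 ssh2",
    "2025-03-01T10:02:00 gw1 sshd[1004]: Failed password for root from 192.0.2.9 port 30004 ssh2",
    "2025-03-01T10:02:20 gw1 sshd[1004]: Failed password for root from 192.0.2.9 port 30005 ssh2",
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures since {info['window_start']} "
              f"against {', '.join(info['users'])}")
```

The distinct-user list in each alert is what separates a password-list run against one account from a spray across many, and the sliding window means a source that trickles attempts below the rate never accumulates into a false alert; in practice the threshold is tuned against the normal failure rate of the monitored service.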
Splunk noted that the actor targeted specific CIDRs of ISP infrastructure providers located on the West Coast of the United States and in China. These ranges were swept with a masscan tool, which lets operators scan large numbers of IP addresses and then probe the open ports they find for credentials to brute-force.