CURLing for Crypto on Honeypots
Dec. 9, 2024, 11:02 a.m.
Description
An analysis of honeypot activity reveals a pattern of repeated curl commands targeting various websites, primarily originating from a single IP address. The commands, executed on multiple honeypots, focus on cryptocurrency-related sites, bot construction platforms, and communication services. The activity involves thousands of requests to each site, potentially indicating a distributed denial-of-service attempt or a cryptocurrency mining operation. The report details the methods used to analyze the data, including log parsing and visualization techniques, and provides a comprehensive list of targeted websites along with their purposes. The persistent nature of this activity, which began in November 2024 and continues, suggests an ongoing campaign with unclear motives.
Date
Published: Dec. 9, 2024, 8:26 a.m.
Created: Dec. 9, 2024, 8:26 a.m.
Modified: Dec. 9, 2024, 11:02 a.m.
Indicators
Attack Patterns
T1583
T1571
T1016
T1082
T1595
T1046
T1584
T1190
Additional Information
Russian Federation