CURLing for Crypto on Honeypots

Dec. 9, 2024, 11:02 a.m.

Description

An analysis of honeypot activity reveals a pattern of repeated curl commands targeting various websites, primarily originating from a single IP address. The commands, executed on multiple honeypots, focus on cryptocurrency-related sites, bot construction platforms, and communication services. The activity involves thousands of requests to each site, potentially indicating a distributed denial-of-service attempt or a cryptocurrency mining operation. The report details the methods used to analyze the data, including log parsing and visualization techniques, and provides a comprehensive list of targeted websites along with their purposes. The persistent nature of this activity, which began in November 2024 and continues, suggests an ongoing campaign with unclear motives.

Date

  • Created: Dec. 9, 2024, 8:26 a.m.
  • Published: Dec. 9, 2024, 8:26 a.m.
  • Modified: Dec. 9, 2024, 11:02 a.m.

Indicators

Attack Patterns

Additional Information

  • Russian Federation