Infostealer Campaign against ISPs
March 11, 2025, 4:53 p.m.
Description
A campaign targeting ISP infrastructure providers on the West Coast of the United States and in China has been identified. Originating from Eastern Europe, the attackers use simple tools to abuse victims' computing resources for cryptomining and to steal credentials. Initial access is gained through brute-force attacks against weak credentials. The malware has diverse functions, including data exfiltration, deployment of additional crimeware, self-termination to avoid detection, establishment of persistence, disabling of remote access, and pivot attacks against targeted CIDRs. The actors perform minimally intrusive operations, relying on scripting languages and API calls for C2 communication. The campaign specifically targets ISP infrastructure, most likely for cryptomining purposes.
Tags
Date
- Created: March 11, 2025, 2:14 p.m.
- Published: March 11, 2025, 2:14 p.m.
- Modified: March 11, 2025, 4:53 p.m.
Additional Information
- Telecommunications
- China
- United States of America