Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors

June 6, 2024, 8:06 a.m.

Description

This report describes a case in which a proxy server operated by a CoinMiner threat actor, used to reach and manage its botnet of infected hosts, was itself hit by a Remote Desktop Protocol (RDP) scanning attack from a ransomware threat actor. The ransomware actor breached the proxy server and used that access to distribute ransomware to the CoinMiner actor's botnet. The report reconstructs the sequence of events and considers whether the CoinMiner infrastructure was targeted deliberately or was simply swept up by chance in the ransomware actor's scanning.

Date

Published: June 6, 2024, 7:22 a.m.

Created: June 6, 2024, 7:22 a.m.

Modified: June 6, 2024, 8:06 a.m.

Indicators

de374c1b9a05c2203e66917202c42d11eac4368f635ccaaadf02346035e82562

bc12d3944a21898a2184c190b1ccf141aa38a2ec37f168ff9711e37296afe87c

9ac07d483ed3e055f48dbf031889e51e055bddf16058abb0239af1f0a9cb15dd

9933bd1c96391353eea9986844d283c066d290e3a57df8a4871b4ddc41408d76

90b5cd03b6de6584d47f5ab2d9cbd3eed3ed68d7db4e806b1e327d59ec0a6cde

8ef1fa3f0ce9bb29a5a676a0ca7af67dc554617a8595b1043d1eb9176c248934

8c57b97b04d7eabbae651c3400a5e6b897aea1ae8964507389340c44b99c523a

82dd3926a416016bb5747eab624285c5013ce8ea5a8ae017027bd5c8181d3174

64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c

5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6

4de048ad33f0a710a226d193f92f20417da5ba3628f79b0e25cbe83b0c979fc0

26a3395a4115355e897a7daf04551eba5e62da661d8dbae7c99205a2e74d24ba

1e5a90b5dcd4768964454cdf659620f5939464c6073f1dfc5d9306a869b609d1

0a5be1c9541e0fadce5f1928d3bb95367baef9ce59d487688662b100e88aabf5

e71cda5e7c018f18aefcdfbce171cfeee7b8d556e5036d8b8f0864efc5f2156b

816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019

7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26

205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964

46.59.214.14

47.99.155.111

46.59.210.69

223.223.188.19

185.141.26.116

84.46.22.158

http://84.46.22.158:7000

http://46.59.214.14:7000

http://46.59.210.69:7000

http://185.141.26.116/winupdate.css

http://185.141.26.116/stats.php

http://185.141.26.116/hotfixl.ico
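The indicators above are only useful once they are matched against telemetry. The following script is an added example (not code from this page or from the report it summarizes) that loads the page's SHA-256 hashes, IP addresses and URLs into sets and scans log lines for them, additionally tagging IP hits that appear in an RDP logon context (Windows logon type 10 or port 3389), since the report attributes the initial breach to RDP scanning. The log lines are constructed for the example; the field names in them (sha256=, IpAddress=, LogonType=) are assumptions, not a real product's format.

```python
"""Match the indicators listed on this page against log lines (added example)."""
import re

# SHA-256 hashes copied verbatim from the page's Indicators list.
PAGE_HASHES = {
    "de374c1b9a05c2203e66917202c42d11eac4368f635ccaaadf02346035e82562",
    "bc12d3944a21898a2184c190b1ccf141aa38a2ec37f168ff9711e37296afe87c",
    "9ac07d483ed3e055f48dbf031889e51e055bddf16058abb0239af1f0a9cb15dd",
    "9933bd1c96391353eea9986844d283c066d290e3a57df8a4871b4ddc41408d76",
    "90b5cd03b6de6584d47f5ab2d9cbd3eed3ed68d7db4e806b1e327d59ec0a6cde",
    "8ef1fa3f0ce9bb29a5a676a0ca7af67dc554617a8595b1043d1eb9176c248934",
    "8c57b97b04d7eabbae651c3400a5e6b897aea1ae8964507389340c44b99c523a",
    "82dd3926a416016bb5747eab624285c5013ce8ea5a8ae017027bd5c8181d3174",
    "64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c",
    "5e85446910e732111ca9ac90f9ed8b1dee13c3314d2c5117dcf672994ce73bd6",
    "4de048ad33f0a710a226d193f92f20417da5ba3628f79b0e25cbe83b0c979fc0",
    "26a3395a4115355e897a7daf04551eba5e62da661d8dbae7c99205a2e74d24ba",
    "1e5a90b5dcd4768964454cdf659620f5939464c6073f1dfc5d9306a869b609d1",
    "0a5be1c9541e0fadce5f1928d3bb95367baef9ce59d487688662b100e88aabf5",
    "e71cda5e7c018f18aefcdfbce171cfeee7b8d556e5036d8b8f0864efc5f2156b",
    "816d7616238958dfe0bb811a063eb3102efd82eff14408f5cab4cb5258bfd019",
    "7a313840d25adf94c7bf1d17393f5b991ba8baf50b8cacb7ce0420189c177e26",
    "205818e10c13d2e51b4c0196ca30111276ca1107fc8e25a0992fe67879eab964",
}
# IP addresses and URLs copied verbatim from the page's Indicators list.
PAGE_IPS = {
    "46.59.214.14", "47.99.155.111", "46.59.210.69",
    "223.223.188.19", "185.141.26.116", "84.46.22.158",
}
PAGE_URLS = {
    "http://84.46.22.158:7000", "http://46.59.214.14:7000", "http://46.59.210.69:7000",
    "http://185.141.26.116/winupdate.css", "http://185.141.26.116/stats.php",
    "http://185.141.26.116/hotfixl.ico",
}

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def rdp_context(line: str) -> bool:
    """True if the line looks like an RDP logon event (assumed field names)."""
    lowered = line.lower()
    return "logontype=10" in lowered or ":3389" in lowered


def extract_hits(line: str) -> list:
    """Return every page indicator found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)").lower()
        if url in PAGE_URLS:
            hits.append({"kind": "url", "value": url, "rdp": False})
    for ip in IPV4_RE.findall(line):
        if ip in PAGE_IPS:
            hits.append({"kind": "ip", "value": ip, "rdp": rdp_context(line)})
    for digest in SHA256_RE.findall(line):
        if digest.lower() in PAGE_HASHES:
            hits.append({"kind": "hash", "value": digest.lower(), "rdp": False})
    return hits


def scan_log(lines) -> list:
    """Scan an iterable of log lines; each hit records the 1-based line number."""
    results = []
    for number, line in enumerate(lines, start=1):
        for hit in extract_hits(line):
            hit["line"] = number
            results.append(hit)
    return results


def summarize(hits) -> dict:
    """Count hits per indicator kind."""
    counts = {}
    for hit in hits:
        counts[hit["kind"]] = counts.get(hit["kind"], 0) + 1
    return counts


# Constructed sample log lines (not real telemetry from the report).
SAMPLE_LOG = [
    "2024-06-05T02:14:07Z proxy 10.0.0.23 GET http://185.141.26.116/winupdate.css 200",
    "2024-06-05T02:14:09Z edr host=WS-07 event=FileCreate sha256=9ac07d483ed3e055f48dbf031889e51e055bddf16058abb0239af1f0a9cb15dd",
    "2024-06-05T02:15:30Z winsec EventID=4625 LogonType=10 IpAddress=84.46.22.158 TargetUserName=administrator",
    "2024-06-05T02:15:31Z winsec EventID=4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=administrator",
    "2024-06-05T02:16:02Z edr host=WS-07 event=FileCreate sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = " [RDP logon source]" if hit["rdp"] else ""
        print(f"line {hit['line']}: {hit['kind']} {hit['value']}{flag}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Run against the constructed lines, the scan reports the URL and IP from the first line, the hash from the second, and the listed IP in the RDP logon event; the unlisted IP and the unlisted hash produce nothing. The URL hit and the IP hit on the first line are reported separately on purpose: an IP match on its own is weaker evidence than a full URL match, and a consumer can weight them differently.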

Attack Patterns

Ransomware

Havex

Backdoor.Oldrea - S0093

Phobos

CoinMiner

T1534

T1572

T1189

T1021

T1486

T1105

T1053

T1195

T1078

T1003

T1059