Tag: cryptomining

17 Attack Reports | 0 Vulnerabilities

Attack reports

Stopping Sobolan Malware with Aqua Runtime Protection

A new attack campaign targeting interactive computing environments like Jupyter Notebooks has been discovered. The attack involves downloading a compressed file from a remote server, which, when executed, deploys multiple malicious tools to exploit the server and establish persistence. The campaign…
evasion
persistence
cryptomining
cloud-native
2025-03-12
runtime protection
sobolan
jupyter notebooks
Published: March 12, 2025
Downloadable IOCs: 9

Infostealer Campaign against ISPs

A campaign targeting ISP infrastructure providers on the West Coast of the United States and China has been identified. Originating from Eastern Europe, the attackers use simple tools to abuse victims' computer processing power for cryptomining and credential theft. The initial access is gained thr…
infostealer
persistence
cryptomining
brute force
2025-03-11
scripting
Published: March 11, 2025
Downloadable IOCs: 0

StaryDobry campaign targets gamers with XMRig miner

A cybercriminal campaign launched on December 31 exploited reduced vigilance during the holiday season by distributing trojanized versions of popular games via torrent sites. The attack, which lasted a month, affected users worldwide by spreading the XMRig cryptominer. The sophisticated infection c…
xmrig
cryptomining
defense evasion
gaming
multi-stage
2025-02-18
torrents
resource spoofing
Published: February 18, 2025
Downloadable IOCs: 15

Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics

This analysis focuses on redtail, a cryptocurrency mining malware that stealthily installs itself on compromised systems. The malware utilizes two additional scripts: one to identify the CPU architecture and another to remove existing cryptomining software. Observed attacks originated from IP addre…
cryptomining
redtail
2025-01-09
c3pool_miner
Published: January 9, 2025
Downloadable IOCs: 12

PacketCrypt Classic Cryptocurrency Miner on PHP Servers

A cryptocurrency mining campaign targeting vulnerable PHP servers has been identified. The attack exploits misconfigured or unpatched servers, allowing unauthorized access to php-cgi.exe. The malware, initially delivered as dr0p.exe, downloads a secondary payload pkt1.exe, which then spawns packetc…
cryptomining
CVE-2024-4577
php
2025-01-07
packetcrypt
stake-to-earn
Published: January 7, 2025
Downloadable IOCs: 6

Unpacking the Diicot Malware Targeting Linux Environments

A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements compared to previous iterations, including modified UPX headers with corrupted checksums, advanced payload staging, and environment…
malware
linux
openssh
xmrig
persistence
cryptomining
brute-force
2024-12-17
reverse-shell
upx
Published: December 17, 2024
Downloadable IOCs: 36

Attacker Abuses Victim Resources to Reap Rewards from Titan Network

An attacker exploited the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network. The malicious actor gathered system details using public IP lookup services and various commands. Multiple shell scripts were downloaded and executed …
cryptomining
aws
ssh
remote code execution
CVE-2023-22527
atlassian confluence
2024-11-04
titan network
cassini testnet
aleo-pool
Published: November 4, 2024
Downloadable IOCs: 1

Docker Gatling Gun Campaign

Recent research has uncovered a new malicious campaign orchestrated by the notorious hacking group TeamTNT. This campaign exploits exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, utilizing compromised servers and Docker Hub as infrastructure for spreading their mali…
campaign
sliver
malicious
cryptomining
docker
tsunami
2024-10-26
exposed-daemons
cloud-native
container-security
docker-swarm
docker-hub
2024-10-29
prochider
Published: October 29, 2024
Downloadable IOCs: 11

Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

A malicious actor has been observed targeting Docker remote API servers to deploy the SRBMiner cryptominer for mining XRP cryptocurrency. The attacker utilizes the gRPC protocol over h2c (clear text HTTP/2 protocol) to evade security measures and execute cryptomining operations on Docker hosts. The…
cryptomining
docker
container security
2024-10-22
http/2
xrp
grpc
remote api
srbminer
Published: October 22, 2024
Downloadable IOCs: 2

LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits

This report details the tactics and techniques employed by the LemonDuck cryptomining malware, which exploits the SMB service by leveraging the EternalBlue vulnerability (CVE-2017-0144). After gaining initial access through brute-force attacks, the malware creates malicious files, disables security…
persistence
malicious scripts
credential theft
cryptomining
CVE-2017-0144
lemonduck
2024-10-14
network manipulation
Published: October 14, 2024
Downloadable IOCs: 8

LemonDuck Malware Exploiting SMB Vulnerabilities

LemonDuck malware has evolved into a versatile threat, targeting both Windows and Linux systems. It exploits SMB vulnerabilities, particularly EternalBlue, to gain network access. The malware uses brute-force attacks, creates hidden administrative shares, and executes malicious actions via batch fi…
cryptomining
CVE-2017-0144
2024-10-09
lemonduck
eternalblue
smb
Published: October 9, 2024
Downloadable IOCs: 5

SIEM agent being used in SilentCryptoMiner attacks

A global malware campaign targeting mainly Russian-speaking users has been distributing cryptocurrency mining malware through fake software download sites, Telegram channels, and YouTube videos. The multi-stage infection chain uses unusual techniques for persistence and evasion, including hiding ma…
seo poisoning
persistence
autoit
cryptomining
defense evasion
2024-10-07
silentcryptominer
siem
Published: October 7, 2024
Downloadable IOCs: 8

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

A sophisticated Linux malware named 'perfctl' has been actively targeting millions of servers worldwide for the past 3-4 years. It exploits over 20,000 types of misconfigurations to compromise Linux systems. The malware employs advanced evasion techniques, including rootkits, process masquerading, …
linux
rootkit
evasion
privilege-escalation
persistence
cryptomining
CVE-2023-33246
2024-10-04
tor
CVE-2021-4043
proxy-jacking
perfctl
Published: October 4, 2024
Downloadable IOCs: 9

Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal

This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection …
china
botnet
cryptomining
brazil
pwnrig
tsunami
k4spreader
weblogic
hadooken
2024-10-01
CVE-2017-10271
CVE-2020-14883
Published: October 1, 2024
Downloadable IOCs: 62

From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking

Two campaigns targeting Selenium Grid, a popular web testing tool, have been identified. The attacks exploit misconfigured instances lacking authentication to deploy cryptominers and proxyjacking tools. The first campaign injects a base64 encoded Python script to download and execute a reverse shel…
cryptomining
vulnerability exploitation
2024-09-17
tor
proxyjacking
perfcc
iproyal pawns
gsocket
traffmonetizer
selenium grid
Published: September 17, 2024
Downloadable IOCs: 18

Cryptomining Campaign Exploiting Grid Services

Wiz researchers discovered an ongoing threat campaign, dubbed 'SeleniumGreed', that exploits exposed Selenium Grid services for cryptomining. The campaign targets publicly accessible instances of Selenium Grid, an integral component of the widely used Selenium testing framework. By leveraging featu…
xmrig
cryptomining
threat
2024-07-30
webdriver
grid
selenium
Published: July 30, 2024
Downloadable IOCs: 14

Unveiling a Crypto Mining Operation

This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload, dubbed GHOSTENGINE, leverages vulnerable drivers to terminate and delete known endpoint detection and respon…
xmrig
2024-05-22
cryptomining
ghostengine
Published: May 22, 2024
Downloadable IOCs: 17
Click here to see more Attack Reports