Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers
Summary:
The Splunk Threat Research Team has identified a mass exploitation campaign targeting ISP infrastructure providers on the West Coast of the United States and China. This attack, originating from Eastern Europe, primarily aims to deploy cryptomining malware while engaging in credential abuse, data exfiltration, and long-term persistence techniques. The attackers gain initial access through brute-force attacks against weak credentials, enabling them to deploy various binaries onto compromised systems. These payloads are delivered via Windows Remote Management and leverage PowerShell scripts to establish a foothold, execute additional malicious commands, and evade detection.
Once inside the environment, the attackers use lightweight tools that are difficult to detect. They deploy network scanners such as masscan.exe to enumerate open ports and identify additional targets within ISP infrastructure. The campaign involves downloading infostealers and cryptomining payloads, which are hidden inside directories. The malware is designed to perform multiple malicious functions, including exfiltrating credentials, maintaining persistence, executing lateral movement, and disabling security measures. To maintain access, the attackers modify registry settings, disable Windows Defender real-time monitoring, and terminate security-related processes. Additionally, the malware modifies file permissions using ICACLS.exe to restrict administrative access to its execution directories, making it harder to detect and remove.
The attackers use Telegram API as a command-and-control channel, allowing them to remotely issue commands, receive exfiltrated data, and deploy updates to their payloads. They employ Python-compiled executables to automate their operations, reducing their footprint and enabling them to function in restricted environments. The malware also performs clipboard hijacking by monitoring for cryptocurrency wallet addresses, replacing them with attacker-controlled addresses to steal funds. Screenshots of compromised hosts are captured and sent to the Telegram bot to provide the attackers with visual insights into the victim’s machine. The campaign includes over 4,000 verified IP addresses, specifically targeting ISP providers' infrastructure, indicating a highly strategic focus on gaining access to high-value targets.
Security Officer Comments:
Key indicators of compromise include the use of RAR SFX self-extracting archives, which allow attackers to combine malware extraction and execution in a single step, eliminating the need for manual unpacking. Additionally, the attackers use SSH brute-force techniques to pivot within compromised environments and expand their access. The malware deploys XMRig cryptocurrency miners, which hijack the victim’s processing power for illicit mining operations, often causing performance degradation in affected systems. Furthermore, the attackers implement various persistence mechanisms, including modifying registry keys, creating startup tasks, and installing services.
Suggested Corrections:
To mitigate the risks posed by this campaign, the Splunk Threat Research Team has developed a comprehensive set of security detections. These detections focus on identifying suspicious file paths, unauthorized process executions, and unusual registry modifications. The team also monitors for anomalies in Windows Remote Management (WINRM) usage, given its role in payload execution. Additional detections target malware obfuscation techniques, the use of ICACLS.exe for permission modifications, and Telegram API-based C2 communications. Organizations should also implement strong authentication practices, enforce multi-factor authentication (MFA), and restrict remote administrative access to reduce the attack surface.
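As an added illustration of the detection themes listed above (not code from the Splunk Threat Research Team or the article), the following Python runs three rules over constructed process and network telemetry: ICACLS.exe denying Administrators on a directory, PowerShell disabling Defender real-time monitoring (with a note when the parent is the WinRM host process wsmprovhost.exe, an assumption about how WinRM-delivered commands appear in telemetry), and connections to api.telegram.org from processes outside an assumed baseline. Field names and sample values are invented for the example.

```python
import re
from typing import Dict, List

# Constructed sample events modelled on Sysmon/EDR process-creation and
# network-connection telemetry (hypothetical data, not from the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": 'icacls.exe "C:\\Users\\Public\\sync" /deny Administrators:(OI)(CI)F /t'},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
     "parent": "C:\\Windows\\System32\\wsmprovhost.exe"},
    {"type": "network", "image": "C:\\Users\\Public\\sync\\update.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},
    {"type": "process", "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": 'icacls.exe "C:\\Users\\alice\\Documents" /grant alice:(OI)(CI)M'},  # benign
    {"type": "network", "image": "C:\\Program Files\\Telegram Desktop\\Telegram.exe",
     "dest_host": "api.telegram.org", "dest_port": "443"},  # benign: desktop client
]

# Rule patterns. The Administrators deny matches the permission tampering the
# report describes; Set-MpPreference is the real Defender cmdlet for this switch.
ICACLS_DENY = re.compile(r"/deny\s+(?:BUILTIN\\)?Administrators", re.IGNORECASE)
DEFENDER_OFF = re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.IGNORECASE)
# Assumed per-organisation baseline of processes allowed to talk to the Telegram API.
TELEGRAM_ALLOWED = {"c:\\program files\\telegram desktop\\telegram.exe"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all detection rules triggered by one event."""
    hits: List[str] = []
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "")
    if event["type"] == "process":
        if image.endswith("\\icacls.exe") and ICACLS_DENY.search(cmd):
            hits.append("icacls_deny_admin")
        if DEFENDER_OFF.search(cmd):
            hits.append("defender_realtime_disabled")
            # WinRM-delivered commands are assumed to run under wsmprovhost.exe.
            if event.get("parent", "").lower().endswith("\\wsmprovhost.exe"):
                hits.append("winrm_spawned_powershell")
    elif event["type"] == "network":
        if event.get("dest_host", "").lower() == "api.telegram.org" and image not in TELEGRAM_ALLOWED:
            hits.append("telegram_api_from_unexpected_process")
    return hits


def run_detections(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> triggered rules, keeping only events that fired at least one."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Running `run_detections(SAMPLE_EVENTS)` flags the first three constructed events and leaves the two benign ones untouched; in production the baseline set and the parent-process check would come from your own environment's telemetry.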
Link(s):
https://thehackernews.com/2025/03/over-4000-isp-networks-targeted-in.html