Malware Attack Hits 4,000+ ISPs, Granting Hackers Remote Control

A sophisticated malware campaign originating from Eastern Europe has compromised over 4,000 Internet Service Providers (ISPs) across the West Coast of the United States and China, granting attackers remote access to critical infrastructure.

Researchers from the Splunk Threat Research Team have identified this large-scale exploitation campaign, which leverages brute-force attacks, credential theft, and cryptomining payloads to infiltrate ISP systems.

The attack begins with brute-force techniques targeting weak credentials (classified under MITRE ATT&CK’s Initial Access T1078).

Once access is gained, the attackers deploy multiple malicious binaries, including infostealer payloads and cryptominers.

These binaries are hidden in directories labeled “Migration” to evade detection.

The malware also uses scripting languages like Python and PowerShell to execute commands in restricted environments, further complicating detection efforts.

The attackers utilize Windows Remote Management (WINRM) services to execute encoded PowerShell scripts, disabling security features such as Windows Defender and modifying system permissions to maintain persistence.

One of the primary payloads, “mig.rdp.exe,” acts as a self-extracting archive that drops additional malware components, including clipbankers for cryptocurrency theft and XMRig miners for cryptojacking operations.

Figure: Download CoinMiner Component

Advanced Techniques for Persistence and Evasion

The malware employs various defense evasion tactics, including disabling real-time antivirus monitoring and modifying directory permissions using Windows utilities like ICACLS.

It also removes traces of its presence by deleting dropped files after execution. To ensure persistence, the attackers create startup entries and install malicious components as Windows services.

A notable feature of this campaign is its use of Telegram bots for Command-and-Control (C2) communication.

The collected data, ranging from compromised credentials to cryptocurrency wallet addresses, is exfiltrated via Telegram API calls.

This method provides an additional layer of anonymity for the threat actors.

Targeted Infrastructure and Tools

The campaign specifically targets ISP infrastructure by scanning IP ranges using tools like “masscan.exe.”

The malware downloads password lists and IP address datasets from its C2 servers to brute-force SSH connections and open WINRM ports on vulnerable systems.

Figure: SSH Connection Attempts

Once access is established, the attackers pivot within the network to expand their foothold.

Splunk researchers noted that over 4,000 IP addresses belonging to ISPs were targeted in this campaign.

The ultimate goal appears to be leveraging ISP resources for cryptomining operations while simultaneously exfiltrating sensitive data.

This attack underscores the growing sophistication of cybercriminals targeting critical infrastructure providers.

By combining brute-force attacks with advanced persistence mechanisms and cryptojacking tools, these actors can exploit ISP resources while avoiding detection.

To mitigate such threats, organizations are advised to enforce strong password policies, monitor unusual system activity (e.g., PowerShell execution via WINRM), and implement endpoint detection solutions capable of identifying suspicious file paths or unauthorized script executions.
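As an added illustration of the monitoring recommended above (this is example code, not from the article or from Splunk's detection suite), the Python below runs four simple rules over constructed process-creation records: encoded PowerShell spawned from the WinRM host, Defender real-time monitoring being switched off, ICACLS touching a "Migration" directory, and binaries executing from such a directory. It assumes wsmprovhost.exe as the WinRM session host process and Set-MpPreference as the Defender configuration cmdlet; all paths, command lines and the base64 string (which decodes to Get-Date) are made up.

```python
import re

# Constructed sample process-creation records (parent image, image, command line);
# these are illustrative, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wsmprovhost.exe",   # WinRM session host (assumed parent)
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Public\Migration" /grant Everyone:F /T'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\Migration\mig.rdp.exe",
     "cmdline": r"C:\Users\Public\Migration\mig.rdp.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"parent": r"C:\Windows\explorer.exe",                # benign control record
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'},
]

# Each rule maps one behaviour described in the article to a predicate over a record.
RULES = [
    # Encoded PowerShell spawned by the WinRM host process.
    ("encoded_powershell_via_winrm",
     lambda e: e["parent"].lower().endswith("wsmprovhost.exe")
               and "powershell" in e["image"].lower()
               and re.search(r"(?i)\s-(enc|encodedcommand|e|ec)\b", e["cmdline"]) is not None),
    # Real-time Defender monitoring switched off from the command line.
    ("defender_realtime_disabled",
     lambda e: re.search(r"(?i)Set-MpPreference.*DisableRealtimeMonitoring\s*\$?true",
                         e["cmdline"]) is not None),
    # ICACLS changing permissions on a directory named "Migration".
    ("icacls_on_migration_dir",
     lambda e: e["image"].lower().endswith("icacls.exe")
               and re.search(r"(?i)\\migration\b", e["cmdline"]) is not None),
    # Any executable running from a "Migration" directory.
    ("binary_in_migration_dir",
     lambda e: re.search(r"(?i)\\migration\\[^\\]+\.exe$", e["image"]) is not None),
]

def evaluate(events):
    """Return (rule_name, image) for every record that matches a rule, in event order."""
    return [(name, e["image"]) for e in events for name, pred in RULES if pred(e)]

if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

In a real deployment the same predicates would run over Sysmon or EDR process events rather than an inline list, and the benign record shows that ordinary software on the same host produces no hits.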

Splunk has released a suite of detections to help security teams identify indicators associated with this campaign.

As cyberattacks on infrastructure providers increase in frequency and complexity, proactive monitoring and robust defense strategies remain critical in safeguarding against such threats.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.