Splunk Threat Research Team disclose Yesterday, cryptocurrency mining malware campaigns targeting Windows servers on Amazon Web Services (AWS). Once these instances are compromised, they will be included in an encrypted botnet, which, according to the report, is related to similar activities that were active in 2018.
Splunk explained that the attack relies on the Telegram API, “malicious actors can [use to] Turn the desktop clients of the infected host into bots because they can remotely issue commands and download other tools and payloads. “The campaign effectively uses messaging services as its command and control infrastructure.
“In a typical attack on an encrypted botnet on Telegram, the attacker first broke into a Windows server and continued to install several tools found in hacker forums, such as NL Brute, KPort Scan, and NLA Checker,” Splunk said. “All these tools are aimed at Windows servers with weak passwords that use RDP protocol brute force tools.”
Once these tools are installed, the malware operators will install Telegram’s desktop client so that they can use its API to distribute Monero-related mining tools, which is a type that claims to be “private and untraceable” Cryptocurrency. This makes it an excellent choice for crypto botnet operators who want to cover their tracks. Monero also happens to be one of the few cryptocurrencies that can still generate moderate profits through CPU mining (especially if you steal CPU time).
Splunk stated that it found a “monero wallet observed in previous activities dating back to 2018”. The company also stated that the activity itself “involves the use of encrypted payloads and very similar exploitation techniques”, which may indicate that it was carried out by the same person.
AWS customers running Windows servers are advised to ensure that they regularly patch their operating systems, install the latest security updates, stop using weak passwords, and consider enabling Network-level certification To mitigate the potential impact of these brute force attacks.