Security researchers recently discovered a new server “hosting a large stockpile of malicious files”.
The analysis shows that malicious actors are targeting a number of organizations with the help of a command-and-control server. This server is hosting samples of ransomware and PoS malware, among others.
The analysis carried out by Cisco Talos researchers shows that the attackers were “able to obtain a deep level of access to victims’ infrastructure”. The research team also identified several of the targets, including one American manufacturing company.
The researchers discovered “a great variety of malicious files on this server, ranging from ransomware like the DopplePaymer, to credit card capture malware like the TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2).”
The diversity of data located on this server depicts how threat actors can target a large variety of organizations using the same infrastructure. The malicious tools and approaches reveal a resourceful and sophisticated adversary, who has “a widespread infrastructure shared across different operations.”
Two Targets Identified
Two recent targets of this resourceful adversary were identified during the analysis of the command and control server. The first targeted organization is an aluminum and steel gratings manufacturer based in the United States. This company was targeted with ransomware.
For the identification of the second target, the researchers deployed a process dump. However, details about the victimized organization were not revealed in the report.
In conclusion, the analysis reveals a sophisticated threat actor capable of compromising a variety of organizations, using different malware samples. One of the targets the researchers identified was attacked by ransomware, but the threat actor can also steal credit card data via PoS malware.
Based on the discoveries so far, it seems that the attacker is preferring medium-sized companies in the industrial sector. During their investigation, the researchers got in touch with several potential victims to ensure they could remediate.
This is a good example of how an attacker can be diverse during their use of infrastructure and their use of different tools, techniques and procedures (TTPs), the researchers concluded.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: