Security researchers recently discovered a new server “hosting a large stockpile of malicious files”.
The analysis shows that malicious actors are targeting a number of organizations with the help of a command-and-control server. This server hosts samples of ransomware and PoS malware, among other malicious files.
The analysis carried out by Cisco Talos researchers shows that the attackers were “able to obtain a deep level of access to victims’ infrastructure”. The research team also identified several of the targets, including one American manufacturing company.
The researchers discovered “a great variety of malicious files on this server, ranging from ransomware like the DoppelPaymer, to credit card capture malware like the TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2).”
The diversity of the files located on this server shows how threat actors can target a large variety of organizations using the same infrastructure. The malicious tools and approaches reveal a resourceful and sophisticated adversary, who has “a widespread infrastructure shared across different operations.”
Two Targets Identified
Two recent targets of this resourceful adversary were identified during the analysis of the command and control server. The first targeted organization is an aluminum and steel gratings manufacturer based in the United States. This company was targeted with ransomware.
The second target was identified using a process dump. However, details about the victimized organization were not revealed in the report.
In conclusion, the analysis reveals a sophisticated threat actor capable of compromising a variety of organizations, using different malware samples. One of the targets the researchers identified was attacked by ransomware, but the threat actor can also steal credit card data via PoS malware.
Based on the discoveries so far, it seems that the attacker prefers medium-sized companies in the industrial sector. During their investigation, the researchers contacted several potential victims so that they could remediate.
This is a good example of how diverse an attacker's use of infrastructure and of different tactics, techniques and procedures (TTPs) can be, the researchers concluded.