Hackers Attacking 4000+ ISPs With New Malware for Remote Access


Researchers from Splunk have identified a sophisticated malware campaign targeting over 4,000 Internet Service Providers (ISPs) primarily located on the West Coast of the United States and in China.

The campaign, which originated from Eastern Europe, uses a combination of credential brute force attacks and stealthy malware to establish persistent access while mining cryptocurrency and stealing sensitive information.

According to the February 28, 2025 report, attackers are exploiting weak credentials to gain initial access to ISP infrastructure through Windows Remote Management (WinRM) services.

Once access is established, the threat actors deploy several malicious components, including cryptominers and information-stealing malware designed to monitor cryptocurrency transactions.

The malware infrastructure consists of multiple components, with the primary infection vector being a file called mig.rdp.exe, which is a self-extracting RAR archive.

mig.rdp.exe dropped files (Source – Splunk)

This file unpacks additional components including migrate.exe, which deploys cryptocurrency mining software while disabling security features and establishing persistence mechanisms.

“The threat actor used brute force techniques to gain access to accounts when passwords are unknown or when password hashes have been obtained.”

“Once the username and password were recovered, it will execute WINRM service to deploy the payload,” the researchers at Splunk noted.
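The brute force described above leaves a recognisable trail on the target: a burst of failed network logons from one source, then a success from the same source. The following is an added example, not code from the Splunk report; it scans constructed Windows Security-style event lines (event 4625 for a failed logon, 4624 for a success, logon type 3 for a network logon, which is how a WinRM session authenticates) and flags sources that fail repeatedly before succeeding. The line format, threshold and sample addresses are this example's own assumptions.

```python
"""Flag a credential brute force that ends in a successful network logon.

Added example (not from the Splunk report). Input is a simplified
Windows Security event feed; real deployments would read the fields from
the event XML or a SIEM export instead of the space-separated form used here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
NETWORK_LOGON_TYPE = "3"  # WinRM sessions authenticate as network logons

# Constructed sample: "<timestamp> <event_id> <account> <source_ip> <logon_type>"
SAMPLE_EVENTS = """\
2025-02-20T10:00:01 4625 backup 203.0.113.7 3
2025-02-20T10:00:02 4625 backup 203.0.113.7 3
2025-02-20T10:00:02 4625 admin 203.0.113.7 3
2025-02-20T10:00:03 4625 admin 203.0.113.7 3
2025-02-20T10:00:04 4625 admin 203.0.113.7 3
2025-02-20T10:00:05 4625 admin 203.0.113.7 3
2025-02-20T10:00:06 4624 admin 203.0.113.7 3
2025-02-20T10:01:00 4625 jdoe 198.51.100.4 2
2025-02-20T10:01:20 4624 jdoe 198.51.100.4 2
"""


def parse_events(text):
    """Turn the raw lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, account, src_ip, logon_type = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "account": account,
            "src_ip": src_ip,
            "logon_type": logon_type,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_brute_force_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP whose failed network logons within
    `window` reached `threshold` before a successful network logon.

    Each alert is (src_ip, account, failures_before_success, success_time)."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in events:
        if e["logon_type"] != NETWORK_LOGON_TYPE:
            continue  # interactive and other logon types are out of scope here
        # Keep only failures still inside the sliding window.
        recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
        failures[e["src_ip"]] = recent
        if e["event_id"] == FAILED_LOGON:
            recent.append(e["ts"])
        elif e["event_id"] == SUCCESS_LOGON and len(recent) >= threshold:
            alerts.append((e["src_ip"], e["account"], len(recent), e["ts"]))
            failures[e["src_ip"]] = []  # one guessing run yields one alert
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force_successes(parse_events(SAMPLE_EVENTS)):
        print("brute-force success:", alert)
```

Counting failures per source rather than per account is deliberate: password spraying rotates accounts, so a per-account threshold would miss the run that eventually lands on a weak password.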

A particularly concerning aspect of this campaign is the deployment of a component called MicrosoftPrt.exe, a clipboard monitoring tool that searches for cryptocurrency wallet addresses.

When detected, the malware replaces legitimate wallet addresses with those controlled by the attackers, effectively hijacking transactions.
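The swap described above is visible from the clipboard's own history: the user copies an address from a browser, and moments later a different process overwrites it with a different address of the same kind. The following is an added example, not code from the Splunk report; it models a host-side clipboard monitor over constructed observations (timestamp, owning process, content). The process names, addresses and time window are assumptions made for the example.

```python
"""Flag clipboard writes that replace one wallet address with another.

Added example (not from the Splunk report). Observations are constructed
as (timestamp, owner process, clipboard text); a real monitor would obtain
the owner from the clipboard API of the operating system.
"""
import re
from datetime import datetime, timedelta

# Address shapes checked; the list can be extended per currency of interest.
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_kind(text):
    """Return 'btc' or 'eth' if the text looks like an address, else None."""
    text = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


# Constructed clipboard observations: (timestamp, owner process, content).
# The addresses are placeholders, not real wallets.
SAMPLE_CLIPBOARD = [
    ("2025-02-20T12:00:00", "chrome.exe", "invoice #4471"),
    ("2025-02-20T12:00:05", "chrome.exe", "0x" + "a1" * 20),        # user copies the payee address
    ("2025-02-20T12:00:06", "MicrosoftPrt.exe", "0x" + "b2" * 20),  # overwritten by another process
    ("2025-02-20T12:05:00", "notepad.exe", "meeting notes"),
    ("2025-02-20T12:06:00", "chrome.exe", "0x" + "c3" * 20),        # user copies a new address
    ("2025-02-20T12:09:00", "chrome.exe", "0x" + "d4" * 20),        # and later another one
]


def find_address_swaps(observations, max_gap=timedelta(seconds=30)):
    """Return (time, owner, original, replacement) for each suspicious swap.

    A swap is flagged when a wallet-like value is replaced by a different
    wallet-like value of the same kind within `max_gap`, written by a
    different process than the one that placed the original."""
    alerts = []
    prev = None  # (timestamp, owner, kind, content) of the previous write
    for ts_text, owner, content in observations:
        ts = datetime.fromisoformat(ts_text)
        kind = wallet_kind(content)
        if (prev and kind and kind == prev[2] and content != prev[3]
                and owner != prev[1] and ts - prev[0] <= max_gap):
            alerts.append((ts_text, owner, prev[3], content))
        prev = (ts, owner, kind, content)
    return alerts


if __name__ == "__main__":
    for alert in find_address_swaps(SAMPLE_CLIPBOARD):
        print("clipboard address swap:", alert)
```

The same comparison belongs at the point of use as well: a wallet or exchange client that remembers what the user copied can warn when the pasted address differs from it, which catches the swap even when no host monitor is running.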

Analysis of the Malware

The malware incorporates sophisticated techniques to maintain persistence and evade detection.

For example, it modifies file permissions using the ICACLS command to restrict access to its files, preventing administrators from easily removing the infection.

A code snippet from the malware reveals how it restricts access permissions:

Run(@ComSpec & "/c " & "icacls " & @ScriptDir & '/deny "%username%:(R,REA,RA,RD)"', @ScriptDir, @SW_HIDE)
Run(@ComSpec & " /c " & "icacls " & @ScriptDir & ' /deny "Users:(R,REA,RA,RD)"', @ScriptDir, @SW_HIDE)
Run(@ComSpec & " /c " & "icacls " & @ScriptDir & ' /deny "Administrators:(R,REA,RA,RD))"', @ScriptDir, @SW_HIDE)
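Those three commands are unusual enough to alert on: deployment scripts grant rights far more often than they deny them, and almost never deny the Administrators group on a folder they have just written. The following is an added example, not code from the Splunk report; it parses constructed process-creation records (the command-line field of a Sysmon event 1 or Security event 4688) and flags icacls /deny commands aimed at built-in groups, then builds the icacls command that removes the deny entries again. The sample paths, image names and principal list are this example's own assumptions.

```python
"""Flag icacls /deny commands that lock built-in groups out of a directory.

Added example (not from the Splunk report). The records below are constructed
to mirror the dropper's three commands plus two benign administrative uses.
"""
import re

# Principals whose denial keeps defenders out of a folder; a named service
# or contractor account being denied is ordinary access control.
SUSPICIOUS_PRINCIPALS = {"administrators", "users", "system", "everyone", "%username%"}

# icacls <path> ... /deny "<principal>:(<rights>)"
ICACLS_RE = re.compile(r'\bicacls(?:\.exe)?\s+("[^"]+"|\S+)', re.IGNORECASE)
DENY_RE = re.compile(r'/deny\s+"?([^":\s]+):\(([^)]*)\)', re.IGNORECASE)

# Constructed process-creation records: (image, command line). The first
# mirrors the dropper line that has no space before /deny, the third keeps
# the stray closing parenthesis seen in the recovered snippet.
SAMPLE_PROCESSES = [
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c icacls C:\\Users\\op\\AppData\\Roaming\\mig/deny "%username%:(R,REA,RA,RD)"'),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c icacls C:\\Users\\op\\AppData\\Roaming\\mig /deny "Users:(R,REA,RA,RD)"'),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c icacls C:\\Users\\op\\AppData\\Roaming\\mig /deny "Administrators:(R,REA,RA,RD))"'),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c icacls D:\\Shares\\Logs /grant "svc-collector:(R)" /t'),
    ("C:\\Windows\\System32\\icacls.exe",
     'icacls.exe D:\\Finance /deny "contractor1:(W)"'),
]


def parse_icacls_deny(cmdline):
    """Return (path, principal, rights) for an icacls /deny command, else None."""
    m_path = ICACLS_RE.search(cmdline)
    m_deny = DENY_RE.search(cmdline)
    if not (m_path and m_deny):
        return None
    path = m_path.group(1).strip('"')
    # A missing space glues the switch onto the path; cut it off so the
    # path stays usable for triage and remediation.
    path = re.split(r"/deny", path, flags=re.IGNORECASE)[0]
    return path, m_deny.group(1), m_deny.group(2)


def find_lockout_commands(records):
    """Return (image, path, principal) for each record denying a built-in group."""
    hits = []
    for image, cmdline in records:
        parsed = parse_icacls_deny(cmdline)
        if parsed and parsed[1].lower() in SUSPICIOUS_PRINCIPALS:
            hits.append((image, parsed[0], parsed[1]))
    return hits


def remediation_command(path, principal):
    """icacls invocation that strips the deny entries for `principal` again.

    /remove:d removes only the deny ACEs for that principal, leaving any
    granted rights on the folder as they were."""
    return f'icacls "{path}" /remove:d "{principal}"'


if __name__ == "__main__":
    for image, path, principal in find_lockout_commands(SAMPLE_PROCESSES):
        print(f"{image}: denies {principal} on {path}")
        print("  undo with:", remediation_command(path, principal))
```

Matching on the command line rather than on the resulting ACL means the alert fires at the moment the dropper runs, before the folder becomes hard to inspect; an ACL audit of user-writable directories for deny entries on Administrators is the complementary after-the-fact check.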

The attackers also use the Telegram API as a command-and-control channel, sending stolen information including clipboard contents and screenshots to their servers.

Security teams are advised to monitor for suspicious WinRM activity and to enforce strong password policies to prevent similar attacks.
