By Warren Mercer, Paul Rascagneres and Vitor Ventura.
Summary
Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims' infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack.We found a great variety of malicious files on this server, ranging from ransomware like the DopplePaymer, to credit card capture malware like the TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2)
The data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.
Targets' profiles
While performing our analysis, we identified at least two targets based on screenshots and memory dumps.Target No. 1: Based on screenshot
The first target we identified is an aluminium and stainless steel gratings company located in the U.S. This identification was made based on the screenshot from the HPE Data Protector management interface. The screenshot shows the domain name (which we have redacted), thus leading us to the co ..
Support the originator by clicking the read the rest link below.
