The latest Kaspersky report has revealed that an ongoing malicious “multi-malware” campaign has conducted more than 10,000 attacks primarily targeting global organisations.
The campaign employs backdoors, keyloggers, and miners. Using new malicious scripts designed to disable security features and facilitate malware downloads, its aim is financial exploitation.
Following an FBI report on the attacks – aimed at infecting victim organisations with miners to use their resources for cryptomining, keyloggers to pilfer data, and backdoors to gain system access – Kaspersky experts have been tracking the campaign and discovered that it is still ongoing.
Kaspersky’s telemetry shows more than 10,000 attacks affecting more than 200 users from May to October, primarily targeting organisations including government agencies, agricultural organisations, and wholesale and retail trade companies.
Cybercriminals predominantly targeted victims in Russia, Saudi Arabia, Vietnam, Brazil, and Romania, with occasional attacks also identified in the U.S., India, Morocco, and Greece.
Kaspersky has also exposed new malicious scripts that appear to infiltrate systems by exploiting vulnerabilities on servers and workstations.
Once inside, the scripts try to manipulate Windows Defender, gain administrator privileges, and disrupt the functionality of various antivirus products.
Following this, the scripts then attempt to download a backdoor, keylogger, and miner from a now-offline website. The miner leverages the system’s resources to generate various cryptocurrencies such as Monero (XMR).
Meanwhile, the keylogger captures the user’s entire sequence of keystrokes and mouse-button presses, while the backdoor establishes communication with a Command and Control (C2) server to receive and transmit data. This enables the attacker to gain remote control over the compromised system.
“This multi-malware campaign is rapidly evolving with the introduction of new modifications. The attackers’ motivation appears to be rooted in the pursuit of financial gain by any means possible.
“Our expert research suggests this could extend beyond cryptocurrency mining and may involve activities such as selling stolen login credentials on the dark web or executing advanced scenarios using the backdoor’s capabilities,” says Vasily Kolesnikov, a security expert at Kaspersky.
“Our products, such as Kaspersky Endpoint Security, can detect the infection attempts, including those made with the new modifications, thanks to their extensive protective capabilities.”