Worldwide “multi-malware” campaign targets organizations using backdoor, keylogger, and miner

The latest Kaspersky report revealed that an ongoing malicious “multi-malware” campaign has conducted more than 10,000 attacks primarily targeting global organizations. The campaign employs backdoors, keyloggers, and miners. Using new malicious scripts designed to disable security features and facilitate malware downloads, its aim is financial exploitation. 

Following an FBI report on the attacks – aimed at infecting victim organizations with miners to use its resources for mining, keyloggers to pilfer data, and backdoors to gain system access – Kaspersky experts have been tracking the campaign and discovered that it is still ongoing. 

Primarily targeting organizations including government agencies, agricultural organizations, and wholesale and retail trade companies from May to October, Kaspersky’s telemetry shows more than 10,000 attacks have affected more than 200 users. Cybercriminals predominantly targeted victims in Russia, Saudi Arabia, Vietnam, Brazil, and Romania, with occasional attacks also identified in the U.S., India, Morocco, and Greece. 

Kaspersky has also exposed new malicious scripts that appear to infiltrate systems by exploiting vulnerabilities on servers and workstations. Once inside, the scripts try to manipulate Windows Defender, gain administrator privileges, and disrupt the functionality of various antivirus products. 

Following this, the scripts then attempt to download a backdoor, keylogger, and miner from a now-offline website. The miner leverages the system’s resources to generate various cryptocurrencies such as Monero (XMR). Meanwhile, the keylogger captures the entire sequence of keystrokes made by the user on the keyboard and mouse buttons, while the backdoor establishes communication with a Command and Control (C2) server to receive and transmit data. This enables the attacker to gain remote control over the compromised system. 

“This multi-malware campaign is rapidly evolving with the introduction of new modifications. The attackers’ motivation appears to be rooted in the pursuit of financial gain by any means possible. Our expert research suggests this could extend beyond cryptocurrency mining and may involve activities such as selling stolen login credentials on the dark web or executing advanced scenarios using the backdoor’s capabilities,” says Vasily Kolesnikov, a security expert at Kaspersky. “Our products, such as Kaspersky Endpoint Security, can detect the infection attempts, including those made with the new modifications, thanks to their extensive protective capabilities.”

The technical analysis of the campaign is available on the Securelist.com. To avoid ever evolving cyberthreats, it is worth implementing the following security measures: 

• Always keep software updated on all the devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities.
• Install patches for new vulnerabilities as soon as possible. Once they are downloaded, threat actors can no longer abuse the vulnerability. 
• Perform a regular security audit of an organization’s IT infrastructure to reveal gaps and vulnerable systems;
• Choose a proven endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behavior-based detection and anomaly control capabilities for effective protection against known and unknown threats. The solution has application and web control to minimize the chance for cryptominers to be launched; behavior analysis helps quickly detect malicious activity, while vulnerability and patch manager protects from cryptominers that exploit vulnerabilities. 
• Since the stolen credentials may be put up for sale on the dark web, use Kaspersky Digital Footprint Intelligence to monitor shadow resources and promptly identify related threats