A recent cryptojacking campaign has been targeting Apache web servers, specifically those running on Windows. The campaign was identified and is being monitored by the AhnLab Security Emergency Response Center (ASEC), a South Korean security agency. The attack installs the XMRig Coinminer on the targeted servers. The threat actors use Cobalt Strike, a legitimate penetration-testing tool that attackers have repurposed, as the medium for delivering the attacks. The campaign targets poorly managed or vulnerable web servers, particularly those with unpatched vulnerabilities. This is a significant security threat because Apache web servers are widely deployed across many environments, including Linux, although in this case the focus has been on Windows systems.
TAGS
- apache web server, xmrig, cobalt strike, gh0st rat