Incident Details Detected Malware Files Being Served from the Main Page of saudiembassy[.]net via an Injected iframe
We have developed TIPpers, which are incidents the ThreatConnect Research team flags for your awareness, so your organization can take decisive action.
TIPper: PhotoMiner worm malware infects saudiembassy[.]net
ThreatConnect detected malware files being served from the main page of saudiembassy[.]net via an injected iframe. The files are bitcoin mining malware that spread via a type of worm called PhotoMiner. The PhotoMiner campaign is described in the following blog post: https://www.guardicore.com/2016/06/the-photominer-campaign/
The PhotoMiner worm infects FTP and web sites via a few methods. It leverages brute force attacks against known login/password pairs. It additionally attacks windows endpoints by bruteforcing SMB connections. A third method for infection is to open a public WiFi access point with the name “Free_WIFI_abc12345”. Windows endpoints that connect to the access point are then attacked via SMB brute force.
For additional details, current ThreatConnect users can access this incident by selecting this LINK in the ThreatConnect Platform.
If you do not have a ThreatConnect account, click HERE to access our Free Edition as well as 30-day access to our Subscriber Community. ThreatConnect’s Free Edition allows you to establish a basic threat intelligence practice, collaborate with your internal team, protect your organization with open source threat data, bulk import cyberthreat indicators, contribute to the ThreatConnect Community, and receive support and validation from outside researchers and analysts also using the platform. The Subscriber Community includes timely notification of threat incidents identified by the ThreatConnect Research team, an exclusive service offered at no additional charge to paying customers.