This article details the malicious activities linked to the Proton66 ASN, including mass scanning, exploitation attempts, and several malware campaigns targeting various sectors: Android users lured through compromised WordPress sites, and malware families such as XWorm and Strela Stealer. Affected: Android users, Korean-speaking users, German-speaking countries, organizations worldwide.
Key points:
- Proton66 ASN observed increased malicious activities including scanning and exploitation.
- Compromised WordPress websites were used to target Android device users with phishing schemes.
- Specific phishing domains were created to mimic the Google Play Store.
- XWorm campaign targeted Korean-speaking users through deceptive chat rooms and social engineering.
- Strela Stealer was utilized to exfiltrate credentials from email clients in German-speaking countries.
- WeaXor ransomware, which extorts victims for payment, was linked to infrastructure on the Proton66 network.
- Trustwave recommends blocking CIDR ranges associated with Proton66 and Chang Way Technologies.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Web Protocols: malware C2 traffic carried over HTTP/HTTPS to servers hosted in Proton66 address space.
- T1499 – Endpoint Denial of Service: exploitation attempts aimed at exhausting resources on targeted hosts, observed alongside the mass scanning activity.
- T1189 – Drive-by Compromise: vulnerable WordPress sites were compromised to deliver malicious payloads to visitors.
- T1203 – Exploitation for Client Execution: scripts injected into the compromised sites redirect visitors to phishing pages.
- T1001 – Data Obfuscation: the redirector scripts are obfuscated to evade detection.
Indicators of Compromise:
- [IP] 91.212.166.21
- [IP] 91.212.166.146
- [URL] www-kodi.com/getupd.js
- [SHA256] e55b6664c77a9f3a98b32f46a20c2e392dcc7f1717fb69447e4e4229c7b6985d
- [URL] my-tasjeel-ae.com/getid.js
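The IOC list above and the blocking recommendation are only useful once they are turned into a check that runs over real telemetry. The following is an added example, not code from the report or from Trustwave: it loads the listed IPs, URLs and SHA256 into sets, normalises logged URLs so that scheme, port, case and query-string differences do not hide a match, and scans a constructed proxy log for hits. The report recommends blocking the CIDR ranges of Proton66 and Chang Way Technologies but this summary does not list them, so the `91.212.166.0/24` block-list entry is an assumed placeholder (the /24 containing the two IOC IPs), and the log format and sample lines are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the report's IOC list.
IOC_IPS = {"91.212.166.21", "91.212.166.146"}
IOC_URLS = {"www-kodi.com/getupd.js", "my-tasjeel-ae.com/getid.js"}
IOC_SHA256 = {"e55b6664c77a9f3a98b32f46a20c2e392dcc7f1717fb69447e4e4229c7b6985d"}

# ASSUMPTION: the report recommends blocking Proton66 / Chang Way CIDRs but this
# summary does not list them. The /24 around the two IOC IPs is a placeholder;
# replace it with the ranges published in the full report.
BLOCK_CIDRS = [ipaddress.ip_network("91.212.166.0/24")]


def in_blocked_range(ip: str) -> bool:
    """True if ip parses and lies inside one of the block-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCK_CIDRS)


def normalise_url(url: str) -> str:
    """Reduce a logged URL to lowercase host plus path, dropping scheme, port,
    query string and fragment, so it can be compared with the IOC form."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip(), flags=re.I)
    host_path = url.split("?", 1)[0].split("#", 1)[0]
    host, _, path = host_path.partition("/")
    host = host.split(":", 1)[0].lower()  # drop port (IPv6 literals not handled)
    return f"{host}/{path}" if path else host


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str


# Constructed log format: <timestamp> <client_ip> <dst_ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return one Hit per IOC/CIDR match; malformed lines are skipped, not fatal."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        dst, client = m["dst"], m["client"]
        if dst in IOC_IPS:
            hits.append(Hit(n, client, f"destination IP {dst} is a listed IOC"))
        elif in_blocked_range(dst):
            hits.append(Hit(n, client, f"destination IP {dst} falls in a blocked CIDR"))
        url = normalise_url(m["url"])
        if url in IOC_URLS:
            hits.append(Hit(n, client, f"URL matches IOC {url}"))
    return hits


def match_hashes(hashes):
    """Case-insensitive SHA256 lookup against the IOC set (e.g. from an EDR export)."""
    return sorted(h.lower() for h in hashes if h.lower() in IOC_SHA256)


# Constructed sample log: one direct IOC hit, one benign line, one in-range but
# unlisted IP, one oddly-cased URL with port and query, and one unparsable line.
SAMPLE_LOG = [
    "2024-04-15T10:22:01Z 10.0.0.5 91.212.166.21 GET http://www-kodi.com/getupd.js 200",
    "2024-04-15T10:22:03Z 10.0.0.5 198.51.100.20 GET https://play.google.com/store 200",
    "2024-04-15T10:23:17Z 10.0.0.9 91.212.166.200 GET http://example.invalid/ 404",
    "2024-04-15T10:24:40Z 10.0.0.7 203.0.113.10 GET HTTP://My-Tasjeel-AE.com:80/getid.js?r=1 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no} client {hit.client}: {hit.reason}")
```

The CIDR check is applied only when the destination is not already an exact IOC match, so a single log line reports the most specific reason first; the URL check is independent, so a line hitting both a listed IP and a listed URL produces two hits, which is what you want when triaging which indicator actually fired.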