We have been watching a campaign that appears to be generating quite a bit of revenue for the threat actors. We started seeing this a few weeks back, but the level of activity is increasing, so we thought we would share some information with our readers.
A known accomplice
The domain associated with this activity, www.pvtntwk[.]com, is known to the Jigsaw Security team as well as to VirusVault. We started seeing reports of malware being pushed from this domain a few weeks back. The reason this campaign has been so effective is that it is served from a Cloudflare-hosted CDN and so far has been detected by only a few security firms.
We started seeing the activity on 7-11-2018 and it has been ongoing ever since. You can see the low detection rate here. It began triggering heuristic detection on our FirstWatch sensors on 7-11-2018 and has reported every day since, indicating that the campaign is active and picking up steam.
Jigsaw Security has previously warned about content distribution network activity. Just today we also observed another miner using GitHub to propagate malware that may be connected to this activity. The MAC address of the server is 10:60:4B:6B:53:35, which has also shown up in other data in the Jigsaw Analytic Platform.
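One way a defender can turn the indicators above into a detection is to re-fang them and match outbound proxy traffic against both the exact download URL and the hosting domain, so that any executable fetched from that host is flagged even if the filename changes. This is an added example, not code from Jigsaw Security; the log format and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators from the post, written defanged as threat-intel feeds usually are.
DEFANGED_IOCS = [
    "http://www.pvtntwk[.]com/dash/minergate[.]exe",
    "www[.]pvtntwk[.]com",
]

def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

def build_matchers(iocs):
    """Split indicators into a host set and a full-URL set."""
    hosts, urls = set(), set()
    for ioc in map(refang, iocs):
        if "://" in ioc:
            urls.add(ioc)
            hosts.add(urlparse(ioc).hostname)
        else:
            hosts.add(ioc)
    return hosts, urls

# Constructed access-log layout: epoch timestamp, client IP, method, URL.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)")

def scan_log(lines, iocs):
    """Return (client, url, reason) for each line touching a known indicator."""
    hosts, urls = build_matchers(iocs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m["url"].lower()
        host = urlparse(url).hostname or ""
        if url in urls:
            hits.append((m["client"], url, "known malicious url"))
        elif host in hosts:
            # Same host but a different path: still worth a look, more so for binaries.
            reason = "executable from ioc host" if url.endswith(".exe") else "ioc host"
            hits.append((m["client"], url, reason))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1531306800 10.0.0.5 GET http://www.pvtntwk.com/dash/minergate.exe",
    "1531306801 10.0.0.5 GET http://www.pvtntwk.com/dash/config.txt",
    "1531306802 10.0.0.7 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(hit)
```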
Additional IOCs related to this event:
Customers using the FirstWatch sensor are not vulnerable to these threats.