{
  "name": "CURLing for Crypto on Honeypots",
  "slug": "curling-for-crypto-on-honeypots",
  "description": "An analysis of honeypot activity reveals a pattern of repeated curl commands targeting various websites, with most of the commands originating from a single IP address. The commands, executed on multiple honeypots, focus on cryptocurrency-related sites, bot construction platforms, and communication services. Each site received thousands of requests, which may indicate a distributed denial-of-service attempt or a cryptocurrency mining operation. The report details the methods used to analyze the data, including log parsing and visualization techniques, and provides a comprehensive list of the targeted websites along with their purposes. The URLs and domains listed as observables appear to be the sites those commands requested, so they are better read as request targets than as confirmed attacker infrastructure. The activity began in November 2024 and was still ongoing at the time of publication, which suggests a sustained campaign whose motives remain unclear.",
  "published": "2024-12-09T07:26:54+00:00",
  "created_at": "2024-12-09T07:26:54+00:00",
  "modified_at": "2024-12-09T10:02:32+00:00",
  "created_at_opencti": "2024-12-09T07:26:54+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-12-09",
    "botnet",
    "cowrie",
    "cryptocurrency",
    "curl",
    "ddos",
    "honeypot",
    "mining",
    "siem",
    "telegram"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "77.91.85.134"
      },
      {
        "id": "",
        "name": "193.222.99.121"
      },
      {
        "id": "",
        "name": "178.159.43.149"
      },
      {
        "id": "",
        "name": "www.gift-bnb.org"
      },
      {
        "id": "",
        "name": "https://www.gogetsms.com/"
      },
      {
        "id": "",
        "name": "https://www.gift-bnb.org/"
      },
      {
        "id": "",
        "name": "https://umbrella.day/"
      },
      {
        "id": "",
        "name": "https://token-mining.org:443"
      },
      {
        "id": "",
        "name": "https://steam-up.ru"
      },
      {
        "id": "",
        "name": "https://tgmaster.xyz"
      },
      {
        "id": "",
        "name": "https://static.tgcube.store/"
      },
      {
        "id": "",
        "name": "https://niolic.com"
      },
      {
        "id": "",
        "name": "https://sambot.ru"
      },
      {
        "id": "",
        "name": "https://mystars-hk.syllix.io"
      },
      {
        "id": "",
        "name": "https://freeapi.bot-t.com/"
      },
      {
        "id": "",
        "name": "https://jvault.xyz"
      },
      {
        "id": "",
        "name": "https://jambler.io"
      },
      {
        "id": "",
        "name": "https://duda.com.ua/"
      },
      {
        "id": "",
        "name": "https://eth0.me"
      },
      {
        "id": "",
        "name": "https://exchange-pool.com/"
      },
      {
        "id": "",
        "name": "https://bottap.ru/"
      },
      {
        "id": "",
        "name": "https://botman.pro"
      },
      {
        "id": "",
        "name": "https://btcbot.cc"
      },
      {
        "id": "",
        "name": "https://app.tbiz.pro"
      },
      {
        "id": "",
        "name": "http://stk-ms.ru"
      },
      {
        "id": "",
        "name": "https://santasol.fun/"
      },
      {
        "id": "",
        "name": "static.tgcube.store"
      },
      {
        "id": "",
        "name": "mystars-hk.syllix.io"
      },
      {
        "id": "",
        "name": "keys.neovpn.online"
      },
      {
        "id": "",
        "name": "freeapi.bot-t.com"
      },
      {
        "id": "",
        "name": "umbrella.day"
      },
      {
        "id": "",
        "name": "steam-up.ru"
      },
      {
        "id": "",
        "name": "santasol.fun"
      },
      {
        "id": "",
        "name": "niolic.com"
      },
      {
        "id": "",
        "name": "jvault.xyz"
      },
      {
        "id": "",
        "name": "express12.com"
      },
      {
        "id": "",
        "name": "exchange-pool.com"
      }
    ],
    "attack_patterns": [
      {
        "id": "1e043fe4-2413-4b8e-887c-0fe45d095a24",
        "name": "T1583"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "d570881a-1f73-41ca-ad6c-fc29256c76f9",
        "name": "T1595"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://isc.sans.edu/diary/rss/31502",
    "https://otx.alienvault.com/pulse/6756a9ce0dcbf9623754a54e"
  ]
}