
Indexsinas SMB Worm Campaign Infests Whole Enterprises
2021-06-30 20:19

The Indexsinas SMB worm is hunting for vulnerable environments to propagate into, researchers warned, with a particular focus on the healthcare, hospitality, education and telecommunications sectors.

Since 2019, Indexsinas has used a large infrastructure made up of more than 1,300 devices acting as attack sources, with each device responsible for only a few attack incidents.

"The Indexsinas attackers are careful and calculated," according to the firm.

"The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The C2 server is highly protected, patched and exposes no redundant ports to the internet. The attackers use a private mining pool for their cryptomining operations, which prevents anyone from accessing their wallets' statistics."

The writeup added, "The attack flow consists of many batch scripts, executable payloads, downloaders, services and scheduled tasks. A prominent characteristic of the campaign is its competitiveness; it terminates processes related to other attack campaigns, deletes their file system residues and stops services created by other attack groups. It also attempts to evade detection by killing programs related to process monitoring and analysis. In addition, it makes sure to delete its own files immediately after execution."
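The behaviours described above (killing process-monitoring tools, stopping and deleting other groups' services, and deleting its own batch files right after they run) are each individually noisy but not conclusive; what makes them worth an alert is seeing several of them on one host within a short window. The following detection logic is an added example, not code from the article or from the researchers, and runs over constructed Sysmon-style process-creation events. The list of monitoring tools, the host names, the service name `Xtl` and the script path are all assumptions made for the example; the article does not name the programs or services Indexsinas targets.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools an intruder kills to blind analysis. The names are an assumption for
# this example; the article does not list which programs Indexsinas targets.
MONITOR_TOOLS = {"procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe",
                 "taskmgr.exe", "wireshark.exe", "processhacker.exe", "tcpview.exe"}

RE_TASKKILL_IM = re.compile(r"/im\s+([^\s/]+)", re.I)
RE_WMIC_DELETE = re.compile(
    r"wmic\s+process\s+where\s+.*?name\s*=\s*['\"]?([^'\"\s]+)['\"]?.*\bdelete\b", re.I)
# sc/net stop|delete, with or without a full path to the binary
RE_SERVICE = re.compile(r'^"?(?:[^"\s]*\\)?(?:sc|net)(?:\.exe)?"?\s+(?:stop|delete)\s+\S+', re.I)
# del/erase of a batch file, or of the running script itself (%0 / %~f0)
RE_SELF_DELETE = re.compile(r"\b(?:del|erase)\b[^&|]*?(?:%~?f?0\b|\S+\.(?:bat|cmd)\b)", re.I)

# Constructed events (not real telemetry). ws-17 shows the full pattern;
# srv-db1 shows ordinary admin activity that must not alert.
EVENTS = [
    {"ts": "2021-06-20T03:14:01", "host": "ws-17", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\k.bat"},
    {"ts": "2021-06-20T03:14:02", "host": "ws-17", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im procmon.exe /im wireshark.exe"},
    {"ts": "2021-06-20T03:14:03", "host": "ws-17", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc stop Xtl"},        # Xtl: hypothetical competitor's service
    {"ts": "2021-06-20T03:14:03", "host": "ws-17", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc delete Xtl"},
    {"ts": "2021-06-20T03:14:05", "host": "ws-17", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /f /q "C:\Windows\Temp\k.bat"'},
    {"ts": "2021-06-20T09:00:00", "host": "srv-db1", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER"},
    {"ts": "2021-06-20T09:00:30", "host": "srv-db1", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\backup\old.bak"},
]


def classify(event):
    """Return the set of behaviour categories a process-creation event matches."""
    cmd = event["cmdline"]
    cats, targets = set(), set()
    if "taskkill" in cmd.lower():
        targets.update(t.lower().strip('"') for t in RE_TASKKILL_IM.findall(cmd))
    m = RE_WMIC_DELETE.search(cmd)
    if m:
        targets.add(m.group(1).lower())
    if targets & MONITOR_TOOLS:
        cats.add("kill_monitoring")
    if RE_SERVICE.search(cmd):
        cats.add("service_tamper")
    if RE_SELF_DELETE.search(cmd):
        cats.add("self_delete")
    return cats


def correlate(events, window_seconds=120, min_categories=2):
    """Alert on hosts showing at least `min_categories` distinct behaviours
    inside a sliding window. One category alone (an admin running `net stop`)
    is normal; the combination is what the campaign description implies."""
    by_host = defaultdict(list)
    for ev in events:
        cats = classify(ev)
        if cats:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cats, ev["cmdline"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            seen, cmds = set(), []
            for t, cats, cmd in hits[i:]:
                if t - t0 > window:
                    break
                seen |= cats
                cmds.append(cmd)
            if len(seen) >= min_categories:
                alerts[host] = {"start": t0.isoformat(), "categories": sorted(seen), "commands": cmds}
                break
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(EVENTS).items():
        print(host, alert["start"], alert["categories"])
        for line in alert["commands"]:
            print("   ", line)
```

The window and threshold are tuning knobs: on a busy file server `net stop` and `del` of scripts will both occur legitimately, so the alert fires only on the combination, and the `kill_monitoring` category is the strongest single signal because there is rarely a benign reason for an unattended script to kill Process Monitor.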

"There are more than 1 million SMB servers accessible to anyone on the internet, and many of them still vulnerable to MS17-010; this is exactly what makes Indexsinas and similar attack campaigns profitable."


News URL

https://threatpost.com/indexsinas-smb-worm-enterprises/167455/