The threat mentioned in the subject is hitting a lot of VPS on Intel x64 systems right now. I received many reports too, so it is necessary to write up much detail to help IR and admins dealing with these incidents. I wrote a report for incident handling purposes in the Imgur album below, as it contains many artifacts that can be useful for your incident case and many pictures you can use as reference for handling this infection.
The report URL:
https://imgur.com/a/H7YuWuj
Sample of incident:
https://community.atlassian.com/t5/C.../qaq-p/1054605
The adversary calls themselves "SystemTen" (systemten[.]org), originating from mainland China (PRC). Previously they allegedly used the name "rocke" (I wasn't on those cases, so you will have to rely on internet reports about the previous incidents).
"SystemTen" is using the infrastructure below as their C2 and miner:
systemten[.]org:8080
systemten[.]org:51640
Their previous attacks have been detected coming from the IP addresses below:
134.209.104.20 | AS14061 | 134.209.96.0/20 | DIGITALOCEAN-ASN | US | DigitalOcean, LLC, US
185.193.125.146 | AS37560 | 185.193.125.0/24 | CYBERDYNE, | LR | LR
104.31.92.233 | AS13335 | 104.31.80.0/20 | CLOUDFLARENET | US | Cloudflare, Inc., US
Their servers are registered under the name servers below:
systemten.org. NS 1-you.njalla.no.
systemten.org. NS 2-can.njalla.in.
systemten.org. NS 3-get.njalla.fo.
systemten.org. NS gail.ns.cloudflare.com.
systemten.org. NS karl.ns.cloudflare.com.
Their downloader is served under these two domain names, also on CloudFlare:
ooxx.ooo | 104.18.38.218 104.18.39.218 | AS13335 | 104.18.32.0/20 | CLOUDFLARENET | US | Cloudflare, Inc., US
z9ls.com | 104.31.81.164 104.31.80.164 | AS13335 | 104.31.80.0/20 | CLOUDFLARENET | US | Cloudflare, Inc., US
The above data is important for mitigation of the threat. Thank you - malwaremustdie.org
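As an added example (not part of the original post), the indicators listed above turned into a small triage script: it refangs "[.]" notation, matches the C2 and downloader domains including subdomains, checks the listed C2 ports, and flags the known attack-source IPs. The key=value log format and the 10.0.0.x hosts in the sample log are constructed assumptions; the Cloudflare addresses are shared CDN edges, so an IP-only hit is tagged as low confidence.

```python
import re
# Indicators copied from the post above; the sample log at the bottom is constructed.
C2_HOST, C2_PORTS = "systemten.org", {8080, 51640}
DOWNLOADER_DOMAINS = {"ooxx.ooo", "z9ls.com"}
ATTACK_SOURCE_IPS = {"134.209.104.20", "185.193.125.146", "104.31.92.233"}
# Downloader IPs are shared Cloudflare edges, so an IP-only hit is low confidence.
DOWNLOADER_IPS = {"104.18.38.218", "104.18.39.218", "104.31.81.164", "104.31.80.164"}
KV = re.compile(r"(\w+)=(\S+)")  # hypothetical key=value firewall/proxy log format

def refang(value):
    # Normalise defanged notation such as systemten[.]org or hxxp:// before matching.
    return value.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

def in_domain(host, domain):
    # Match the domain itself and any subdomain, never a look-alike suffix.
    host = refang(host)
    return host == domain or host.endswith("." + domain)

def parse_line(line):
    # Turn one log line into a dict; dport becomes an int for port comparison.
    event = dict(KV.findall(line))
    if "dport" in event:
        event["dport"] = int(event["dport"])
    return event

def classify(event):
    # Return the list of indicator tags an event matches (empty when clean).
    tags, host = [], event.get("host", "")
    if in_domain(host, C2_HOST):
        tags.append("c2-domain" if event.get("dport") in C2_PORTS else "c2-domain-unlisted-port")
    if any(in_domain(host, d) for d in DOWNLOADER_DOMAINS):
        tags.append("downloader-domain")
    if event.get("dst") in DOWNLOADER_IPS:
        tags.append("downloader-ip-low-confidence")
    if event.get("src") in ATTACK_SOURCE_IPS:
        tags.append("known-attack-source")
    return tags

def scan(lines):
    # (line_number, tags) for every line that matched at least one indicator.
    tagged = ((n, classify(parse_line(line))) for n, line in enumerate(lines, 1))
    return [(n, tags) for n, tags in tagged if tags]

# Constructed sample log (10.0.0.x are hypothetical internal hosts).
SAMPLE_LOG = [
    "ts=2019-03-11T10:00:01Z src=10.0.0.5 dst=104.31.81.164 host=z9ls.com dport=80",
    "ts=2019-03-11T10:00:02Z src=10.0.0.5 dst=203.0.113.9 host=systemten[.]org dport=8080",
    "ts=2019-03-11T10:00:03Z src=134.209.104.20 dst=10.0.0.5 dport=22",
    "ts=2019-03-11T10:00:04Z src=10.0.0.7 dst=198.51.100.4 host=example.org dport=443",
]
```

Running `scan(SAMPLE_LOG)` flags the first three lines (downloader domain plus low-confidence IP, C2 domain on a listed port, and a known attack source) and leaves the fourth untouched.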