PULSE NAME
AMBERSQUID Cryptojacking Campaign Sets Sights on Unusual AWS Services
WHITE Superpro 2023-09-18 Modified: 2023-10-18
91 IOCs
HIGH VOLUME
A new cloud-native cryptojacking scheme has focused its attention on less common Amazon Web Services (AWS) services like AWS Amplify, AWS Fargate, and Amazon SageMaker for the unauthorized mining of cryptocurrency. Researchers have assigned the code name "AMBERSQUID" to the malicious cyber operations.
Indicators of Compromise (91)