PULSE NAME
AMBERSQUID Cryptojacking Campaign Sets Sights on Unusual AWS Services
WHITE Superpro 2023-09-18 Modified: 2023-10-18
91 IOCs (HIGH VOLUME)
A new cloud-native cryptojacking scheme has focused its attention on less common Amazon Web Services (AWS) services like AWS Amplify, AWS Fargate, and Amazon SageMaker for the unauthorized mining of cryptocurrency. Researchers have assigned the code name "AMBERSQUID" to the malicious cyber operations.
Indicators of Compromise (62 / 91 total)