Source: www.proofpoint.com – Author:
Aside from using REM proxy services to relay traffic to new freemail accounts, both TA829 (also known as Nebulous Mantis, Storm-0978, and UNC2596) and UNK_GreenSec have established SSH tunnels through PuTTY's PLINK utility and used IPFS services to host their tooling, according to a Proofpoint report. While TA829's intrusions resulted in the deployment of the MeltingClaw or RustyClaw downloaders, which deliver the ShadyHammock, DustyHammock, and SingleCamper backdoors, UNK_GreenSec's attacks led to the spread of the TransferLoader malware, which later launches the Morpheus and Metasploit ransomware strains. Such similarities have prompted researchers to suspect that the two threat groups either use the same third-party infrastructure provider or are the same hacking operation. “In the current threat landscape, the points at which cybercrime and espionage activity overlap continue to increase, removing the distinctive barriers that separate criminal and state actors,” said Proofpoint researchers.
Original Post URL: https://www.proofpoint.com/us/newsroom/news/ta829-unkgreensec-malware-campaigns-underpinned-same-infrastructure