- Security researchers have spotted a new threat actor called Triplestrength
- The group engages in ransomware, cloud compromise and cryptomining
- There are potentially hundreds of victims
A small and relatively unknown hacking group has begun drawing attention to itself with somewhat unusual “triple” cyber attacks.
Google researchers recently described Triplestrength, a threat actor that may consist of only a handful of individuals. It has existed since 2020, although Google's researchers have been tracking it since 2023.
What sets this group apart is that, in addition to ransomware, it also hijacks victims' cloud accounts and uses them to deploy cryptominers. The group started with ransomware in 2020 and added the cryptomining side two years later.
Brute force
For ransomware, Google explains, the group mainly targets on-premises systems. For cryptomining, it targets cloud infrastructure on Google Cloud, AWS, Microsoft Azure, Linode and others.
Triplestrength does not appear to be state-sponsored and seems instead to be motivated purely by profit, seeking to make money from both ransom payments and unauthorised cloud compute.
Initial access is mainly gained through brute-force attacks on remote desktop servers or via stolen credentials. Once endpoints are compromised, Triplestrength deploys malware including Phobos, LokiLocker, RCRU64 or infostealers. For cryptomining, the group mainly uses one miner. Interestingly, there was no mention of XMRig, by far the most popular cryptojacker.
Speaking to The Register, the researchers would not say exactly how many victims Triplestrength has hit in the past four years, but they stressed that they have “identified many TRX cryptocurrency addresses which, in our view, are associated with Triplestrength”.
“And at the last count, which is now months out of date, there were more than 600 payments to these addresses,” they told the publication. “This gives you at least some idea of the volume of mining activity they are probably carrying out.”
In other words, there are hundreds of compromised cloud instances, and therefore perhaps hundreds of ransomware victims as well.
Via The Register