Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia

The Greenbug espionage group is actively targeting telecommunications companies in South Asia, with activity seen as recently as April 2020.
There are indications that at least one of the companies was first targeted as early as April 2019.
Email appears to be the initial infection vector used by the group. Greenbug is using a mixture of off-the-shelf tools and living-off-the-land techniques in these attacks. The group appears to be interested in gaining access to database servers: we see it stealing credentials and then testing connectivity to these servers using the stolen credentials.
Greenbug is believed to be based in Iran, and there has been speculation in the past that it has connections to the destructive Shamoon group, which has carried out disk-wiping attacks against organizations in Saudi Arabia. The Shamoon attacks have been extensively covered, but it was never clear how the attackers stole the credentials that allowed them to introduce their destructive malware onto victim systems. Research by Symantec in 2017 found evidence that Greenbug was on an organization’s network prior to a wiping attack that involved W32.Disttrack.B (Shamoon’s malware). This link was never definitively established, but cooperation between the two groups is considered a possibility.
Much of the activity we saw in this attack campaign is in line with activity we have seen from Greenbug in the past, including the use of email as an initial infection vector, the use of publicly available hack tools like Mimikatz and Plink, and the apparent focus on collecting credentials and maintaining a persistent, low-profile presence on victim networks. 
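The behaviour described above (credential theft with a tool such as Mimikatz, Plink tunnelling, then connectivity tests against database servers) lends itself to a simple host-based correlation rule. The following is an added illustration, not Symantec's detection logic and not part of the original post: it parses a constructed set of key=value endpoint events, flags command lines carrying Mimikatz module names (`sekurlsa::`, `lsadump::`, `privilege::debug`) and Plink port-forwarding invocations (`-R`/`-L`), and raises a higher-confidence alert when the same host connects to a common database port within two hours of a credential-dump event. Hostnames, addresses, the log format and the two-hour window are assumptions chosen for the example.

```python
"""Correlate credential-dump tool execution with later database-port probes.

Added example, not Symantec's or Greenbug-specific detection content.
The event format (key=value pairs after an ISO timestamp) and all sample
events below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one credential dump followed by DB probes on
# WS-17, a Plink reverse tunnel on WS-03, and a benign DB connection on WS-09.
SAMPLE_EVENTS = [
    r'2020-04-02T09:14:05 host=WS-17 type=process image=C:\Users\pub\m.exe cmdline="m.exe privilege::debug sekurlsa::logonpasswords"',
    r'2020-04-02T09:20:31 host=WS-17 type=netconn dst=10.0.5.21 dport=1433',
    r'2020-04-02T09:21:02 host=WS-17 type=netconn dst=10.0.5.22 dport=3306',
    r'2020-04-02T10:03:44 host=WS-03 type=process image=C:\Tools\plink.exe cmdline="plink.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.5"',
    r'2020-04-02T11:00:00 host=WS-09 type=netconn dst=10.0.5.21 dport=1433',
]

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Mimikatz module/command prefixes as they appear on a command line.
CRED_DUMP_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")
# Well-known database listener ports (assumed set for this example).
DB_PORTS = {1433: "MSSQL", 3306: "MySQL", 1521: "Oracle", 5432: "PostgreSQL"}
PROBE_WINDOW = timedelta(hours=2)  # assumed correlation window


def parse_event(line):
    """Split '<iso-timestamp> k=v k="quoted v" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {key: val.strip('"') for key, val in TOKEN_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def is_cred_dump(ev):
    """Process event whose command line names a Mimikatz credential module."""
    cmd = ev.get("cmdline", "").lower()
    return ev.get("type") == "process" and any(m in cmd for m in CRED_DUMP_MARKERS)


def is_plink_tunnel(ev):
    """Process event running plink.exe with a local or remote port forward."""
    if ev.get("type") != "process":
        return False
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    args = ev.get("cmdline", "").split()
    return image == "plink.exe" and any(a in ("-R", "-L") for a in args)


def analyze(lines):
    """Return a list of alert dicts for the given event lines."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    dump_times = defaultdict(list)  # host -> timestamps of credential dumps
    alerts = []
    for ev in events:
        host = ev["host"]
        if is_cred_dump(ev):
            dump_times[host].append(ev["ts"])
            alerts.append({"host": host, "rule": "credential_dump", "at": ev["ts"]})
        elif is_plink_tunnel(ev):
            alerts.append({"host": host, "rule": "plink_tunnel", "at": ev["ts"]})
        elif ev.get("type") == "netconn" and int(ev.get("dport", 0)) in DB_PORTS:
            port = int(ev["dport"])
            # Only escalate if this host dumped credentials shortly beforehand.
            recent = [t for t in dump_times[host]
                      if timedelta(0) <= ev["ts"] - t <= PROBE_WINDOW]
            if recent:
                alerts.append({"host": host, "rule": "db_probe_after_dump",
                               "at": ev["ts"], "dst": ev["dst"], "port": port,
                               "service": DB_PORTS[port]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input, WS-17 produces a `credential_dump` alert followed by two `db_probe_after_dump` alerts (MSSQL and MySQL), WS-03 produces a `plink_tunnel` alert, and the lone database connection from WS-09 produces nothing, which is the point of correlating rather than alerting on every connection to port 1433.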
Infection vector ..
