Full Report
The threat actor TRIPLESTRENGTH uses stolen credentials and cookies, partly sourced from Raccoon infostealer logs, to gain unauthorized access to victim cloud environments. Initially, they used legitimate compromised accounts to create compute resources for cryptocurren...
Analysis Summary
# Tool/Technique: Raccoon Stealer
## Overview
Raccoon Stealer (spelled "Racoon" in the source report) is an information-stealing malware family that harvests sensitive data, including saved credentials, browser cookies and other session artifacts, from compromised Windows systems. TRIPLESTRENGTH sources part of the stolen credentials and cookies it uses for initial access to victim cloud environments from logs generated by this malware; the group is a consumer of the logs rather than necessarily the operator of the stealer.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Credential theft, browser cookie theft, exfiltration of session artifacts that enable session hijacking.
- First Seen: Information not available in the provided context.
## MITRE ATT&CK Mapping
- TA0043 - Reconnaissance
- T1589.001 - Gather Victim Identity Information: Credentials (TRIPLESTRENGTH obtains the credentials and cookies from stealer logs rather than collecting them itself)
- TA0006 - Credential Access
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1539 - Steal Web Session Cookie
## Functionality
### Core Capabilities
- Harvesting of user credentials and session cookies from various sources on the infected machine.
- Providing these stolen artifacts to threat actors for subsequent use in session hijacking or unauthorized access.
### Advanced Features
- The source notes that TRIPLESTRENGTH obtains its logs from this stealer, implying the stealer collected cookies valid for cloud console sessions and therefore usable for session hijacking.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A in the provided context (the stealer's own C2 infrastructure belongs to its operators and is separate from the cloud-access activity described here)
- Behavioral Indicators: Execution leading to the exfiltration of local data stores (browsers, credential managers).
## Associated Threat Actors
- TRIPLESTRENGTH (Consumer of the collected data)
- Other threat actors who deploy Racoon Stealer.
## Detection Methods
- Signature-based detection of known Raccoon Stealer binaries.
- Behavioral detection of processes other than the browser itself reading or copying browser credential databases, cookie stores or OS credential managers.
- YARA rules targeting known strings or structures in the Raccoon Stealer payload.
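The behavioral check above, written out as an added example (not code from the original report): it scans EDR-style file-access telemetry and flags any process that is not a browser reading or copying a browser credential or cookie store. The event shape, the allow-list of browser executables and the sample events are constructed for illustration; the store file names are the standard Chromium and Firefox ones.

```python
"""Flag non-browser processes reading browser credential and cookie stores.

Added example for this page, not code from the original report. The event
shape (EDR-style file-access records) and the sample telemetry are constructed.
"""
import ntpath

# Well-known Chromium and Firefox credential/cookie store file names that
# infostealers harvest. Matching is on the base name, case-insensitive.
CREDENTIAL_STORE_NAMES = {
    "login data",      # Chromium saved passwords (SQLite)
    "cookies",         # Chromium cookies (SQLite)
    "web data",        # Chromium autofill / card data
    "logins.json",     # Firefox saved logins
    "cookies.sqlite",  # Firefox cookies
    "key4.db",         # Firefox NSS key database
}

# Processes that are expected to open those files. Assumption: a short
# allow-list of browser executables; anything else touching the stores is
# suspicious.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Operations that give a process the store contents. Stealers usually copy the
# locked SQLite file elsewhere before parsing it, so "copy" counts as access.
ACCESS_OPS = {"read", "copy", "open"}


def is_credential_store(path: str) -> bool:
    """True if the path's base name is a known browser credential/cookie store."""
    return ntpath.basename(path).lower() in CREDENTIAL_STORE_NAMES


def detect_store_access(events):
    """Return (process, path) for each store access by a non-browser process."""
    hits = []
    for ev in events:
        proc = ntpath.basename(ev.get("process", "")).lower()
        path = ev.get("path", "")
        if ev.get("op") in ACCESS_OPS and is_credential_store(path) and proc not in BROWSER_PROCESSES:
            hits.append((ev["process"], path))
    return hits


# Constructed sample telemetry (not real data): one benign browser read, two
# stealer-like accesses from a binary dropped in %TEMP%, one unrelated write.
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "op": "copy",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"process": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "op": "read",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"process": r"C:\Windows\explorer.exe", "op": "write",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for proc, path in detect_store_access(SAMPLE_EVENTS):
        print(f"ALERT non-browser access to credential store: {proc} -> {path}")
```

In production the allow-list needs the browser's real install path as well as its name, since a stealer can name itself `chrome.exe`; the base-name match here is the minimum that catches the common case.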
## Mitigation Strategies
- Enforce multi-factor authentication (MFA) across all cloud environments; note that MFA blocks replay of a stolen password but not replay of a post-authentication session cookie, so pair it with the session controls below.
- Use dedicated, hardened workstations for cloud administration rather than general-purpose endpoints, where an infostealer is far more likely to land.
- Keep cloud console session lifetimes short and avoid saving cloud credentials in the browser, so that stolen cookies and stored passwords lose their value quickly.
- Deploy endpoint detection and response (EDR) capable of detecting infostealer behaviors.
## Related Tools/Techniques
- Other information stealers (e.g., Vidar, RedLine).
- Techniques involving browser exploitation or credential harvesting.
***
# Tool/Technique: Phobos Ransomware
## Overview
Phobos is a known ransomware strain observed as part of the toolset used by TRIPLESTRENGTH affiliates. While the primary impact described is resource hijacking for crypto-mining, the inclusion of Phobos suggests potential overlap with or diversification into data encryption/extortion activities, or it may be used opportunistically.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Typically)
- Capabilities: File encryption, ransom demand presentation.
- First Seen: Information not available in the provided context.
## MITRE ATT&CK Mapping
- TA0009 - Collection (potentially used to gather data before encryption; not evidenced in the provided context)
- TA0040 - Impact
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Encrypting files on accessible file systems of compromised hosts.
- Dropping ransom notes demanding payment for the decryption key.
### Advanced Features
- Not specifically detailed in the context of TRIPLESTRENGTH's cloud focus.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A in the provided context.
- Behavioral Indicators: A process rewriting large numbers of user files in quick succession, producing high-entropy output and appending new extensions, followed by ransom note creation.
## Associated Threat Actors
- TRIPLESTRENGTH (Observed use)
- Various unaffiliated ransomware groups.
## Detection Methods
- Signature matching against known Phobos file hashes or strings.
- Monitoring for rapid, widespread file renaming or locking activity on systems.
## Mitigation Strategies
- Regular, offline, and immutable backups (for recovery from encryption).
- Network segmentation to limit lateral movement risk if the ransomware spreads.
## Related Tools/Techniques
- LokiLocker (Also listed in the threat actor's observed tools).
***
# Tool/Technique: LokiLocker Ransomware
## Overview
LokiLocker is another ransomware variant noted in the observed techniques for TRIPLESTRENGTH. Similar to Phobos, its presence suggests the group has access to, or utilizes, ransomware tools, though their primary mining operation relied on stolen cloud access.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Typically)
- Capabilities: File encryption and ransom demands; LokiLocker is offered as ransomware-as-a-service and has been publicly reported to carry an optional wiper component that destroys data if the ransom is not paid.
- First Seen: Information not available in the provided context.
## MITRE ATT&CK Mapping
- TA0040 - Impact
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Encrypting files on the compromised endpoint.
- Demanding a ransom payment.
### Advanced Features
- Not specifically detailed in the context of TRIPLESTRENGTH's cloud focus.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: A process rewriting large numbers of user files in quick succession with high-entropy output, as for Phobos.
## Associated Threat Actors
- TRIPLESTRENGTH (Observed use)
## Detection Methods
- Signature matching against known LokiLocker binaries.
- Monitoring for processes that rapidly encrypt large numbers of files.
## Mitigation Strategies
- Offline, immutable backups (as for Phobos).
- Application control to prevent execution of unknown binaries.
## Related Tools/Techniques
- Phobos (Also listed in the threat actor's observed tools).
***
# Tool/Technique: unMiner
## Overview
unMiner is a known cryptominer often deployed on compromised infrastructure. TRIPLESTRENGTH utilizes this tool, likely after gaining access to cloud resources via stolen credentials, to deploy extensive compute resources specifically for cryptocurrency mining operations.
## Technical Details
- Type: Malware (Cryptominer)
- Platform: Linux/Windows (server operating systems common on cloud VMs)
- Capabilities: Consumes the victim instance's CPU/GPU to mine cryptocurrency for the threat actor's wallet; typically run under a name chosen to look like a system process.
- First Seen: Information not available in the provided context.
## MITRE ATT&CK Mapping
- TA0040 - Impact
- T1496 - Resource Hijacking
- T1496.001 - Resource Hijacking: Compute Hijacking (mining on attacker-created cloud compute)
## Functionality
### Core Capabilities
- Establishing persistence on cloud virtual machines (VMs).
- Executing cryptocurrency mining operations using the victim's allocated computational power.
### Advanced Features
- The primary advancement here is the *application* within a privileged cloud context: leveraging stolen billing access to deploy *extensive* compute resources unchecked.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Not provided in the context; typically chosen to mimic system processes or unrelated legitimate tools.
- Registry Keys: N/A
- Network Indicators: Outbound connections from cloud instances to cryptomining pools (commonly Monero pools, typically over the Stratum protocol).
- Behavioral Indicators: High, sustained CPU usage even when the application seems idle; network connections originating from internal cloud instances communicating outbound to mining pools.
## Associated Threat Actors
- TRIPLESTRENGTH (Primary user mentioned)
## Detection Methods
- Monitoring cloud provider billing alerts for unexpected spikes in compute usage (the key indicator for this group).
- Detection of known unMiner process names or command lines, and of the instance's communication with mining pools.
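The network side of that detection, as an added example (not code from the original report or from the unMiner tool): it scores outbound flows from cloud instances on three signals, a Stratum JSON-RPC payload in the first client message (strong), a destination port commonly used by public pools (weak on its own), and a long-lived, low-volume connection, which is how a miner keeps its pool session open while submitting shares. The flow record shape, the port list and the sample flows are constructed; the Stratum method names are those of the Bitcoin-style `mining.*` and Monero/XMRig-style `login`/`submit` protocol families.

```python
"""Flag cloud instances talking Stratum to cryptomining pools.

Added example for this page; not code from the original report or the unMiner
tool. The flow records, the port list and the sample payloads are constructed
and the field names are assumptions.
"""
import json
from collections import defaultdict

# TCP ports commonly used by public mining pools for Stratum. Assumption: a
# starting list, not exhaustive; legitimate services can use them too, so a
# port match alone is only a weak signal.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}

# JSON-RPC methods of the Stratum protocol families: Bitcoin-style mining.*
# and the Monero/XMRig-style login/submit/keepalived.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}


def looks_like_stratum(payload: str) -> bool:
    """True if the first client message parses as a Stratum JSON-RPC call."""
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def score_flows(flows, min_duration_s=600):
    """Return {src: score}; a higher score means stronger mining evidence."""
    scores = defaultdict(int)
    for f in flows:
        if f.get("direction") != "outbound":
            continue
        s = 0
        if looks_like_stratum(f.get("payload", "")):
            s += 3  # strong: the protocol itself
        if f.get("dst_port") in STRATUM_PORTS:
            s += 1  # weak: pool-style port
        if f.get("duration_s", 0) >= min_duration_s and f.get("bytes", 0) < 1_000_000:
            s += 1  # long-lived, low-volume session typical of share submission
        scores[f["src"]] += s
    return dict(scores)


def flag_miners(flows, threshold=3):
    """Sources whose accumulated score meets the threshold, sorted."""
    return sorted(src for src, s in score_flows(flows).items() if s >= threshold)


# Constructed sample flows (not real data).
SAMPLE_FLOWS = [
    # Suspicious: XMRig-style login to a pool port, long-lived and low volume.
    {"src": "10.0.1.23", "direction": "outbound", "dst_port": 14444,
     "duration_s": 7200, "bytes": 240_000,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login",'
                '"params":{"login":"wallet","pass":"x","agent":"xmrig/6.0"}}'},
    # Benign: HTTPS to an update service, short and bulky.
    {"src": "10.0.1.7", "direction": "outbound", "dst_port": 443,
     "duration_s": 12, "bytes": 58_000_000, "payload": ""},
    # Weak signal only: an internal app on port 3333 with a non-Stratum payload.
    {"src": "10.0.1.9", "direction": "outbound", "dst_port": 3333,
     "duration_s": 30, "bytes": 5_000, "payload": '{"method":"health"}'},
]

if __name__ == "__main__":
    print("mining suspects:", flag_miners(SAMPLE_FLOWS))
```

Pair this with the billing signal the report calls out: an instance that both scores here and was created in a burst of new VMs is the TRIPLESTRENGTH pattern, whereas a single long-lived flow on port 3333 alone is not worth paging on.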
## Mitigation Strategies
- Implementing strict resource quotas and budget alerts on cloud accounts.
- Apply zero-trust controls to resource provisioning (context-aware access and re-authentication for creating compute), so that a hijacked session alone cannot scale out resources.
- Limit the privileges of any account that could be compromised so that it cannot provision compute beyond what its role requires.
## Related Tools/Techniques
- Other coinminers (e.g., XMRig).
***
# Technique: Credential Theft and Session Cookie Abuse (Enabling Initial Access)
## Overview
The cornerstone of TRIPLESTRENGTH's initial access is the theft and replay of user session artifacts, specifically credentials and cookies harvested by malware such as Raccoon Stealer. These artifacts grant direct, authenticated access to cloud provider consoles (Google Cloud, AWS, Azure and others).
## Technical Details
- Type: Technique
- Platform: Client-side (Data collection); Cloud Platforms (AWS, GCP, Azure, etc. - Exploitation)
- Capabilities: Logging in with stolen credentials where only a password is required; replaying a valid post-authentication session cookie, which reuses an already MFA-verified session and so bypasses MFA entirely.
- First Seen: Not dated in the provided context; ongoing.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1539 - Steal Web Session Cookie
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- TA0001 - Initial Access
- T1078.004 - Valid Accounts: Cloud Accounts
## Functionality
### Core Capabilities
- Obtaining active session tokens/cookies that authenticate the user to cloud services.
- Using these tokens to log in as the legitimate user without needing to pass interactive authentication checks (like MFA).
### Advanced Features
- The ability to leverage these session tokens for detailed configuration access, moving directly into the resource deployment phase (T1496).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Console sessions for a user continuing from an IP address, ASN or user agent that differs from the one that authenticated, or from a geography the user has never logged in from.
- Behavioral Indicators: Session activity with no corresponding new authentication or MFA event for that session; rapid provisioning of new, expensive compute resources immediately after the session appears from the new location.
## Associated Threat Actors
- TRIPLESTRENGTH
## Detection Methods
- Monitoring for session reuse outside the user's normal context: the same session continuing from a different IP address, ASN, device or user agent than the one that authenticated it.
- Alerting on administrative console sessions that originate outside approved network ranges or geographies for that user.
## Mitigation Strategies
- Enforce phishing-resistant MFA (FIDO2 hardware security keys) to stop replay of stolen passwords; note that a stolen post-authentication cookie bypasses any MFA, so combine it with device-bound or context-aware sessions.
- Keep cloud console session lifetimes short and require re-authentication for sensitive actions such as IAM changes and compute provisioning.
- Continuously monitor endpoints for known indicators of Raccoon Stealer activity.
## Related Tools/Techniques
- Credential stuffing.
- Session Hijacking.
***
# Technique: Billing Contact Abuse for Resource Scaling
## Overview
Once TRIPLESTRENGTH has initial access, they scale their cryptocurrency mining operation with a further step: they use the highly privileged compromised account to invite attacker-controlled accounts as *billing contacts* on victim cloud projects. This gives the attacker-controlled identity the financial privileges needed to deploy large, expensive compute resources, while decoupling that resource consumption from the initially compromised account.
## Technical Details
- Type: Technique (Cloud/Account Manipulation)
- Platform: Google Cloud, AWS, Linode, Azure (Cloud Environments)
- Capabilities: Lateral movement into billing administration; escalation to a billing role that allows effectively unbounded resource provisioning charged to the victim.
- First Seen: Observed evolution during the TRIPLESTRENGTH campaign.
## MITRE ATT&CK Mapping
- TA0004 - Privilege Escalation
- T1098.003 - Account Manipulation: Additional Cloud Roles (granting a billing role to an attacker-controlled identity)
- T1098 - Account Manipulation (modifying billing linkages)
- TA0003 - Persistence (the added identity retains the ability to spin up resources over time)
## Functionality
### Core Capabilities
- Altering the financial liability structure of a cloud project to point to an attacker-controlled entity.
- Deploying large scale compute infrastructure (for mining).
### Advanced Features
- This technique effectively separates the initial access identity from the highly resource-intensive impact, obscuring the direct path of excessive billing back to the primary compromised user.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Rapid, uncharacteristic addition of highly privileged roles (like Billing Administrator) to new, suspicious external accounts, immediately followed by massive VM creation. Excessive compute usage alerts originating from newly added billing profiles.
## Associated Threat Actors
- TRIPLESTRENGTH
## Detection Methods
- Auditing changes to billing linkages and administrative roles within cloud environments.
- Establishing baseline norms for compute resource deployment frequency and size.
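An added example of the audit in the first bullet (not code from the original report): it walks audit-log entries, picks out `SetIamPolicy` calls that ADD a billing role to an identity outside the organisation's domains, and counts the VM creations that follow within a window, attributing those made by the newly added identity. The record shape is modelled on Google Cloud Audit Log entries (`protoPayload.serviceData.policyDelta.bindingDeltas` and `compute.instances.insert`), but the entries, the trusted-domain list and the window are constructed assumptions.

```python
"""Correlate billing-role grants to external identities with subsequent VM creation.

Added example for this page, not code from the original report. Records are
modelled on the shape of Google Cloud Audit Log entries but are constructed
here; the trusted-domain list and the time window are assumptions.
"""
from datetime import datetime, timedelta

# Roles that let a principal attach projects to a billing account or manage it.
BILLING_ROLES = {"roles/billing.admin", "roles/billing.user",
                 "roles/billing.projectManager", "roles/billing.costsManager"}
# Assumption: identities outside these domains are external to the organisation.
TRUSTED_DOMAINS = {"example.com"}
INSTANCE_CREATE_METHODS = {"v1.compute.instances.insert", "beta.compute.instances.insert"}


def _ts(s: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_external(member: str) -> bool:
    """member is an IAM member string such as user:bob@gmail.com."""
    if ":" not in member:
        return True
    _, identity = member.split(":", 1)
    domain = identity.rsplit("@", 1)[-1]
    return domain.lower() not in TRUSTED_DOMAINS


def external_billing_grants(entries):
    """Yield (ts, granter, member, role) for billing roles ADDed to external members."""
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("methodName") != "SetIamPolicy":
            continue
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") == "ADD" and d.get("role") in BILLING_ROLES and is_external(d["member"]):
                yield (_ts(e["timestamp"]), p["authenticationInfo"]["principalEmail"],
                       d["member"], d["role"])


def correlate(entries, window_hours=24):
    """One alert per external billing grant, annotated with VM creations that follow."""
    creations = [(_ts(e["timestamp"]), e["protoPayload"]["authenticationInfo"]["principalEmail"])
                 for e in entries
                 if e.get("protoPayload", {}).get("methodName") in INSTANCE_CREATE_METHODS]
    window = timedelta(hours=window_hours)
    alerts = []
    for g_ts, granter, member, role in external_billing_grants(entries):
        member_email = member.split(":", 1)[-1]
        after = [c for c in creations if timedelta(0) <= c[0] - g_ts <= window]
        alerts.append({
            "grant_ts": g_ts.isoformat(), "granted_by": granter, "member": member, "role": role,
            "vm_creations_in_window": len(after),
            "by_new_member": sum(1 for _, who in after if who == member_email),
        })
    return alerts


# Constructed sample entries (not real logs): alice's compromised account grants
# Billing Administrator to an external identity, which then creates VMs.
SAMPLE_ENTRIES = [
    {"timestamp": "2025-01-12T02:10:00Z",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/billing.admin",
                           "member": "user:miner9@gmail.com"}]}}}},
    {"timestamp": "2025-01-12T02:14:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "miner9@gmail.com"}}},
    {"timestamp": "2025-01-12T02:15:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "miner9@gmail.com"}}},
    # Benign: an internal viewer grant, not a billing role.
    {"timestamp": "2025-01-12T09:00:00Z",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_ENTRIES):
        print("ALERT", a)
```

Every external billing grant is worth an alert on its own, which is why the function emits one even with zero follow-on creations; the creation count is there to rank the queue, since a grant followed within minutes by a burst of `instances.insert` from the new identity is the pattern described above.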
## Mitigation Strategies
- **Principle of Least Privilege:** Strictly limit which identities can modify billing contacts or administrative roles (limiting this capability to a very small subset of highly trusted administrators).
- Regularly audit IAM policies, especially those related to Billing Administrator roles.
- Require two-person approval (a second administrator) for changes to billing linkages and billing roles.
## Related Tools/Techniques
- Privilege Escalation via IAM misconfiguration.
- Infostealer log sourcing (the initial access relies on credentials and cookies taken from stealer logs, T1589.001).