Information about "DigitalPlagiarist" campaign (mirroring legitimate sites)
We believe the "TelePort Crew" Threat Actor is operating out of Russia or Eastern Europe with the group's major motivations appearing to be financial in nature through cybercrime and/or corporate espionage.
Over the past few months, the tr1adx team has been tracking a Threat Actor which we codenamed "TelePort Crew".
We believe the "TelePort Crew" Threat Actor is operating out of Russia or Eastern Europe with the group's major motivations appearing to be financial in nature through cybercrime and/or corporate espionage.
We have dubbed the group's latest campaign "Digital Plagiarist" for its signature practice of mirroring legitimate sites (using Tenmax's TelePort Pro and TelePort Ultra site mirroring software) onto similarly named domains, on which the TelePort Crew would host and serve up malware laden Office documents.
The Threat Actor would then craft specific spear phishing emails to direct their targets to visit the malicious web sites and open the malware laden documents.
Corerrelation of the TelePort Crew's TTPs and infrastructure leads us to believe the group is closely affiliated with, and may in fact be, the Carbanak Threat Actor.