Triplestrength: Cybercrime gang that targets victims with ‘triple threat’ attacks

Google's threat intelligence group has been tracking Triplestrength since 2023 and only recently began discussing this financially motivated criminal crew

A small, little-known hacker collective has begun attracting attention by launching somewhat out-of-character “triple threat” cyberattacks. Although Google researchers have been monitoring Triplestrength since 2023, they only recently determined that it may be a small threat actor with just a few members who have been active since 2020.

The unique feature of this group is that, in addition to ransomware, it also uses cloud account hijacking to install cryptominers. In 2020, the group began working on ransomware, and two years later, they added crypto-mining to their operations.

For ransomware, Google further explains that the group mostly targets on-premises systems. For cryptomining, it also targets cloud infrastructure from AWS, Microsoft Azure, Linode, Google Cloud, and others.

“The group is probably focused around a handful of individuals,” Genevieve Stark, head of cybercrime, hacktivism, and information operations intelligence analysis for the Google Threat Intelligence Group, told The Register.

Triplestrength appears to be driven solely by profit, rather than being state-sponsored, seeking to earn from both illicit use of hijacked cloud computing and ransom payments. Initial access is typically gained through brute-force attacks on remote desktop servers or with stolen credentials.

After the target endpoints have been compromised, Triplestrength deploys malware such as Phobos, LokiLocker, RCRU64, or Raccoon Infostealer. For cryptomining, the group primarily uses unMiner. It is notable that XMRig, the best-known cryptojacking tool, was not mentioned.

In an interview with The Register, the researchers stressed that they “identified numerous TRX cryptocurrency addresses that we believe are associated with Triplestrength,” but they did not specify the precise number of victims Triplestrength had harmed over the previous four years.

“And there were over 600 payments to these addresses at the last count, which is now months old,” they informed the media.

This at least gives some sense of the scale of their mining activity: hundreds of cloud instances have likely been compromised, which in turn suggests that there may also be hundreds of ransomware victims.

Meanwhile, a widespread phishing campaign has been observed leveraging bogus PDF documents hosted on the Webflow content delivery network (CDN) with the aim of stealing credit card information and committing financial fraud.