The cyber threat actor established Persistence [TA0003] and Command and Control [TA0011] on the victim network by (1) creating a persistent Secure Socket Shell (SSH) tunnel/reverse SOCKS proxy, (2) running inetinfo.exe (a unique, multi-stage malware used to drop files), and (3) setting up a locally mounted remote share on IP address 78.27.70[.]237 (Proxy [T1090]). The mounted file share allowed the actor to freely move during its operations while leaving fewer artifacts for forensic analysis.
Read full article on HackRead