The "Digital Plagiarist" campaign, dubbed by researchers at the tr1adx team, was run by the "TelePort Crew” and appears to be an evolution of the Carbanak cybercrime group. This group is infamous for a large-scale campaign against banks, leading to the 2015 theft of hundreds of millions of dollars and the Carbanak/Anunak malware that targets point of sale machines.

The Digital Plagiarist campaign targeted a wide range of industries across the world, including restaurant chains, governments and software development companies. Spear phishing emails were sent to these targets, using domains that closely mimicked the target organization itself or companies the target frequently interacted with. Once a spoofed domain was created, the TelePort software was used to copy the contents of the legitimate domain onto the fake one.

These illegitimate domains were used to host Microsoft Word documents that contained embedded macros, which eventually downloaded Carbanak/Anunak malware onto the victim’s computer.

ThreatSTOP customers are protected from the Carbanak/Anunak if they have the TSCrit targets enabled in their policy.