The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed.
“UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group,” the threat intelligence firm said.
“UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums.”
The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees’ valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$.
While the group originally focused on telecom and business process outsourcing (BPO) companies, it has since expanded its targeting to include hospitality, retail, media and entertainment, and financial services, illustrative of the growing threat.
A key hallmark of the threat actors is that they are known to leverage a victim’s credentials to impersonate the employee on calls to the organization’s service desk in an attempt to obtain multi-factor authentication (MFA) codes and/or password resets.
It’s worth noting that Okta, earlier this month, warned customers of the same attacks, with the e-crime gang calling the victims’ IT help desks and tricking support personnel into resetting the MFA factors enrolled for highly privileged employees, allowing the attackers to enroll their own factor and gain access to those valuable accounts.
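The help-desk tactic described above leaves a recognisable trace in an identity provider's audit log: an administrator (the help-desk agent) resets a privileged user's MFA factors, and minutes later that user signs in from a network the account has never used. The following is an added detection example written for this article; it is not code from Mandiant, Okta, or the original page. The event type names are modeled on Okta's System Log (`user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`, `user.session.start`) but the flattened record layout, the sample events, the ASN values and the list of privileged accounts are all constructed for the example and are assumptions to adapt to a real log source.

```python
"""Flag help-desk MFA resets on privileged accounts that are followed by a
sign-in from a network the account has never used.

Added example for illustration; not code from Mandiant, Okta, or the article.
"""
from datetime import datetime, timedelta

# Event types that remove or reset a user's MFA factors. Names are modeled on
# Okta System Log eventType values (an assumption; adapt to your IdP).
RESET_TYPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
LOGIN_TYPE = "user.session.start"

# Constructed sample events (not real log data). Each record is a flattened
# subset of what an identity provider's audit log normally carries.
EVENTS = [
    # Normal history: both privileged users sign in from the corporate ASN.
    {"time": "2023-09-14T08:00:00Z", "eventType": LOGIN_TYPE,
     "actor": "j.doe@corp.example", "target": "j.doe@corp.example",
     "ip": "192.0.2.15", "asn": "AS64496", "outcome": "SUCCESS"},
    {"time": "2023-09-14T09:00:00Z", "eventType": LOGIN_TYPE,
     "actor": "m.lee@corp.example", "target": "m.lee@corp.example",
     "ip": "192.0.2.22", "asn": "AS64496", "outcome": "SUCCESS"},
    # Help desk resets j.doe's factors; a sign-in follows from a new ASN.
    {"time": "2023-09-15T09:02:11Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent@corp.example", "target": "j.doe@corp.example",
     "ip": "192.0.2.40", "asn": "AS64496", "outcome": "SUCCESS"},
    {"time": "2023-09-15T09:09:40Z", "eventType": LOGIN_TYPE,
     "actor": "j.doe@corp.example", "target": "j.doe@corp.example",
     "ip": "198.51.100.77", "asn": "AS64501", "outcome": "SUCCESS"},
    # Reset on a non-privileged user: noise, not in scope of this rule.
    {"time": "2023-09-15T10:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent@corp.example", "target": "a.smith@corp.example",
     "ip": "192.0.2.40", "asn": "AS64496", "outcome": "SUCCESS"},
    {"time": "2023-09-15T10:05:00Z", "eventType": LOGIN_TYPE,
     "actor": "a.smith@corp.example", "target": "a.smith@corp.example",
     "ip": "198.51.100.77", "asn": "AS64501", "outcome": "SUCCESS"},
    # Legitimate reset: m.lee signs back in from the known corporate ASN.
    {"time": "2023-09-15T11:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent@corp.example", "target": "m.lee@corp.example",
     "ip": "192.0.2.40", "asn": "AS64496", "outcome": "SUCCESS"},
    {"time": "2023-09-15T11:04:00Z", "eventType": LOGIN_TYPE,
     "actor": "m.lee@corp.example", "target": "m.lee@corp.example",
     "ip": "192.0.2.22", "asn": "AS64496", "outcome": "SUCCESS"},
    # New-ASN sign-in for m.lee, but two hours later: outside the window.
    {"time": "2023-09-15T13:00:00Z", "eventType": LOGIN_TYPE,
     "actor": "m.lee@corp.example", "target": "m.lee@corp.example",
     "ip": "203.0.113.9", "asn": "AS64502", "outcome": "SUCCESS"},
]

# Constructed list of accounts whose takeover would matter most.
PRIVILEGED = {"j.doe@corp.example", "m.lee@corp.example"}


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def known_asns(events, user, before):
    """ASNs from which `user` signed in successfully before `before`."""
    return {e["asn"] for e in events
            if e["eventType"] == LOGIN_TYPE and e["target"] == user
            and e["outcome"] == "SUCCESS" and _ts(e["time"]) < before}


def find_reset_then_new_network(events, privileged, window_minutes=30):
    """Return one finding per privileged MFA reset that is followed, within
    `window_minutes`, by a successful sign-in from an ASN the account has
    never used before the reset."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    findings = []
    for reset in events:
        if reset["eventType"] not in RESET_TYPES or reset["target"] not in privileged:
            continue
        user = reset["target"]
        t0 = _ts(reset["time"])
        deadline = t0 + timedelta(minutes=window_minutes)
        baseline = known_asns(events, user, t0)
        for login in events:
            t1 = _ts(login["time"])
            if (login["eventType"] == LOGIN_TYPE and login["target"] == user
                    and login["outcome"] == "SUCCESS"
                    and t0 < t1 <= deadline and login["asn"] not in baseline):
                findings.append({"target": user, "reset_by": reset["actor"],
                                 "reset_time": reset["time"],
                                 "login_time": login["time"],
                                 "login_ip": login["ip"], "asn": login["asn"]})
    return findings


if __name__ == "__main__":
    for hit in find_reset_then_new_network(EVENTS, PRIVILEGED):
        print(f"ALERT: {hit['target']} MFA reset by {hit['reset_by']} at "
              f"{hit['reset_time']}, new-network sign-in from {hit['login_ip']} "
              f"({hit['asn']}) at {hit['login_time']}")
```

The baseline is built from the account's own sign-in history before the reset, so the rule keys on "new network for this user" rather than on a fixed list of bad IPs; that matters because the group routes through commercial residential proxies, which will not appear on any reputation list. In production the ASN lookup would come from the IdP's enrichment or a GeoIP/ASN database, and a lower window or a device-fingerprint comparison can be added on top of the same skeleton.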
In one instance, an employee is said to have installed the RECORDSTEALER malware via a fake software download, which subsequently facilitated credential theft. The rogue sign-in pages, designed using phishing kits such as EIGHTBAIT and others, are capable of sending the captured credentials to an actor-controlled Telegram channel and deploying AnyDesk.
The adversary has also been observed using a variety of information stealers (e.g., Atomic, ULTRAKNOT or Meduza, and Vidar) and credential theft tools (e.g., MicroBurst) to obtain the privileged access necessary to meet its goals and augment its operations.
Part of UNC3944’s activity includes the use of commercial residential proxy services to reach victim environments while evading geolocation-based detection, the use of legitimate remote access software for persistence, and extensive directory and network reconnaissance to support privilege escalation and maintain access.
Also noteworthy is its abuse of the victim organization’s cloud resources to host malicious utilities to disable firewall and security software and deliver them to other endpoints, underscoring the hacking group’s evolving tradecraft.
The latest findings come as the group has emerged as an affiliate for the BlackCat (aka ALPHV or Noberus) ransomware crew, taking advantage of its new-found status to breach MGM Resorts and distribute the file-encrypting malware.
“The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over a course of a few days,” Mandiant pointed out.
“When deploying ransomware, the threat actors appear to specifically target business-critical virtual machines and other systems, likely in an attempt to maximize impact to the victim.”