RattyRAT and other surprises

Historically, Scattered Spider attacks have started with broad phishing and smishing attempts originating from maliciously-crafted, victim-specific domains.

This continues to be the case, with some minor variants – new domains observed by the FBI of late have included targets name-cms[.]com, targets name-helpdesk[.]com, and oktalogin-targets name[.]com. Scattered Spider has frequently leveraged Okta’s branding in its attacks in the past (one of its other aliases is 0ktapus) and its unrequited love affair with the identity services specialist continues.

The current wave of attacks is also employing more targeted and multilayered spear phishing and vishing into its playbook, often incorporating legitimate b2b websites to gather information to enrich their attempts and make them seem more convincing.

Scattered Spider also now appears to be refining its social engineering nous, and has recently been observed posing as victim employees to convince IT or helpdesk staff to provide credential information, run rests, and transfer multifactor authentication (MFA) to devices they control.

Access established, Scattered Spider has also added a number of new legitimate remote access tunneling tools to its roster of technical expertise. In addition to the likes of Screenconnect and TeamViewer, it is now using AnyDesk to enable remote access to network devices and Teleport.sh and  to enable remote access to local systems.

The advisory further details a new Java-based remote access trojan dubbed RattyRAT, which Scattered Spider is using to establish persistent and stealthy access and perform internal recon activities within its victims’ infrastructure. The gang is also keeping a close lookout for signs that it has been detected, and besides monitoring internal applications such as Microsoft Teams and Slack, is now making its activity seem more convincing by creating new identities upheld by sock puppet social media profiles.

The advisory also notes the gang’s by now well-observed affiliation with DragonForce ransomware for data encryption and extortion, and is increasingly targeting VMware ESXi servers in this. When it exfiltrates data in its ransomware attacks – it now also appears to be seeking its victims’ Snowflake access in order to steal more data quicker – it uses multiple sites including MEGA and US-based datacentres including Amazon’s, and uses TOR, Tox, email, and encrypted applications to communicate with its victims.

The full updated advisory contains a wealth of additional information including MITRE ATT&CK tactics and techniques and mitigation advice.

It also calls on victims to report incidents to the authorities, subject to local legal requirements, and reiterates guidance not to pay ransoms for encrypted data.

Takeaways for security leaders

Nick Tausek, lead security automation architect at Swimlane, an AI security platform provider, said two major points stood out from the updated advisory.

“First, Scattered Spider’s ability to exfiltrate large amounts of data should raise a lot of red flags. Access to an organisation’s Snowflake allows the group to run thousands of queries immediately and simultaneously, often deploying Dragonforce malware to encrypt target organisations’ servers. The potential for vast amounts of stolen data explains why they’ve been successful across multiple industries, from insurance to transportation to retail,” he said.

“However, what might be even more disturbing is the diligence exhibited by the group. Entering incident remediation and response calls undetected in order to identify how security teams are adapting to their attacks is a clever strategy to remain ahead. Listening in on these calls gives them access to information like how they’re being hunted, and what adjustments security teams will make to prevent future attacks.

“Organisations should administer application controls that can prevent remote access authorisation, such as virtual private networks or virtual desktop interfaces. Additionally, organisations should severely limit the use of Remote Desktop Protocol (RDP), and implement recovery plans, such as offline backups of data, in the event that ransomware does breach their security defence,” said Tausek.