Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks
The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed.
"UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group," the threat intelligence firm said.
"UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums."
The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, using phone-based social engineering and SMS-based phishing with bogus sign-in pages to obtain employees' valid credentials and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$.
While the group originally focused on telecom and business process outsourcing (BPO) companies, it has since expanded its targeting to include hospitality, retail, media and entertainment, and financial services, illustrative of the growing threat.
A key hallmark of the threat actors is that they are known to leverage a victim's credentials to impersonate the employee on calls to the organization's service desk in an attempt to obtain multi-factor authentication (MFA) codes and/or password resets.
It's worth noting that Okta, earlier this month, warned customers of the same attacks, with the e-crime gang calling the victims' IT help desks to trick support personnel into resetting the MFA codes for employees with high privileges, allowing them to gain access to those valuable accounts.
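A defender-side illustration of the help-desk reset pattern described above, added here as an example (it is not code from the article, Mandiant, or Okta): a small detection that scans identity-provider audit events for MFA or password resets performed by help-desk staff on high-privilege accounts and alerts when the account then signs in, within an hour, from a network it has never used before. The event type names, the group names used to mark privileged accounts, the sample events, and the IP baseline are all assumptions and constructed data, loosely modelled on what an identity provider's system log exposes.

```python
"""Flag help-desk MFA/password resets on privileged accounts that are followed
shortly afterwards by a sign-in from a network the account has never used."""
from datetime import datetime, timedelta

# Assumed event type names, loosely modelled on identity-provider audit logs.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.account.reset_password"}
LOGIN_EVENT = "user.session.start"

# Assumed group names that mark high-privilege accounts.
PRIVILEGED_GROUPS = {"Okta Administrators", "Domain Admins"}

# Constructed sample audit log (not real data).
SAMPLE_EVENTS = [
    {"ts": "2023-09-15T09:02:11Z", "type": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent@corp.example", "target": "alice@corp.example",
     "target_groups": ["Okta Administrators"]},
    {"ts": "2023-09-15T09:09:40Z", "type": "user.session.start",
     "actor": "alice@corp.example", "target": "alice@corp.example",
     "ip": "203.0.113.77"},
    {"ts": "2023-09-15T10:15:00Z", "type": "user.account.reset_password",
     "actor": "helpdesk.agent@corp.example", "target": "bob@corp.example",
     "target_groups": ["Domain Admins"]},
    {"ts": "2023-09-15T10:20:05Z", "type": "user.session.start",
     "actor": "bob@corp.example", "target": "bob@corp.example",
     "ip": "198.51.100.10"},
    {"ts": "2023-09-15T11:00:00Z", "type": "user.mfa.factor.reset_all",
     "actor": "helpdesk.agent@corp.example", "target": "carol@corp.example",
     "target_groups": ["Everyone"]},
    {"ts": "2023-09-15T11:04:00Z", "type": "user.session.start",
     "actor": "carol@corp.example", "target": "carol@corp.example",
     "ip": "203.0.113.5"},
]

# Constructed baseline: source IPs each account used over the previous 30 days.
KNOWN_IPS = {
    "alice@corp.example": {"198.51.100.20"},
    "bob@corp.example": {"198.51.100.10"},
    "carol@corp.example": {"198.51.100.30"},
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_privileged(event):
    """True if the target account belongs to any high-privilege group."""
    return bool(PRIVILEGED_GROUPS & set(event.get("target_groups", [])))


def find_suspicious_resets(events, known_ips, window=timedelta(minutes=60)):
    """Return one finding per privileged-account reset that is followed within
    `window` by a sign-in from an IP absent from that account's baseline."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] not in RESET_EVENTS or not is_privileged(ev):
            continue
        reset_time = parse_ts(ev["ts"])
        user = ev["target"]
        for later in events[i + 1:]:
            t = parse_ts(later["ts"])
            if t - reset_time > window:
                break  # events are sorted, so nothing later is in the window
            if (later["type"] == LOGIN_EVENT and later["target"] == user
                    and later.get("ip") not in known_ips.get(user, set())):
                findings.append({
                    "user": user,
                    "reset_type": ev["type"],
                    "reset_by": ev["actor"],
                    "reset_at": ev["ts"],
                    "login_ip": later["ip"],
                    "login_at": later["ts"],
                    "minutes_after_reset": int((t - reset_time).total_seconds() // 60),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"ALERT: {f['reset_type']} on privileged account {f['user']} "
              f"by {f['reset_by']} at {f['reset_at']}; sign-in from unknown "
              f"network {f['login_ip']} {f['minutes_after_reset']} min later")
```

Run against the constructed log, only the reset on the administrator account is flagged: the second reset is followed by a sign-in from an IP already in that account's baseline, and the third targets an account with no privileged group membership. In a real deployment the baseline would come from historical sign-in data, and the alert would be correlated with the help-desk ticket that justified the reset.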
In one instance, an employee is said to have installed the RECORDSTEALER malware via a fake software download, which subsequently facilitated credential theft. The rogue sign-in pages, designed using phishing kits such as EIGHTBAIT and others, are capable of sending the captured credentials to an actor-controlled Telegram channel and deploying AnyDesk.
The adversary has also been observed using a variety of information stealers (e.g., Atomic, ULTRAKNOT or Meduza, and Vidar) and credential theft tools (e.g., MicroBurst) to obtain the privileged access necessary to meet its goals and augment its operations.
Part of UNC3944's activity includes the use of commercial residential proxy services to access victims while evading detection, the use of legitimate remote access software, and extensive directory and network reconnaissance to help escalate privileges and maintain persistence.
Also noteworthy is its abuse of the victim organization's cloud resources to host malicious utilities to disable firewall and security software and deliver them to other endpoints, underscoring the hacking group's evolving tradecraft.
The latest findings come as the group is suspected to have emerged as an affiliate for the BlackCat (aka ALPHV or Noberus) ransomware crew, taking advantage of its new-found status to breach MGM Resorts and distribute the file-encrypting malware.
However, the BlackCat ransomware group has since called out media outlets for "falsely reporting events that never happened" and that it "did not attempt to tamper with MGM's slot machines to spit out money." It also labeled reports about "teenagers" from the U.S. and U.K. breaking into MGM Resorts as "rumors."
"The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over a course of a few days," Mandiant pointed out.
"When deploying ransomware, the threat actors appear to specifically target business-critical virtual machines and other systems, likely in an attempt to maximize impact to the victim."
(The story has been updated after publication to include a statement shared by BlackCat on its dark web portal disputing claims of the attack on MGM Resorts.)