Dark Web Profile: Scattered Spider – SOCRadar® Cyber Intelligence Inc.

The article profiles the Scattered Spider group, detailing its many aliases and its transition from phishing-based intrusions to ransomware and RaaS affiliations, including high-profile breaches at MGM Resorts, Caesars Entertainment, and Riot Games. It also discusses law-enforcement challenges and practical security recommendations to counter this global, evolving threat. #ScatteredSpider #MGMResorts #CaesarsEntertainment #RaaS #BlackCat #ALPHV

Key Points

  • Scattered Spider operates under many aliases (e.g., Muddled Libra, UNC3944, Starfraud, Octo Tempest) and has conducted high-profile intrusions across several industries.
  • The group evolved from phishing kits to affiliating with Ransomware-as-a-Service (RaaS) providers and has been linked to BlackCat/ALPHV usage.
  • Notable attacks include MGM Resorts, Caesars Entertainment, Riot Games, and other targets like MailChimp, Twilio, and DoorDash, illustrating a broad global footprint.
  • Their modus operandi combines social engineering, credential theft, domain creation for phishing, social media deception, and cloud-focused lateral movement, with attempts to bypass MFA and persist in networks.
  • MITRE-aligned TTPs cover phishing, credential access, privilege escalation, domain policy modification, and data exfiltration, including encryption of VMware ESXi servers with BlackCat.
  • Defensive guidance emphasizes stronger MFA, phishing-resistant controls, regular patching, employee training, and robust incident response planning.
  • SOCRadar and cybersecurity experts stress the difficulty of attributing activities to a single actor due to the group’s evolving aliases and techniques.

MITRE Techniques

  • [T1589] Gather Victim Identity Information – “Threat actors gather usernames, passwords, and PII for targeted organizations.”
  • [T1566] Phishing – “Threat actors use phishing to obtain login credentials, gaining access to a victim’s network.”
  • [T1583.001] Acquire Infrastructure: Domains – “Threat actors create domains for use in phishing and smishing attempts against targeted organizations.”
  • [T1136.003] Establish Accounts: Social Media Accounts – “Threat actors create fake social media profiles to backstop newly created user accounts in a targeted organization.”
  • [T1566] Phishing (Mobile) – “Threat actors send SMS messages, known as smishing, when targeting a victim.”
  • [T1566] Phishing: Voice/Spearphishing Voice – “Threat actors use voice communications to convince IT help desk personnel to reset passwords and/or MFA tokens.”
  • [T1199] Trusted Relationship – “Threat actors abuse trusted relationships of contracted IT help desks to gain access to targeted organizations.”
  • [T1078] Valid Accounts – “Threat actors obtain access to valid domain accounts to gain initial access to a targeted organization.”
  • [T1204] User Execution – “Threat actors impersonating helpdesk personnel direct employees to run commercial remote access tools, enabling access to the victim’s network.”
  • [T1556] Modify Authentication: MFA – “Threat actors may modify MFA tokens to gain access to a victim’s network.”
  • [T1555] Credentials in Files / Credentials from Password Stores – “Threat actors use tools, such as Raccoon Stealer, to obtain login credentials.”
  • [T1018] Remote System Discovery – “Threat actors search for remote systems to exploit.”
  • [T1021.004] Lateral Movement: Cloud Services – “Threat actors use pre-existing cloud instances for lateral movement and data collection.”
  • [T1005] Data from Information Repositories: Code Repositories / SharePoint – “Threat actors search code repositories for data collection and exfiltration.”
  • [T1041] Exfiltration Over Web Service – “Threat actors exfiltrate data to multiple sites, including U.S.-based data centers and MEGA.nz.”
  • [T1048] Exfiltration: Exfiltration to Cloud Storage – “Exfiltrate data to cloud storage.”
  • [T1027] Exfiltration: Data Encrypted for Impact – “Data encryption with BlackCat ransomware, including VMware ESXi servers.”
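
The help-desk MFA reset chain described in the techniques above (a voice call to the help desk, an MFA token modification, then use of the valid account) can be correlated in identity-provider audit logs. The following is an added defensive example, not code from the SOCRadar profile; the event names, record fields and the known-IP baseline are assumptions, and the log rows are constructed.

```python
# Added example (not from the SOCRadar profile): flags accounts where a
# help-desk-initiated MFA reset is followed within a short window by a new MFA
# method registration and/or a sign-in from an IP outside the user's baseline.
# Event names and field layout are assumptions about an IdP audit log.
from datetime import datetime, timedelta

# Constructed sample audit log: (timestamp, user, event, detail).
SAMPLE_EVENTS = [
    ("2023-09-10T09:00:00", "alice", "helpdesk_mfa_reset", "ticket=HD-001"),
    ("2023-09-10T09:07:00", "alice", "mfa_method_added", "authenticator_app"),
    ("2023-09-10T09:12:00", "alice", "signin_success", "ip=198.51.100.23"),
    ("2023-09-10T11:00:00", "bob", "helpdesk_mfa_reset", "ticket=HD-002"),
    ("2023-09-11T08:30:00", "bob", "signin_success", "ip=203.0.113.5"),
    ("2023-09-10T12:00:00", "carol", "mfa_method_added", "authenticator_app"),
]

# Constructed per-user baseline of known sign-in IPs (assumed baseline store).
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"203.0.113.5"}, "carol": {"192.0.2.11"}}


def detect_helpdesk_mfa_takeover(events, known_ips, window=timedelta(hours=1)):
    """Return {user: [reasons]} for each account whose help-desk MFA reset is
    followed within `window` by a new MFA method or an unknown-IP sign-in."""
    parsed = sorted(
        (datetime.fromisoformat(ts), user, ev, detail) for ts, user, ev, detail in events
    )
    findings = {}
    for ts, user, ev, _ in parsed:
        if ev != "helpdesk_mfa_reset":
            continue
        reasons = []
        for ts2, user2, ev2, detail2 in parsed:
            if user2 != user or not (ts < ts2 <= ts + window):
                continue  # other accounts, or outside the correlation window
            minutes = int((ts2 - ts).total_seconds() // 60)
            if ev2 == "mfa_method_added":
                reasons.append(f"new MFA method ({detail2}) {minutes} min after reset")
            elif ev2 == "signin_success":
                ip = detail2.split("=", 1)[1]
                if ip not in known_ips.get(user, set()):
                    reasons.append(f"sign-in from unknown IP {ip} {minutes} min after reset")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect_helpdesk_mfa_takeover(SAMPLE_EVENTS, KNOWN_IPS).items():
        print(user, "->", "; ".join(reasons))
```

Only alice is flagged: bob's sign-in is from a baseline IP and falls outside the window, and carol registered an MFA method without any help-desk reset.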

Indicators of Compromise

  • [IOC Type] CVEs – CVE-2015-2291, CVE-2021-35464, CVE-2022-41328
  • [IOC Type] Malware/Tools – Raccoon Stealer, VIDAR Stealer, BlackCat Ransomware, Fleetdeck.io, Level.io, Mimikatz, Ngrok, Pulseway, ScreenConnect, Splashtop, Tactical.RMM, Tailscale, TeamViewer, AveMaria
  • [IOC Type] Cloud/Remote Access Tools – Ngrok, TeamViewer, ScreenConnect, Splashtop, Pulseway, Tailscale
  • [IOC Type] Exfiltration/Storage – MEGA.nz (and other cloud storage destinations)
  • [IOC Type] Targeted Organizations – MGM Resorts, Caesars Entertainment, Riot Games, MailChimp, Twilio, DoorDash
  • [IOC Type] Cloud Service/Infrastructure – AWS Systems Manager Inventory

Read more: https://socradar.io/dark-web-profile-scattered-spider/