Scattered Spider: The Modus Operandi

MITRE Techniques

• [T1566] Phishing – Social engineering via phone calls and text messages impersonating IT personnel to obtain credentials or direct victims to credential harvesting or RMM tools. ‘Initial access was via social engineering using phone calls and text messages to impersonate IT personnel, and either directing victims to a credential harvesting site or directing victims to run commercial Remote Monitoring and Management (RMM) tools.’
• [T1021.001] Remote Services – Use legitimate remote access tools (AnyDesk, LogMeIn, ConnectWise Control) to establish persistence and enable lateral movement. ‘establish persistence through legitimate remote access tools such as AnyDesk, LogMeIn, and ConnectWise Control.’
• [T1068] Exploitation for Privilege Escalation – CVE-2015-2291 exploited to deploy a malicious kernel driver. ‘exploited CVE-2015-2291 which is a vulnerability … to deploy a malicious kernel driver.’
• [T1134.001] Access Token Manipulation: Token Impersonation/Theft – Requesting and assuming permissions of an instance role using a compromised AWS token. ‘requesting and assuming the permissions of an instance role using a compromised AWS token.’
• [T1553.002] Subvert Trust Controls: Code Signing – Attestation signing to sign malware. ‘attestation signing to sign malware’
• [T1036] Masquerading – Signed POORTRY driver with Authenticode signature to masquerade as legitimate software. ‘signed POORTRY driver with a Microsoft Windows Hardware Compatibility Authenticode signature.’
• [T1041] Exfiltration Over C2 Channel – Data exfiltration over command-and-control channels. ‘Exfiltration Over C2 Channel’
• [T1195.002] Compromise Software Supply Chain – Attested/signed drivers used to aid post-exploitation.
• [T1616] Call Control – MITRE Mobile mapping indicates collection via Call Control. ‘COLLECTION’ → ‘T1616: Call Control’
• [T1451] Sim Card Swap – MITRE Mobile mapping indicates SIM card swapping as a collection method. ‘COLLECTION’ → ‘T1451: Sim Card Swap’