Key points
- Muddled Libra leverages the 0ktapus phishing kit and targeted smishing to harvest credentials and MFA codes via mobile authentication pages.
- The group routinely uses social engineering against help‑desk agents to reset passwords and enroll attacker-controlled MFA devices.
- For persistence they install multiple legitimate RMM/remote‑access tools (AnyDesk, TeamViewer, Zoho Assist, ManageEngine, etc.) and deploy unmanaged cloud VMs.
- Credential access is achieved with tools like Mimikatz, ProcDump, DCSync, Raccoon Stealer, and memory forensics utilities (MAGNET RAM Capture, Volatility).
- Defense evasion includes disabling AV/EDR, creating exclusions, reusing existing AD accounts, operating within EDR consoles, and hiding behind VPNs/residential proxies.
- Lateral movement favors RDP from compromised hosts and the use of administrative tooling (PsExec, Impacket, VMware PowerCLI) for execution and pivoting.
- Data collection and exfiltration use Snaffler and native search plus archiving (WinRAR/PeaZip) and transfer via public services (put[.]io, transfer[.]sh, gofile[.]io, wasabi[.]com).
MITRE Techniques
- [T1566] Phishing – used via smishing and the 0ktapus kit to emulate mobile authentication pages and harvest credentials (‘…emulate mobile authentication pages…’).
- [T1078] Valid Accounts – adversaries re-enabled and used existing Active Directory accounts and help‑desk resets to access environments (‘…re-enabled and used existing Active Directory accounts…’).
- [T1090] Proxy – heavy use of anonymizing VPNs and rotating residential proxy services to obscure operator location and blend with legitimate traffic (‘…Heavy use of anonymizing proxy services’).
- [T1021.001] Remote Services (RDP) – lateral movement primarily via RDP connections from compromised hosts to minimize external network artifacts (‘…preferred using remote desktop protocol (RDP) connections…’).
- [T1003] OS Credential Dumping – credential harvesting and elevation using Mimikatz, ProcDump, DCSync and memory‑searching for credentials (‘…included Mimikatz, ProcDump, DCSync…’).
- [T1562] Impair Defenses – disabling antivirus/firewalls, creating defender exclusions, and uninstalling/deactivating EDR and monitoring products (‘…Disabling antivirus and host-based firewalls’).
- [T1098] Account Manipulation – social engineering help desk to enroll attacker-controlled MFA devices and bypass MFA protections (‘…request to enroll a new, attacker-controlled MFA authentication device.’).
- [T1567] Exfiltration Over Web Service – use of public file-transfer and cloud services (put[.]io, transfer[.]sh, gofile[.]io, wasabi[.]com) and tunneling for data exfiltration (‘…used common file transfer sites such as put[.]io, transfer[.]sh… to both exfiltrate data…’).
Indicators of Compromise
- [IP Address] Observed C2 and hosting infrastructure – 104.247.82[.]11, 159.223.208[.]47, and 25 more IPs
- [Domains / Web Services] Exfiltration and tooling download sites – put[.]io, transfer[.]sh, and 2 more domains (wasabi[.]com, gofile[.]io)
- [Malicious/Tooling Names] Phishing kit and rootkit references used in incidents – 0ktapus, bdvl (bedevil rootkit), and other tools like Snaffler
- [Hosting/Registrar Patterns] Lookalike phishing domains registered via Porkbun/Namecheap and hosted on DigitalOcean/CDN infrastructure – short‑lived domains used in smishing campaigns
Muddled Libra’s technical procedure begins with targeted reconnaissance and resource setup: they harvest employee contact lists and credentials from prior breaches or data brokers, register short‑lived lookalike domains (often via Porkbun/Namecheap and hosted on DigitalOcean or behind CDNs), and deploy the 0ktapus phishing kit to present realistic mobile authentication pages for smishing campaigns. Initial access is commonly achieved either by smishing (credential and MFA capture) or direct, voice‑based social engineering of help‑desk agents to reset credentials or enroll attacker‑controlled MFA devices.
After access, the group prioritizes persistence and stealth by installing multiple legitimate RMM tools (Zoho Assist, AnyDesk, TeamViewer, ManageEngine, etc.), standing up unmanaged cloud VMs, and reusing valid AD accounts. They escalate privileges and harvest credentials using Mimikatz, ProcDump, DCSync, RedLine/Raccoon stealers, and memory‑forensics tools; they perform discovery with SharpHound, ADRecon, Angry IP/Port scanners, and VMware PowerCLI. Defense evasion techniques include disabling AV/EDR, creating exclusions, operating in EDR consoles to clear alerts, and routing activity through commercial VPNs and rotating residential proxies.
For lateral movement and execution they prefer RDP from compromised hosts and use PsExec, Impacket, and native systems‑management tooling to run code. Data collection leverages Snaffler and targeted keyword searches across Confluence, SharePoint, code repositories, and ticketing systems; stolen files are archived (WinRAR/PeaZip) and exfiltrated via SSH tunnels, reverse proxies, or public file‑transfer services (put[.]io, transfer[.]sh, gofile[.]io, wasabi[.]com). Detection priorities should include monitoring for unusual RMM installs, repeated MFA failures or enrollment requests, credential dumping tool execution, and connections to known proxy/VPN endpoints.
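As an added example (not code from the Unit 42 report), the detection priorities above applied as a small Python triage pass over constructed sample telemetry; it assumes process-creation, DNS and MFA events have already been normalized into dicts with the fields shown.

```python
import re
from collections import Counter

# Constructed sample telemetry, not from any real incident: one dict per event.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"type": "process", "host": "dc01", "user": "svc_backup",
     "image": r"C:\Temp\procdump64.exe", "cmdline": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"type": "process", "host": "ws02", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "dns", "host": "ws01", "user": "jdoe", "query": "upload.transfer.sh"},
    {"type": "dns", "host": "ws02", "user": "jdoe", "query": "www.microsoft.com"},
    {"type": "mfa", "user": "asmith", "action": "enroll_device", "result": "success"},
    {"type": "mfa", "user": "asmith", "action": "push", "result": "denied"},
    {"type": "mfa", "user": "asmith", "action": "push", "result": "denied"},
    {"type": "mfa", "user": "asmith", "action": "push", "result": "denied"},
]

# RMM tools and credential-dumping tools named in the report; an unexpected install
# or execution of any of them on a host is worth an alert, not an automatic block.
RMM_PATTERN = re.compile(r"anydesk|teamviewer|zoho.?assist|manageengine", re.I)
CRED_TOOL_PATTERN = re.compile(r"mimikatz|procdump.*lsass|sekurlsa|snaffler", re.I)
# Public file-transfer services the group used for exfiltration (from the report).
EXFIL_DOMAINS = ("put.io", "transfer.sh", "gofile.io", "wasabi.com")
MFA_FAILURE_THRESHOLD = 3  # assumed tuning value; repeated denials suggest MFA fatigue


def detect(events):
    """Return (alert_kind, host, user) tuples for events matching the report's TTPs."""
    alerts = []
    mfa_failures = Counter()
    for ev in events:
        if ev["type"] == "process":
            text = f'{ev["image"]} {ev["cmdline"]}'
            if RMM_PATTERN.search(text):
                alerts.append(("rmm_install", ev["host"], ev["user"]))
            if CRED_TOOL_PATTERN.search(text):
                alerts.append(("credential_dumping", ev["host"], ev["user"]))
        elif ev["type"] == "dns":
            q = ev["query"].lower()
            # Match the apex domain or any subdomain of it, never a substring elsewhere.
            if any(q == d or q.endswith("." + d) for d in EXFIL_DOMAINS):
                alerts.append(("exfil_service_lookup", ev["host"], ev["user"]))
        elif ev["type"] == "mfa":
            if ev["action"] == "enroll_device":
                alerts.append(("mfa_enrollment", "-", ev["user"]))
            elif ev["result"] == "denied":
                mfa_failures[ev["user"]] += 1
    for user, n in mfa_failures.items():
        if n >= MFA_FAILURE_THRESHOLD:
            alerts.append(("repeated_mfa_failures", "-", user))
    return alerts
```

Each alert should be correlated with the user's help-desk ticket history and VPN/proxy egress before escalation, since a single RMM install or MFA enrollment is often legitimate.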
Read more: https://unit42.paloaltonetworks.com/muddled-libra/