CTI Roundup: HTTP Headers Phishing Technique, Scattered Spider Back in the News, and UNC2970 Targets Job Seekers

In this week’s roundup, CTI looks at an ongoing phishing campaign that abuses refresh entries in HTTP headers. Next up, CTI provides an update on the Scattered Spider group, which is actively conducting social engineering attacks and targeting cloud accounts. Finally, CTI investigates UNC2970, an actor who masquerades as a recruiter and targets victims under the disguise of job openings.

Phishing campaign exploits HTTP headers for credential theft

Researchers at Palo Alto are warning of an ongoing phishing campaign that exploits refresh entries in HTTP headers to deliver spoofed email login pages.

The campaign differs from other phishing campaigns distributed through HTML content as it uses the response header sent by a server, which occurs before the HTML content is processed. Between May and July, researchers identified roughly 2,000 malicious URLs daily that were associated with the campaign.

How the technique works

Threat actors often leverage readily available tools and techniques to conduct phishing campaigns. Actors now use a header refresh technique to embed phishing links and create convincing lures. The malicious links target each user by embedding the user’s email address in the refresh field of the HTTP response header. This forces the browser to automatically refresh or reload a webpage without any user interaction.

By combining this technique with spoofed domains that mimic legitimate domains, threat actors are likelier to trick victims into providing their credentials.

Example header refresh phishing attacks

The malicious links used in the attack try to convince victims to enter their credentials with a site that closely resembles the legitimate login page. These pages typically include the organization’s email address on the site by prepopulating the victim’s email address as the username and requesting a password.

In June, Palo Alto observed large-scale campaigns. One campaign was notable because it used emails that originated from the same source IP address and the same spoofed sender address. This campaign’s most common email subject was “Complete with DocuSign: ACH/EFT Form ***.” The malicious links were delivered via header refresh URLs that contained the recipients’ email addresses.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This header refresh technique is a great example of how actors adopt new techniques and demonstrate how quickly they can scale their attacks. The actor behind this campaign managed to carry out multiple large-scale attacks in just a few months, reaching 2,000 domains daily.

This requires a great deal of oversight and indicates that the actor had the resources necessary to maintain a campaign like this. These campaigns highlight how HTTP refresh headers can be used maliciously and give defenders an additional technique to watch out for.

 Scattered Spider targets cloud accounts

Researchers at EclecticIQ have been investigating ransomware operations, specifically those targeting cloud infrastructure. They recently discovered that much of the infrastructure and TTPs observed in these attacks align with the Scattered Spider group also behind the high-profile MGM attack and other advanced social engineering attacks.

Since the MGM attack, Scattered Spider has conducted various other social engineering attacks. They use both vishing (voice phishing) and smishing (text phishing) to trick their victims and have been observed targeting IT service desk and identity administrators. This actor primarily looks to gain and abuse trust.

From user accounts to cloud infrastructure

EclecticIQ’s latest research reveals that Scattered Spider frequently compromises networks with the help of social engineering against cloud accounts.

One way the group gains unauthorized access to cloud environments is via accidental credential leakage. The actor leverages leaked cloud authentication tokens that were accidentally exposed to places like GitHub because of hardcoded credentials in code.

The actor also leverages phishing campaigns and social engineering to compromise accounts and tends to target IT service desk individuals and cybersecurity teams. The attacks focus on cloud services like Entra ID, AWS EC2, and SaaS applications.

Credential stealers and initial access brokers

EclecticIQ noticed the sale of authentication tokens and credentials for cloud services on underground forums, which provides an additional means of obtaining cloud credentials and access.

Scattered Spider also uses well-known credential-stealing malware, including Stealc, Raccoon Stealer, Vidar Stealer, and RedLine Stealer.

SIM swapping and critical SaaS apps

This actor commonly leverages SIM swapping to circumvent multi-factor authentication (MFA) protections and access critical SaaS applications.

After successfully gaining access to a user account, the actor will target cloud infrastructure and, in some cases, create virtual machines to bypass existing security.

Leveraging open-source tools for cloud reconnaissance

After gaining access to a cloud infrastructure via SSO-enabled dashboards for M365, the actor conducts extensive reconnaissance.

The actor will search integrated applications within the cloud environment and focus on CRM systems, document management platforms, password storage solutions, code repos, and more. Scattered Spider will also look for information that could be used for extortion or to target third parties associated with the victim.

Persistence in cloud infrastructures

Since the beginning of 2024, the actor has been observed abusing cross-tenant synchronization (CTS) within Microsoft Entra ID.

The actor also leverages federated identity providers in Entra ID and Okta tenants for persistence.

Analyst comments from Tanium’s Cyber Threat Intelligence team

EclecticIQ’s research examines the group’s operations between 2023 and the second quarter of 2024. Their findings show that Scattered Spider has been quite successful due in large part to their skilled social engineering. EclecticIQ’s research also reveals that this group is emphasizing the deployment of ransomware in cloud environments.

It’s worth noting that in July 2024, an individual linked to the Scattered Spider group was arrested. Only time will tell if the operation continues to be successful.

UNC2970 exploits U.S. job seekers

Mandiant is tracking an actor known as UNC2970. This actor masquerades as a recruiter and targets victims under the guise of job openings.

Lately, the actor has been engaging with victims via email and WhatsApp and sharing a malicious archive containing an encrypted PDF file and a trojanized PDF viewer application. The file can only be opened with the included trojanized version of SumatraPDF and seeks to deliver a backdoor.

UNC2970’s infection chain

Mandiant investigated an incident where a victim downloaded and opened a password-protected ZIP archive received via WhatsApp. The archive included five files: a PDF containing the lure file displayed to the victim and the MISTPEN backdoor, a trojanized DLL file, two legitimate DLL files, and the legitimate open-source SumatraPDF viewer application executable.

Mandiant believes the user was instructed to open the PDF file containing the trojanized PDF viewer program. It’s important to note that this is not a vulnerability in SumatraPDF but rather a trojanized version. The MISTPEN payload ultimately loads into memory.

• BURNBOOK is loaded by the SumatraPDF.exe executable. It is a launcher that executes an encrypted payload stored in a file and writes it to disk. It contains malicious code triggered when the user opens the PDF decoy lure file.
• MISTPEN backdoor attempts to download and execute PE files. The malware is a modified version of the Notepad++ binhex plugin, v2.0.0.1. It communicates over HTTP with several Microsoft Graph APIs. It supports multiple commands, including parsing, loading into memory, executing the received PE payload, terminating processes, updating its sleep time in the configuration, and more.
• TEARPAGE loader is embedded in the resource section of BURNBOOK. It gets loaded via DLL search order hijacking and will decrypt an encrypted blob. The decrypted output is the MISTPEN backdoor.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Threat actors are constantly looking for new social engineering schemes, and the latest seems to be posing as job recruiters.

Some actors send out fake coding tests to job seekers containing malware. The victim never gets to the test stage and gets impacted simply by opening what they believe to be a PDF file of the job description.

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.