CTI Roundup: Scattered Spider and RansomHub Partner, Infostealer Malware Bypasses Chrome Patches, Evasive Panda Back in the News
Scattered Spider partners with RansomHub, infostealers evade Chrome defenses, and Evasive Panda uses CloudScout to steal user cookies
This week, CTI looks at a new partnership between the Scattered Spider threat group and RansomHub ransomware as a service (RaaS) operation. Next up, CTI explores how infostealers are evolving to bypass Google’s app-bound encryption in Chrome. Finally, CTI explains how the Evasive Panda threat actor uses a previously undocumented post-compromise toolset called CloudScout in its cookie theft attacks.
Scattered Spider partners with RansomHub
A recent cybersecurity incident reveals that the Scattered Spider threat group is now working with RansomHub for its attacks.
According to ReliaQuest, the actor reached its encryption phase within six hours of gaining initial access to two employee accounts via social engineering against the target organization’s help desk.
What is Scattered Spider?
The Scattered Spider threat group has been active since at least May 2022. Researchers believe that the group currently contains roughly 1,000 English-speaking threat actors.
Since its inception, members of the group have continued to advance their social engineering skills and combine them with Russia-linked ransomware strains to carry out attacks.
The group was previously an affiliate of the BlackCat ransomware operation before that group disbanded. Scattered Spider is now leveraging RansomHub ransomware in its attacks.
Attack analysis
ReliaQuest noticed several interesting behaviors during this incident, including:
- The actor demonstrated persistent social engineering. Initial access was obtained by using social engineering on members of the help desk to successfully compromise the CFO’s account. After realizing this account did not have the permissions needed to carry out the rest of the attack, the actor returned to the help desk and used the same social engineering tactic to compromise a domain admin account.
- Other notable behaviors included abusing telecom infrastructure, spinning up a VM within the ESXi environment for lateral movement, and demonstrating rapid time to impact. The actor was able to compromise the CFO account and the domain admin account within an hour after calling the help desk.
A closer look at Scattered Spider’s social engineering tactic
The threat actor called the organization’s IT help desk and convinced them to reset the password for an account belonging to the company’s CFO. They later called the help desk, reached a different employee, and convinced them to reset the multi-factor authentication (MFA) controls on the CFO’s account, which made it possible for the actor to enroll their own device for MFA.
After realizing that the account lacked the necessary permissions for a successful attack, they searched across the organization’s SharePoint site to identify a domain admin account that would get them what they needed. With this target in mind, the actor called the help desk again and requested the password be reset for that domain admin account, which carried Okta Super Administrator privileges.
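The help-desk chain described above (password reset, then an MFA reset handled by a different agent, then enrollment of a new device, all inside an hour) is something a defender can correlate from identity audit logs. The example below is added here and is not part of the ReliaQuest report; the event shape, account names and the privileged-account list are constructed assumptions, not real Okta or Active Directory log fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider audit events (not real logs):
# (timestamp, event, target_account, actor_who_performed_it, note)
SAMPLE_EVENTS = [
    ("2024-10-01T09:02:00", "password_reset", "cfo",      "helpdesk_a", ""),
    ("2024-10-01T09:20:00", "mfa_reset",      "cfo",      "helpdesk_b", "different agent"),
    ("2024-10-01T09:23:00", "mfa_enroll",     "cfo",      "cfo",        "new device enrolled"),
    ("2024-10-01T09:55:00", "password_reset", "da_admin", "helpdesk_a", ""),
    ("2024-10-01T09:58:00", "mfa_enroll",     "da_admin", "da_admin",   "new device enrolled"),
    ("2024-10-01T14:00:00", "password_reset", "j.smith",  "helpdesk_c", "routine, no MFA change"),
    ("2024-10-02T11:00:00", "mfa_reset",      "j.smith",  "helpdesk_c", "next day, outside window"),
]
# Assumption: accounts holding domain admin / IdP super-admin roles.
PRIVILEGED = {"da_admin"}

def find_reset_chains(events, window=timedelta(hours=1)):
    """Return accounts where a password reset was followed, within `window`,
    by an MFA reset or a new MFA enrollment. That sequence is the help-desk
    takeover pattern; a lone password reset is not flagged."""
    by_target = defaultdict(list)
    for ts, event, target, actor, _note in events:
        by_target[target].append((datetime.fromisoformat(ts), event, actor))
    findings = {}
    for target, recs in by_target.items():
        recs.sort()
        for t0, event, actor in recs:
            if event != "password_reset":
                continue
            follow = [(t, e, a) for t, e, a in recs
                      if t0 < t <= t0 + window and e in ("mfa_reset", "mfa_enroll")]
            if not follow:
                continue
            # Count help-desk agents involved: the resetter plus anyone who reset MFA.
            agents = {actor} | {a for _, e, a in follow if e == "mfa_reset"}
            findings[target] = {
                "chain": ["password_reset"] + [e for _, e, _ in follow],
                "privileged": target in PRIVILEGED,
                "helpdesk_actors": len(agents),
                "minutes": int((follow[-1][0] - t0).total_seconds() // 60),
            }
            break
    return findings

if __name__ == "__main__":
    for target, info in find_reset_chains(SAMPLE_EVENTS).items():
        print(target, info)
```

Privileged hits with more than one help-desk agent in the chain deserve the fastest response, since that is exactly the sequence used against the CFO and domain admin accounts here.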
Demanding ransom via Microsoft Teams
The actor carried out a double extortion attack by encrypting the ESXi environment, exfiltrating data, targeting backup solutions, encrypting on-prem backups, deleting cloud backups, and finally demanding a ransom. The actor was able to exfiltrate several gigabytes of data via Mega Cloud.
The ransom note also differed from traditional ransomware attacks. In this instance, the threat actor sent a Microsoft Teams message from a previously compromised domain admin account. This message included a link for the ransom demand. The actor also sent an email from the same account with a subject that said, “Urgent Update on Cyber Attack.”
Analyst comments from Tanium’s Cyber Threat Intelligence team
There are a lot of interesting components in this Scattered Spider campaign. First and foremost, it’s clear that this actor moves fast and is getting faster. Their social engineering tactics also appear trivial, yet they are incredibly effective.
What’s more, the ransom note in this example wasn’t delivered as a traditional README file. Instead, the actor delivered the note using Teams and email messages.
ReliaQuest also mentions how Russian- and English-speaking threat actors are now collaborating, as evidenced by this latest partnership. Historically, these two groups have not collaborated often.
Scattered Spider and RansomHub are not threats to take lightly, especially when they’re working together.
Infostealers evade patched Chrome defenses
Earlier this year, Google introduced app-bound encryption for its Chrome browser to enhance cookie protection against malware. This was primarily introduced in response to the rise in cookie theft-focused infostealer malware.
Elastic Security Labs has since investigated how this has impacted the threat landscape, identifying infostealers with new code to bypass this protection and stay competitive.
Background and timeline
Researchers identified several techniques used by a handful of malware to get around Google’s app-bound encryption feature, including Stealc/Vidar, MetaStealer, Phemedrone, XenoStealer, and Lumma.
Some of these methods include remote debugging via DevTools, reading the process memory of Chrome’s network service process, and elevating to SYSTEM and then decrypting the app_bound_encryption_key.
Let’s look at a timeline of these malware types and how they work:
- Stealc/Vidar: Elastic observed new code in the Stealc infostealer specifically related to this cookie bypass technique toward the end of September, just a few months after Google’s announcement. These samples differed from previous Stealc samples in that they included conditional checks. An embedded binary creates a hidden desktop, scans for and kills all chrome.exe processes, and starts a new chrome.exe process on that desktop. The malware then selects the appropriate signature pattern for the Chromium component called CookieMonster, and it is ultimately able to extract unencrypted cookie values from one of Chrome’s child processes.
- MetaStealer: This infostealer was observed upgrading its code to steal Chrome data even after Google’s new mitigation. On September 30, the MetaStealer author announced on Telegram that they had enhanced their ability to steal cookies despite Chrome’s latest changes.
- Phemedrone: This open-source stealer got a lot of publicity not long ago for using the Windows SmartScreen vulnerability. A new version submitted in September appears to include a new cookie grabber feature specifically for Chrome.
- XenoStealer: Another open-source stealer, still under active development. Elastic notes that its Chrome bypass feature was introduced on September 26.
- Lumma: In mid-October, a new version of Lumma introduced additional methods to bypass Chrome’s new cookie protection features.
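Two of the behaviours listed above are visible in ordinary endpoint process telemetry: Chrome started with DevTools remote debugging enabled, and a burst of chrome.exe terminations followed by a fresh chrome.exe launched from an unexpected parent. The detection below is an added example, not Elastic’s code or rules; the Sysmon-style records, the parent allow-list and the timing thresholds are constructed assumptions to be tuned per environment.

```python
import re
from datetime import datetime, timedelta

# Real Chrome switches that expose the DevTools protocol to another process.
REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)\b", re.IGNORECASE)
# Assumption: how chrome.exe is normally launched in this environment.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed Sysmon-style records (id 1 = process create, 5 = terminate); not real telemetry.
SAMPLE_EVENTS = [
    {"t": "2024-10-01T10:00:00", "id": 1, "image": CHROME,
     "parent": r"C:\Windows\explorer.exe", "cmd": "chrome.exe"},
    {"t": "2024-10-01T10:00:01", "id": 1, "image": CHROME,
     "parent": CHROME, "cmd": "chrome.exe --type=renderer"},
    {"t": "2024-10-01T10:30:00", "id": 5, "image": CHROME, "parent": "", "cmd": ""},
    {"t": "2024-10-01T10:30:00", "id": 5, "image": CHROME, "parent": "", "cmd": ""},
    {"t": "2024-10-01T10:30:02", "id": 1, "image": CHROME,
     "parent": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "cmd": r'chrome.exe --remote-debugging-port=9222 --headless --user-data-dir="C:\Users\u\AppData\Local\Google\Chrome\User Data"'},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_chrome_abuse(events, kill_window=timedelta(seconds=30), min_kills=2):
    """Return (rule_name, event_index) pairs for chrome.exe events that match
    the remote-debugging or kill-and-respawn patterns."""
    findings = []
    recent_kills = []  # timestamps of chrome.exe terminations seen so far
    for i, ev in enumerate(events):
        if basename(ev["image"]) != "chrome.exe":
            continue
        t = datetime.fromisoformat(ev["t"])
        if ev["id"] == 5:
            recent_kills.append(t)
            continue
        if ev["id"] != 1:
            continue
        if REMOTE_DEBUG.search(ev["cmd"]):
            findings.append(("chrome_remote_debugging", i))
        if basename(ev["parent"]) not in EXPECTED_PARENTS:
            findings.append(("chrome_unusual_parent", i))
            # Several chrome.exe exits just before this launch: the respawn pattern.
            kills = [k for k in recent_kills if t - kill_window <= k <= t]
            if len(kills) >= min_kills:
                findings.append(("chrome_killed_and_respawned", i))
    return findings
```

A hit on `chrome_remote_debugging` alone can be a developer or test harness, so the respawn rule and the unusual parent are what push it to a high-confidence alert.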
Analyst comments from Tanium’s Cyber Threat Intelligence team
This is a prime example of the never-ending cycle between threat actors and defenders: Threat actors discover ways to bypass controls and features, defenders and vendors create new features to prevent such activity, and threat actors develop new bypass strategies in response.
Elastic identified a few malware families that are actively developing ways of bypassing Chrome’s app-bound encryption. It’s highly probable that additional malware families will soon demonstrate similar capabilities.
Evasive Panda uses CloudScout in latest cookie attacks
According to ESET, the advanced persistent threat (APT) actor known as Evasive Panda is now using a previously undocumented post-compromise toolset called CloudScout in its attacks.
The CloudScout toolset retrieves data from a range of cloud services with the help of stolen web session cookies and integrates with the actor’s signature malware framework, MgBot.
About Evasive Panda
Evasive Panda has operated since at least 2012, primarily engaging in cyberespionage campaigns.
At the beginning of 2023, the actor deployed three previously unknown .NET modules designed to access public cloud services by hijacking authenticated web sessions. The technique relies on stealing cookies from a browser database and reusing them to access the cloud services as the victim.
Technical analysis
CloudScout is a .NET malware framework comprising multiple modules that target various cloud services.
To date, ESET has identified seven modules of CloudScout, though seven of these have not yet been observed on compromised machines. CloudScout has a 2020 copyright, indicating that it could have been developed around this time.
ESET identified a common RC4 encryption key between three of the modules they analyzed. They used this to determine that one of the modules, CGM, was deployed by a MgBot plugin used by Evasive Panda.
CommonUtilities package
The heart of CloudScout is a package called CommonUtilities. This package includes the low-level libraries needed for each module to run. The package is stored in the resources section of the modules and gets loaded during the “ModuleStart” function.
CommonUtilities includes numerous custom-built libraries, even though many similar open-source options are available. Writing these in-house gives the malware developers greater flexibility and control over the internal workings of their implant than open-source alternatives would.
Authentication and data retrieval
Web platforms do not always document cookies well. CloudScout can steal the cookies from Google Drive, Gmail, and Outlook if a session is still valid. After authentication, the tool will browse the compromised services with the help of its modules that have different hardcoded web requests.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Evasive Panda is a sophisticated actor and has been for some time. While the CloudScout toolset seems complex and could have the potential to be impactful, it’s worth noting that Google has since released protective features in Chrome to help defend against cookie-theft malware such as CloudScout.
As ESET notes, this could potentially make the tool obsolete. However, like with everything else, if actors find value in something, they will continue to seek ways to circumvent these measures.