The financially motivated UNC3944 threat group has shifted focus to data theft extortion from software-as-a-service applications but without the use of ransomware variants, which it is historically known for. UNC3944, also known as 0ktapus, Octo Tempest, Scatter Swine and Scattered Spider, is a financially motivated threat group that has demonstrated significant adaptability in its tactics since its inception in May 2022. According to Google-owned cybersecurity company Mandiant, the threat group has now evolved its strategies to include data theft from SaaS applications. It leverages cloud synchronization tools for data exfiltration, persistence mechanisms against virtualization platforms and lateral movement via SaaS permissions abuse, Mandiant said.

Data Theft Extortion Without Ransomware

UNC3944 initially focused on credential harvesting and SIM swapping attacks but over the years has transitioned to ransomware. Mandiant has now found evidence that shows the threat group has taken a further leap and now shifted primarily to data theft extortion without any ransomware deployment. UNC3944’s latest attack lifecycle often begins with social engineering techniques aimed at corporate help desks. Mandiant said the threat group gained initial access exploiting privileged accounts in multiple instances. The UNC3944 group used personally identifiable information (PII) such as Social Security numbers, birth dates and employment details likely scraped from social media profiles of the victims to bypass identity verification processes of help desks. They often claimed the need for a multi-factor authentication (MFA) reset due to receiving a new phone, enabling them to reset passwords and bypass MFA protections on privileged accounts.

“Evidence also suggests UNC3944 has occasionally resorted to fear mongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.” - Mandiant

Phase I of UNC3944’s Attack Lifecycle

The first phase of the threat group’s attack lifecycle includes:

• Social Engineering: UNC3944 conducted sophisticated social engineering attacks, leveraging extensive research on victims to gain help desk access.
• Credential Harvesting: Used SMS phishing campaigns to harvest credentials.
• Internal Reconnaissance: After gaining access, conducted reconnaissance on Microsoft applications like SharePoint to gather internal documentation on VPNs, VDI and remote work utilities.
• Privilege Escalation: Abused Okta permissions to self-assign roles and gain broader access to SaaS applications.

[caption id="attachment_77144" align="aligncenter" width="1024"] UNC3944 attack lifecycle (Source: Mandiant)[/caption]

Phase II of the Attack Lifecycle

In the second phase of UNC3944’s attack lifecycle, the threat group employed aggressive persistence methods through the creation of new virtual machines in environments like vSphere and Azure. They use administrative privileges to create these machines and configure them to disable security policies, such as Microsoft Defender, to avoid detection. A lack of endpoint monitoring allowed the group to download tools like Mimikatz, ADRecon, and various covert tunneling utilities like NGROK, RSOCX and Localtonet to maintain access to the compromised device without needing VPN or MFA. UNC3944 has previously deployed Alphv ransomware on virtual machine file systems but Mandiant said since the turn of 2024, it has not observed ransomware deployment by this threat group.

Focus Shifts to SaaS Applications

The novel shift in UNC3944’s targeting is its exploitation of SaaS applications to gain further access and conduct reconnaissance.

“Mandiant observed access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP.”

Once the threat group gained access to any of the SaaS applications, they then used endpoint detection and response tooling to test access to the environment and further used tools like Airbyte and Fivetran to exfiltrate data to attacker-owned cloud storage.

Advanced Techniques of Phase II

Some of the advanced techniques demonstrated by UNC3944 in phase two of the attack lifecycle includes: ADFS Targeting: Exporting Active Directory Federated Services certificates to perform Golden SAML attacks for persistent cloud access. Data Exfiltration: Using cloud synchronization utilities to move data from SaaS platforms to external cloud storage. Endpoint Detection and Response (EDR): Creation of API keys in CrowdStrike’s console for executing commands and further testing access. Anti-Forensic Measures: UNC3944 employed anti-forensic techniques to obscure their activities. They use publicly available utilities to reconfigure virtual machines, disable logging, and remove endpoint protections. The attackers also used ISO files like PCUnlocker to reset local administrator passwords and bypass domain controls.

Abuse of M365 Delve Feature

Mandiant observed advanced M365 features like Microsoft Office Delve being used for data reconnaissance by UNC3944 for uncovering accessible data sources. Delve offers quick access to files based on group membership or direct sharing and shows personalized content recommendations from M365 sources and mapping organizational relationships. While this feature is useful for collaboration, UNC3944 exploited Delve for rapid reconnaissance, identifying active projects and sensitive information by recent modification. These resources typically lack sufficient security monitoring and logging. Traditional security controls, like firewalls and network flow sensors, are ineffective for detecting large data transfers from SaaS platforms. Identifying data theft with traditional logs is challenging, and real-time detection remains difficult with historical log analysis. The storage of sensitive data in SaaS applications poses significant risks that is often overlooked due to the perceived security of SaaS models. UNC3944 exploited these weaknesses and took advantage of inadequate logging and monitoring to perform data theft undetected.

Recommended Mitigation Steps

Mandiant researchers recommended a number of controls to protect against the threat group's tactics:

• Implement host-based certificates and MFA for VPN access to ensure secure connections.
• Have stricter conditional access policies and limit visibility and access within cloud tenants.
• Have enhanced monitoring through centralized logs from SaaS applications and virtual machine infrastructures to detect suspicious activities.
• Ensure comprehensive logging for SaaS applications to detect signs of malicious intent.

Researchers discovered a new data theft campaign, active since at least 2021, attributed to an advanced persistent threat (APT) actor dubbed "LilacSquid." This campaign, observed by researchers at Cisco Talos, targets a diverse set of industries, including IT organizations in the United States, energy companies in Europe, and pharmaceutical firms in Asia. This broad victimology suggests that LilacSquid is agnostic to industry verticals, aiming to steal data from various sectors.

Use of Open-Source Tools and Customized Malware

The campaign from LilacSquid employs MeshAgent, an open-source remote management tool and a customized version of QuasarRAT that researchers refer as "PurpleInk," as primary implants after compromising vulnerable application servers exposed to the internet. LilacSquid exploits public-facing application server vulnerabilities and compromised remote desktop protocol (RDP) credentials to deploy a range of open-source tools and customized malware, including MeshAgent, SSF, PurpleInk, and loaders InkBox and InkLoader.

LilacSquid's Long-Term Access for Data Theft through Persistence

Talos assessed with high confidence that LilacSquid has been active since at least 2021, focusing on establishing long-term access to compromised organizations to siphon valuable data to attacker-controlled servers. The campaign has successfully compromised entities in Asia, Europe, and the United States across various sectors such as pharmaceuticals, oil and gas, and technology. LilacSquid uses two primary infection chains: exploiting vulnerable web applications and using compromised RDP credentials. [caption id="attachment_73284" align="aligncenter" width="1024"] LilacSquid Initial Access and Activity. (Credit: Cisco Talos)[/caption] Once a system is compromised through exploiting vulnerabilities on internet facing devices, LilacSquid deploys multiple access tools, including MeshAgent, SSF, InkLoader, and PurpleInk. [caption id="attachment_73286" align="aligncenter" width="1024"] LilacSquid's Lateral Movement via RDP. (Credit: Cisco Talos)[/caption] MeshAgent, downloaded using bitsadmin utility, connects to its command and control (C2) server, conducts reconnaissance, and activates other implants. On the other hand InkLoader, a .NET-based malware loader, is used when RDP credentials are compromised. It persists across reboots and executes PurpleInk, with the infection chain tailored for remote desktop sessions.

PurpleInk Implant of LilacSquid

PurpleInk, derived from QuasarRAT, has been customized extensively since 2021.

"Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family."

It features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Different variants of PurpleInk exhibit varying functionalities, with some stripped-down versions retaining core capabilities to evade detection. InkBox, an older loader used by LilacSquid, reads from a hardcoded file path on disk, decrypts its contents, and runs PurpleInk. Since 2023, LilacSquid has modularized the infection chain, with PurpleInk running as a separate process via InkLoader. [caption id="attachment_73282" align="aligncenter" width="1024"] PurpleInk Activation Chain (Credit: Cisco Talos)[/caption] Post-exploitation, MeshAgent activates other tools like SSF and PurpleInk. MeshAgent, configured with MSH files, allows operators to control infected devices extensively, managing files, viewing and controlling desktops, and gathering device information.

Parallels with North Korean APT Groups

The tactics, techniques, and procedures (TTPs) used in this campaign show similarities to those of North Korean APT groups, such as Andariel and Lazarus. Andariel is known for using MeshAgent to maintain post-compromise access, while Lazarus extensively employs SOCKs proxy and tunneling tools, along with custom malware, to create channels for secondary access and data exfiltration. LilacSquid has similarly deployed SSF and other malware to establish tunnels to their remote servers. The LilacSquid campaign highlights the persistent and evolving threat posed by sophisticated APT actors. By leveraging a combination of open-source tools and customized malware, LilacSquid successfully infiltrates and maintains long-term access to diverse organizations worldwide. IoCs to detect LilacSquid's PurpleInk infection:

PurpleInk: 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8

Network IOCs 

67[.]213[.]221[.]6 192[.]145[.]127[.]190 45[.]9[.]251[.]14 199[.]229[.]250[.]142