A threat actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with persistent attacks that leverage advanced social engineering ploys to gain initial access.
“The attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offered a prebuilt hosting framework and bundled templates,” Palo Alto Networks Unit 42 said in a technical report.
Libra is the constellation-themed designation given by the cybersecurity company for cybercrime groups. The “muddled” moniker for the threat actor stems from the prevailing ambiguity with regards to the use of the 0ktapus framework.
0ktapus, also known as Scatter Swine, refers to an intrusion set that first came to light in August 2022 in connection with smishing attacks against over 100 organizations, including Twilio and Cloudflare.
Then in late 2022, CrowdStrike detailed a string of cyber assaults aimed at telecom and BPO companies at least since June 2022 by means of a combination of credential phishing and SIM swapping attacks. This cluster is being tracked under the names Roasted 0ktapus, Scattered Spider, and UNC3944.
“Unit 42 decided to name Muddled Libra because of the confusing muddled landscape associated with the 0ktapus phishing kit,” senior threat researcher Kristopher Russo told The Hacker News.
“Since the kit is now widely available, many other threat actors are adding it to their arsenal. Using the 0ktapus phishing kit alone doesn’t necessarily classify a threat actor as what Unit 42 calls Muddled Libra.”
The e-crime group’s attacks commence with making use of smishing and the 0ktapus phishing kit for establishing initial access and typically end with data theft and long-term persistence.
Another unique hallmark is the use of compromised infrastructure and stolen data in downstream attacks on victim’s customers, and in some instances, even targeting the same victims over and over again to replenish their dataset.
Unit 42, which investigated over half a dozen Muddled Libra incidents between June 2022 and early 2023, characterized the group as dogged and “methodical in pursuing their goals and highly flexible with their attack strategies,” quickly shifting tactics upon encountering roadblocks.
Besides favoring a wide range of legitimate remote management tools to maintain persistent access, Muddled Libra is known to tamper with endpoint security solutions for defense evasion and abuse multi-factor authentication (MFA) notification fatigue tactics to steal credentials.
The threat actor has also been observed collecting employee lists, job roles, and cellular phone numbers to pull off the smishing and prompt bombing attacks. Should this approach fail, Muddled Libra actors contact the organization’s help desk posing as the victim to enroll a new MFA device under their control.
“Muddled Libra’s social engineering success is notable,” the researchers said. “Across many of our cases, the group demonstrated an unusually high degree of comfort engaging both the help desk and other employees over the phone, convincing them to engage in unsafe actions.”
Also employed in the attacks are credential-stealing tools like Mimikatz and Raccoon Stealer to elevate access as well as other scanners to facilitate network discovery and ultimately exfiltrate data from Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging platforms.
Unit 42 theorized the makers of the 0ktapus phishing kit don’t have the same advanced capabilities that Muddled Libra possesses, adding there is no definite connection between the actor and UNC3944 despite the tradecraft overlaps.
“At the intersection of devious social engineering and nimble technology adaptation stands Muddled Libra,” the researchers said. “They are proficient in a range of security disciplines, able to thrive in relatively secure environments and execute rapidly to complete devastating attack chains.”
“With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.”