UNC3944 Is Now Deploying Ransomware Variants

Financially Motivated Hackers Are Diversifying Operations

UNC3944 Is Now Deploying Ransomware Variants
Image: Shutterstock

A financially motivated criminal syndicate that mainly operates in Telegram and underground forums has expanded its criminal arsenals to deploy ransomware and other intrusion capabilities on various cloud applications, warn Mandiant researchers.

See Also: Live Webinar | Best Strategies for Transferring Sensitive Financial Data

Tracked as UNC3944 and also known as 0ktapus and Scattered Spider, the criminal group began operations in 2021 by offering mobile social engineering kits for credential theft, Mandiant said.

In recent months, the group has diversified its operations to offer wide-ranging intrusion capabilities. This includes previously unseen phishing tactics to gain initial access, advanced persistence capabilities for privilege escalation in cloud environments, and deployment of info stealers and ransomware.

In the case of the group’s ransomware campaign, UNC3944 deploys an Alphv variant and tends to target victims running on critical virtual machines to maximize the scale of its operation. The group is also suspected to be behind the MGM Resorts International hack that has caused ongoing service disruption at various branches of the casino operator (see: Caesars Entertainment Reportedly Pays Ransom to Attackers).

“UNC3944 is an evolving threat that has continued to broaden its skills and tactics in order to successfully diversify its monetization strategies,” the Mandiant researchers said. The threat group is likely to improve its offerings over time and will likely liaise with more underground hackers to increase the efficiency of its operations.

Among the latest phishing kits deployed by the group is a tool that researchers have dubbed EightBait. It uses the remote desktop application AnyDesk to capture and send credentials to a hacker-controlled Telegram channel. Another phishing kit used by the hackers scrapes login pages of victim organizations to dupe employees of the firms into inputting their login details, the report says.

In addition to phishing tactics, the group also targets password vault software vendors such as HashiCorp to steal credentials.

One of the tactics attackers use to target cloud infrastructure is federated IDs that allow a single sign-on to multiple applications to identify a victim’s customers from Microsoft cloud environments. The attackers conduct security assertion markup language attacks using forged SAML certificates to bypass authentication.

Cyber defenders have also observed the group using Azure Data Factory, a data integration service, to steal data stored in various integrated platforms such as data warehouses, storage blobs and SQL databases.