Wiz Research looks at phishing tactics, along with how to trace and investigate these campaigns.
Analysis Summary
# Tool/Technique: 0ktapus Phishing Infrastructure and Techniques
## Overview
The focus of this summary is the phishing infrastructure and techniques employed by the threat actor known as **0ktapus** (also known by aliases such as Scattered Spider, UNC3944, Storm-0875, Starfraud, Scatter Swine, Muddled Libra, LUCR-3, and Octo Tempest). This actor specializes in financially motivated attacks, primarily targeting cloud environments by compromising identities, often focusing on IT service desk workers and administrators. The primary method discussed is the use of sophisticated phishing landing pages crafted to steal credentials.
## Technical Details
- Type: Threat Actor Activity / Phishing Infrastructure
- Platform: Web/Cloud Environments (targeting credentials for cloud services)
- Capabilities: Social engineering (phishing, smishing, vishing), MFA fatigue, SIM hijacking, deployment of bespoke phishing landing pages designed to mimic legitimate login portals.
- First Seen: Active since 2022 (per the article)
## MITRE ATT&CK Mapping
Since the article focuses on initial access and infrastructure, the primary mappings relate to these phases:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Can apply if email links are central)
- T1566.002 - Spearphishing Link
- **TA0011 - Persistence** (If MFA codes/tokens are collected)
- T1555 - Credentials from Password Stores (Implied goal)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Setting up new phishing landing pages that closely mimic legitimate login pages (Identity Providers, help desk sites, etc.) to trick victims into submitting credentials.
- **Social Engineering:** Employing various social engineering tactics including SMS phishing (smishing), voice phishing (vishing), and the use of phishing landing pages.
- **Initial Access Focus:** Targeting IT service desk workers and administrators to gain a foothold.
### Advanced Features
- **DOM Template Variety:** Using different Document Object Model (DOM) templates for their phishing pages, indicating the use of various phishing kits or evolving methodologies (e.g., DOM Template A characterized by specific script paths like `/bundles/modernizr`).
- **Advanced Identity Attacks:** Utilizing more complex techniques such as MFA fatigue and SIM hijacking alongside traditional phishing.
- **Infrastructure Pivoting:** The investigation techniques described in the article focus on pivoting between linked phishing landing pages to discover broader campaign infrastructure.
## Indicators of Compromise
*Note: Specific IOCs (hashes, explicit domains and C2 servers) observed between May 1st, 2024, and October 12th, 2024, are published in a separate GitHub repository linked from the article and are not reproduced in this summary.*
- File Hashes: [Available externally via linked repository]
- File Names: N/A (Focus is on web infrastructure)
- Registry Keys: N/A
- Network Indicators: Phishing domains and associated landing pages mimicking legitimate organizational login portals.
- Behavioral Indicators: Traffic directed towards login pages that exhibit structural anomalies (e.g., specific inclusion of JavaScript libraries or unique DOM structure identifiers, such as those described for "DOM Template A").
## Associated Threat Actors
- **0ktapus** (primary name used in the article)
- Scattered Spider
- UNC3944
- Storm-0875
- Starfraud
- Scatter Swine
- Muddled Libra
- LUCR-3
- Octo Tempest
## Detection Methods
- **Domain Analysis:** Monitoring registration patterns and analyzing DOM structures of newly registered domains targeting high-value organizational login pages.
- **Infrastructure Linking:** Pivoting between known malicious landing pages to discover related infrastructure.
- **Behavioral Monitoring:** Detecting user submission of credentials to non-standard or recently registered login endpoints.
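The DOM-template characterisation under Advanced Features and the domain-analysis and infrastructure-linking steps above can be turned into a small hunting routine. The following is an added example, not code from the Wiz article: it sketches each page's tag sequence and normalised script/link paths, hashes that sketch so the same kit on different domains collapses to one fingerprint, and flags the `/bundles/modernizr` marker the page gives for "DOM Template A". The sample pages and `.invalid` domains are constructed placeholders, and the `TEMPLATE_MARKERS` table is an assumed structure for recording further templates.

```python
import hashlib
import re
from collections import defaultdict
from html.parser import HTMLParser

# Marker paths per known template. Only "DOM Template A" comes from the page;
# the dict shape is an assumption so a hunter can add templates they characterise.
TEMPLATE_MARKERS = {"DOM Template A": ["/bundles/modernizr"]}


class DomShape(HTMLParser):
    """Collect the start-tag sequence and external resource paths of a page."""

    def __init__(self):
        super().__init__()
        self.tags, self.paths = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        src = (a.get("src") if tag == "script"
               else a.get("href") if tag == "link" else None)
        if src:
            # Drop scheme/host and query string so the same kit hosted on a
            # different phishing domain yields the same path list.
            self.paths.append(re.sub(r"^https?://[^/]+", "", src).split("?")[0])


def dom_fingerprint(html):
    """Return (digest, paths); pages built from one kit share the digest."""
    p = DomShape()
    p.feed(html)
    sketch = "|".join(p.tags) + "#" + "|".join(p.paths)
    return hashlib.sha256(sketch.encode()).hexdigest()[:16], p.paths


def match_templates(paths):
    """Name every known template whose marker paths all occur in `paths`."""
    return [name for name, markers in TEMPLATE_MARKERS.items()
            if all(any(m in p for p in paths) for m in markers)]


def cluster_by_template(pages):
    """Group {domain: html} by fingerprint to pivot between related landing pages."""
    groups = defaultdict(list)
    for domain, html in pages.items():
        groups[dom_fingerprint(html)[0]].append(domain)
    return {fp: sorted(domains) for fp, domains in groups.items()}


# Constructed sample pages on placeholder domains (not real indicators).
KIT = ('<html><head><script src="{host}/bundles/modernizr?v=1"></script>'
       '<link href="/bundles/css"></head><body><form><input name="login">'
       '<input name="password"></form></body></html>')
SAMPLE_PAGES = {
    "login-example.invalid": KIT.format(host="https://login-example.invalid"),
    "sso-example.invalid": KIT.format(host=""),
    "benign.invalid": "<html><head></head><body><p>hello</p></body></html>",
}
```

Feeding the fetched HTML of newly registered look-alike domains through `cluster_by_template` groups pages that share a kit, and `match_templates` tells you which characterised template a cluster corresponds to.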
## Mitigation Strategies
- **Strong Authentication:** Implementing phishing-resistant MFA methods where possible.
- **User Education:** Conducting continuous training on identifying social engineering tactics, including smishing and vishing attempts leading to credential submission portals.
- **Infrastructure Monitoring:** Proactive monitoring for newly registered domains that mimic internal or federated identity provider login pages.
## Related Tools/Techniques
- EIGHTBAIT (Mentioned as a potential phishing kit used to generate templates)
- General use of Phishing Kits for credential harvesting.
- Smishing and Vishing campaigns.