'Muddled Libra' Uses Oktapus-Related Smishing to Target Outsourcing Firms

A new, unusually dogged threat group dubbed "Muddled Libra" by threat researchers is targeting large outsourcing firms with multi-layered, persistent attacks that start with smishing and end with data theft. The group is also using the infrastructure that it compromises in downstream attacks on victims' customers.

The threat group has been attributed to more than half a dozen interrelated incidents from mid-2022 and early 2023, and makes use of the previously reported Oktapus phishing kit as initial entry into its attacks, researchers from Palo Alto Networks Unit 42 said in a report released today.

From there, the group — which has "an intimate knowledge of enterprise information technology" — maintains non-destructive persistence on a target organization's system until it achieves its goals, which typically are the exfiltration of data and the use of this data and the compromised system to conduct further attacks, Unit 42 researchers Kristopher Russo, Austin Dever, and Amer Elsad, said.

"Muddled Libra has shown a penchant for targeting a victim's downstream customers using stolen data and, if allowed, they will return repeatedly to the well to refresh their stolen data set," they wrote. "Using this stolen data, the threat actor has the ability to return to prior victims even after initial incident response."

Indeed, the group doesn't just capitalize on opportunistic access to targets but has clear goals for breaches, seeking out and then stealing information on an organization's clients that can then be used it to pivot into those environments, the researchers said.

Muddled Libra: A Targeted & Tenacious Cyberthreat

Researchers have observed the group targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals but added that Muddled Libra also poses a substantial threat to organizations in the software automation, business process outsourcing, telecommunications, and technology industries.

Though it's not bringing "anything new to the table" in terms of malware or tactics, the group is particularly dangerous for a couple of key reasons, the researchers said. The threat actors are both methodical and flexible in their attack technique, able to pivot to another vector or even modify an environment to allow for their favored attack path.

Muddled Libra also shows proficiency in a range of security disciplines and can thrive and execute "devastating" attack chains rapidly, even in environments that organizations have adequately secured by most standards, the researchers noted.

Further, the group is unusually tenacious even after discovery, repeatedly demonstrating "a strong understanding of the modern incident response (IR) framework," that allows them to keep going even once they face attempted network expulsion, the researchers wrote. "Once established, this threat group is difficult to eradicate," they said.

Oktapus Phishing, a Typical Cyberattack Vector

The group's attacks typically start with reconnaissance to create profiles of targets, followed by the development of resources — such as setting up lookalike phishing domains and the deployment of the Oktapus phishing kit.

These resources eventually lead to a smishing attack that sends a lure message directly to the targeted employees' mobile phones. The message claims the need to update account information or re-authenticate to a corporate application and includes a link that emulates a familiar corporate log-in page.

One of the attackers then employs social engineering in conversation with the employee to gain access to the network, capturing credentials to be used for initial access and navigating multifactor authentication (MFA), either by asking for a code or generating an endless string of MFA prompts until the user accepts one out of fatigue or frustration, in a tactic known as MFA bombing.

Once establishing a network foothold, Muddled Libra moves quickly to elevate access using standard credential-stealing tools such as Mimikatz, ProcDump, DCSync, Raccoon Stealer, and LAPSToolkit. If the group can't quickly locate elevated credentials, it turns to Impacket, MIT Kerberos Ticket Manager, and NTLM Encoder/Decoder, the researchers said.

Muddled Libra also deploys at least a half dozen free or demo versions of remote monitoring and management (RMM) tools — which are legitimately used within organizations and thus won't arouse suspicion — once it gains access to an environment. This ensures that even if their activities are discovered, they can maintain a backdoor into the environment, the researchers said.

The group also engages in a series of evasive maneuvers, including disabling antivirus and host-based firewalls; attempting to delete firewall profiles; creating defender exclusions; and deactivating or uninstalling EDR and other monitoring products to ensure persistence on the network.

Finally, Muddled Libra eventually moves on to accessing and exfiltrating data, which appears to be its primary goal, as the researchers rarely saw the group engage in remote code execution, they said. To exfiltrate data, the group attempted to establish reverse proxy shells or secure shell (SSH) tunnels for command and control (C2), or used common file-transfer sites or the Cyberduck file-transfer agent, they said. In some cases, the group then uses the compromised infrastructure as a trusted organizational asset to engage in follow-on attacks on downstream customers, the researchers said.

Mitigation & Protection Against Sophisticated Data Theft

To defend against such a sophisticated threat actor, organizations "must combine cutting-edge technology and comprehensive security hygiene, as well as diligent monitoring of external threats and internal events," the researchers advised.

Unit 42 researchers made a number of recommendations to this end, including the implementation of MFA and single sign-on (SSO) wherever possible, noting that Muddled Libra has its most success when it has to convince employees to help the group bypass MFA. "When they were unable to do so, they appeared to move onto other targets," they noted.

Organizations should also implement comprehensive user-awareness training, as the group is highly skilled at social engineering both help desk and other employees via phone and SMS. Training can help employees identify suspicious non-email-based outreach and thus mitigate attacks, the researchers said.

Credential hygiene should also be kept up to date and organizations should grant access to employees only when and for as long as necessary, the researchers said. Defenders also should limit the connection of anonymization services to the network, which ideally should only be allowed at the firewall level by App-ID, they said.

Moreover, organizations should maintain robust network security and endpoint security, the researchers advised. The latter should be an extended detection and response (XDR) solution that can identify malicious code through the use of advanced machine learning and behavioral analytics, blocking threats in real time as they are identified, they said.

Finally, in case an organization is breached, administrators should assume that the attacker "knows the modern IR playbook" and consider setting up out-of-band response mechanisms, they said.