Full Report
Explore the tools Unit 42 found on a Muddled Libra rogue host. Learn how they target domain controllers and use search engines to aid their attacks. The post A Peek Into Muddled Libra’s Operational Playbook appeared first on Unit 42.
Analysis Summary
# Threat Actor: Muddled Libra
## Attribution & Identity
* **Name:** Muddled Libra
* **Aliases/Associated Groups:** Scattered Spider, UNC3944, Starfraud, Scatter Swine.
* **Known Associations:** Linked to the 0ktapus smishing campaign; characterized as a group of native English-speaking threat actors who frequently collaborate within "the Com." Known to operate as an affiliate of the ALPHV (BlackCat) ransomware-as-a-service (RaaS) operation.
## Activity Summary
This report details the discovery of an operational "rogue host" used by Muddled Libra. The actor used this environment to stage tools for reconnaissance, credential theft, and lateral movement. Recent operations show a shift from simple phishing toward durable persistence mechanisms and the active use of search engines to research victim environments and administrative procedures while an intrusion is in progress.
## Tactics, Techniques & Procedures
* **Initial Access via Smishing:** SMS-based phishing (the 0ktapus campaign) that lures targets to lookalike authentication portals to harvest credentials and multi-factor authentication (MFA) codes.
* **Active Reconnaissance:** Using search engines (Google/Bing) to look up specific internal organizational terms and technical documentation.
* **Credential Access:** Extensive use of Mimikatz, and manual extraction of the NTDS.dit Active Directory database from compromised Domain Controllers. NTDS.dit is locked while the directory service is running, so extraction normally goes through a volume shadow copy or an ntdsutil IFM export, both of which are observable on the DC.
* **Lateral Movement:** Use of Remote Monitoring and Management (RMM) tools and RDP to move across the environment.
* **Defense Evasion:** Use of legitimate deployment utilities (such as PDQ Deploy) to push malicious payloads across hosts, and execution of scripts that disable EDR/AV agents.
* **Privilege Escalation:** Targeting Domain Controllers specifically to gain administrative control over the entire domain.
* **MITRE ATT&CK IDs:**
* T1566.002 (Phishing: Spearphishing Link)
* T1593.002 (Search Open Websites/Domains: Search Engines)
* T1003.001 (OS Credential Dumping: LSASS Memory)
* T1003.003 (OS Credential Dumping: NTDS)
* T1021.001 (Remote Services: Remote Desktop Protocol)
* T1219 (Remote Access Software)
* T1580 (Cloud Infrastructure Discovery)
## Targeting
* **Sectors:** Software/Technology, Business Process Outsourcing (BPO), Telecommunications, Financial Services, and Retail.
* **Geography:** Primarily Western organizations, specifically in the United States and Europe.
* **Victims:** Large enterprises with complex IT infrastructures and heavy reliance on IAM (Identity and Access Management) solutions.
## Tools & Infrastructure
* **Remote Access/RMM Tools:** AnyDesk, ScreenConnect, Atera, and Tailscale (a mesh VPN rather than an RMM product, but used for the same end: persistent remote access).
* **Discovery/Recon Tools:** AdFind, Advanced IP Scanner, SoftPerfect Network Scanner.
* **Credential Theft:** Mimikatz, Impacket (secretsdump.py).
* **Infrastructure:**
* Cloud storage for exfiltration (e.g., Mega[.]nz, Dropbox).
* Use of public search engines as an "operational aid."
* Defanged IPs/Domains: `88[.]214[.]26[.]232`, `146[.]70[.]115[.]130`.
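As an added example (my code, not code from the Unit 42 report), the following Python prototype turns the tool list above into detection logic: it scans Windows process-creation events for NTDS.dit extraction commands, Impacket/Mimikatz/AdFind usage, and remote-access binaries that are not on an assumed approved list. The JSON event lines, hostnames, user names and the approved-RMM set are constructed for illustration; field names follow Sysmon Event ID 1 (Computer, User, Image, CommandLine).

```python
"""Detection prototype (added example, not Unit 42 code): scan Windows
process-creation events for NTDS.dit extraction, DC credential dumping
tools, and remote-access binaries that are not on an approved list.
Event lines are constructed; field names mirror Sysmon Event ID 1."""
from __future__ import annotations
import json
import re
from dataclasses import dataclass

# Remote-access binaries named in the report (lower-cased image file names).
RMM_BINARIES = {
    "anydesk.exe", "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe", "ateraagent.exe",
    "tailscale.exe", "tailscaled.exe",
}
# Assumption: the only remote-support product the organisation licenses.
APPROVED_RMM = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}

# Command-line signatures of NTDS.dit theft and related DC credential access.
DC_CRED_PATTERNS = [
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    ("ntdsutil_activate_ntds",
     re.compile(r"ntdsutil.*\b(ac|activate)\s+(i|instance)\s+ntds\b", re.I)),
    ("vssadmin_shadow", re.compile(r"vssadmin.*\bcreate\s+shadow\b", re.I)),
    ("ntds_dit_reference", re.compile(r"\bntds\.dit\b", re.I)),
    ("impacket_secretsdump", re.compile(r"secretsdump", re.I)),
    ("mimikatz_module", re.compile(r"\b(lsadump|sekurlsa)::", re.I)),
    ("adfind", re.compile(r"\badfind(\.exe)?\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    evidence: str


def image_basename(image: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[Alert]:
    """Apply the RMM allowlist and the DC credential-access rules to one event."""
    host, user = event.get("Computer", "?"), event.get("User", "?")
    image = image_basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    alerts = []
    if image in RMM_BINARIES and image not in APPROVED_RMM:
        alerts.append(Alert(host, user, "unauthorized_rmm", image))
    for name, pattern in DC_CRED_PATTERNS:
        if pattern.search(cmd):
            alerts.append(Alert(host, user, f"dc_cred_access:{name}", cmd))
    return alerts


def analyze(lines) -> list[Alert]:
    """Parse JSON event lines (skipping blank or malformed ones) and collect alerts."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            alerts.extend(classify(event))
    return alerts


def hosts_by_rule(alerts) -> dict[str, set[str]]:
    """Triage view: which hosts fired which rule family."""
    out: dict[str, set[str]] = {}
    for a in alerts:
        out.setdefault(a.rule.split(":", 1)[0], set()).add(a.host)
    return out


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = r"""
{"Computer":"DC01.corp.example","User":"CORP\\svc_backup","Image":"C:\\Windows\\System32\\ntdsutil.exe","CommandLine":"ntdsutil \"ac i ntds\" \"ifm\" \"create full C:\\Temp\\out\" q q"}
{"Computer":"DC01.corp.example","User":"CORP\\svc_backup","Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin create shadow /for=C:"}
{"Computer":"WS042.corp.example","User":"CORP\\jdoe","Image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","CommandLine":"AnyDesk.exe --silent"}
{"Computer":"WS042.corp.example","User":"CORP\\jdoe","Image":"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe","CommandLine":"ScreenConnect.ClientService.exe"}
{"Computer":"WS042.corp.example","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe C:\\notes.txt"}
{"Computer":"JUMP01.corp.example","User":"CORP\\jdoe","Image":"C:\\Python311\\python.exe","CommandLine":"python.exe secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL"}
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

In production these rules belong in the SIEM or EDR query language rather than a script; what matters is their shape: the DC command lines should essentially never occur outside a scheduled backup window, and remote-access software is handled with an allowlist rather than a blocklist, because the actor can swap AnyDesk for any of a dozen equivalents.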
## Implications
Muddled Libra represents a high-tier cybercrime threat because native-level English fluency makes its social engineering unusually convincing. Its operational playbook reveals a group that is highly adaptable, learning a victim's specific environment on the fly through public search engines. Its move into ransomware as an ALPHV affiliate marks a shift from data theft alone to high-impact operational disruption.
## Mitigations
* **Strengthen MFA:** Move away from SMS-based MFA and other phishable factors toward phishing-resistant FIDO2/WebAuthn hardware security keys. The authenticator's signature covers the origin the browser actually loaded and the relying-party ID, so a credential captured or relayed through a lookalike portal fails verification at the real service.
* **RMM Monitoring:** Inventory the RMM products the organization licenses, block installers for all others (AnyDesk, ScreenConnect, Atera, and similar), and alert on RMM binaries that are not on the approved list or that appear on hosts and accounts with no business running them.
* **Domain Controller Guarding:** Restrict interactive and remote access to Domain Controllers to a tiered set of administrative accounts, and monitor DCs for volume shadow copy creation, ntdsutil IFM exports, reads or copies of `NTDS.dit`, and execution of `AdFind`.
* **Egress Filtering:** Implement strict outbound filtering to block exfiltration to consumer cloud storage (Mega, Dropbox) and connections to unauthorized VPN, mesh-networking, and C2 infrastructure.
* **Endpoint Security:** Enable EDR tamper protection so that an actor with local administrator rights cannot stop, uninstall, or reconfigure the agent, and alert when a sensor stops reporting.
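To make the FIDO2 recommendation concrete, here is an added example (my code, not Unit 42's, and going beyond the bullet itself) of the relying-party checks that defeat a proxied login: the browser embeds the origin it actually loaded in clientDataJSON, the authenticator embeds a hash of the relying-party ID in authenticatorData, and the relying party rejects an assertion in which either does not match. RP_ID and ALLOWED_ORIGINS are assumed values for an imaginary SSO portal; the ECDSA signature verification over the assertion is omitted so the script runs with the standard library alone.

```python
"""Relying-party side of a WebAuthn (FIDO2) assertion check (added example,
not Unit 42 code and not a complete WebAuthn implementation): the signature
check over authenticatorData || sha256(clientDataJSON) is omitted so this
runs with the standard library only.  RP_ID and ALLOWED_ORIGINS are assumed."""
from __future__ import annotations
import base64
import hashlib
import json
import secrets
import struct

RP_ID = "sso.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://sso.example.com"}  # assumed legitimate origin(s)

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser hands the authenticator: the origin it really loaded."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def authenticator_data(rp_id: str, flags: int = FLAG_UP | FLAG_UV,
                       counter: int = 1) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(expected_challenge: bytes, client_data_json: bytes,
                     auth_data: bytes) -> tuple[bool, str]:
    """Checks the relying party performs before it even looks at the signature."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        challenge = b64url_decode(cd.get("challenge", ""))
    except ValueError:
        return False, "challenge not base64url"
    if challenge != expected_challenge:
        return False, "challenge mismatch (replay or cross-session)"
    origin = cd.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not asserted"
    return True, "ok"


def simulate_login(origin_in_browser: str, rp_id_used: str = RP_ID) -> tuple[bool, str]:
    """Issue a fresh challenge, build what a browser and authenticator would
    return for the given origin and RP ID, and run the relying-party checks."""
    challenge = secrets.token_bytes(32)
    cd = browser_client_data(challenge, origin_in_browser)
    ad = authenticator_data(rp_id_used)
    return verify_assertion(challenge, cd, ad)


if __name__ == "__main__":
    print(simulate_login("https://sso.example.com"))   # genuine portal
    print(simulate_login("https://sso-example.com"))   # lookalike relaying the real challenge
    print(simulate_login("https://sso.example.com", rp_id_used="sso-example.com"))
```

The second call models a smishing victim whose browser is on the lookalike domain while the proxy relays the genuine challenge: the origin check fails. The third feeds a forged clientDataJSON with the right origin but authenticator data for a credential scoped to the lookalike RP ID: the rpIdHash check fails. In practice the browser itself refuses to use an RP ID that is not a registrable suffix of the page origin, so the lookalike never obtains usable authenticator output at all; the relying-party checks shown here are the backstop, and the omitted signature check is what ties both fields to the registered key.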