Will (@BushidoToken) · Jun 19 · 6 tweets
🧵New #CTI assessment based on OSINT research:

🔎ScatteredSpider/0ktapus is a BlackCat (ALPHV) affiliate, but doesn't deploy ransomware

- Based on some temporal, technical, and behavioral analysis

Follow me 🐇🕳 (1/6)
9 Feb 23, Reddit faced a 'highly-targeted phishing attack' & had docs and source code stolen

TTPs are very similar to ScatteredSpider/0ktapus campaigns:
- a landing page impersonating its intranet site
- stolen employees' credentials and 2FA codes
reddit.com/r/reddit/comme… (2/6)
22 May 23, Trend Micro revealed that a BlackCat affiliate used an identical Microsoft-signed POORTRY sample (909f3fc221acbe999483c87d9ead024a) used by UNC3944 (ScatteredSpider/0ktapus), which Trend says they have used since February 2023 (3/6)
16 June 23, the BlackCat data leak site adds 'The Reddit Files', TA says they 'broke into Reddit on February 5, 2023'.

The 'Reddit Files' was written in clear English, different from BlackCat leaks and from those of other Russia-based groups, like CL0P (4/6)

Overlaps 🔎
- ⌚ Temporal: The Reddit breach took place at the same time as the BlackCat post says
- ⚙ Technical: Reuse of the TTPs (SMS/SSO phish) and same tools (the POORTRY driver)
- 🕵️‍♂️ Behavioral: Data-theft-extortion operations, English-speaking threat actors

(5/6)
There's still *much* to uncover about the relationship between ScatteredSpider/0ktapus and BlackCat (ALPHV) but these public reports do indicate various connections. 🕷🐈‍⬛

More English-speaking threat actors working with Russia-based ransomware groups is a noteworthy trend. (6/6)
