Muddled Libra Showcases Proficiency with Multiple Toolkits
Category: Threat Actor Activity | Industries: Financial Services, Outsourcing, Technology, Telecommunications | Source: Unit42
A highly proficient threat group tracked as "Muddled Libra" has been identified by researchers at Palo Alto Networks Unit42. The group exhibits exceptional technical expertise, demonstrated by its use of diverse toolkits: the prominent 0ktapus phishing kit, penetration testing tools, various open-source tools, and memory forensic tools such as MAGNET RAM Capture and Volatility for acquiring credentials. Notably, Unit42 treats Muddled Libra as a distinct threat group that uses the 0ktapus phishing kit, rather than attributing its activity to previously reported groups such as 0ktapus, Scattered Spider, and Scatter Swine. Muddled Libra's proficiency extends beyond its extensive toolkit. The group has also demonstrated resilience by adapting and persisting during network intrusions. In social engineering, Muddled Libra not only conducts thorough open-source research on its targets but also contacts help desk staff directly to coerce the access it needs for its operations.
"The Muddled Libra threat group has also repeatedly demonstrated a strong understanding of the modern incident response (IR) framework. This knowledge allows them to continue progressing toward their goals even as incident responders attempt to expel them from an environment. Once established, this threat group is difficult to eradicate," said Unit42. Muddled Libra has even been observed gaining access to the admin consoles of endpoint detection and response (EDR) tools and erasing evidence of its activity from them. From a review of Muddled Libra's intrusions, Unit42 observed that the group clearly focuses on data and credential theft and usually avoids remote execution.
"Muddled Libra has shown a penchant for targeting a victim's downstream customers using stolen data and, if allowed, they will return repeatedly to the well to refresh their stolen dataset. Using this stolen data, the threat actor has the ability to return to prior victims even after initial incident response." The group is also dangerous because of its interest in compromising software supply chains, which would cause widespread impact and provide access to high-value targets. Industries in which Muddled Libra has demonstrated particular interest include cryptocurrency organizations and entities associated with outsourcing, technology, and telecommunications.