LUCR-3 Attacking Fortune 2000 Companies Using Victims’ Own Tools & Apps

A new financially motivated threat group named “LUCR-3” has been discovered targeting organizations to steal intellectual property for extortion. This threat actor surpasses Scatter Spider, Oktapus, UNC3944, and Storm-0875.

LUCR-3 is targeting Fortune 2000 companies in various sectors, which include Software, Retail, Hospitality, Manufacturing, and Telecoms. The threat actor uses existing identities for initial access instead of relying on Malware.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Attributes of LUCR-3

As part of the initial access, the threat actor performs recon on the victim identities to choose the user who will have necessary access for their exploitation.

More often, they rely on social engineering, smashing, or buying the credentials that are available on the deep web marketplace. Most of their victims have been identified as Admins, Developers, Engineers, and the Security team.

AWS Attacker Lifecycle (Source: Permisio)

The credentials they use are legitimate for connecting to the target network and applications. With these credentials, they perform MFA bypass using various techniques like SIM Swapping, Push Fatigue, Phishing attacks, or buying a social engineer access through insider threats. They also modify MFA settings by registering a new device or adding alternative MFA options. 

R-SaaS & R-AWS (Recon SaaS & Recon AWS)

Moreover, this threat actor has a unique way of understanding the organizations by following a regular employee method – Viewing and searching the documents available on SharePoint, OneDrive, knowledge applications, ticketing solutions, and chat applications that provide in-depth knowledge about the victim organization. This method is carried out in the case of SaaS applications.

In the case of AWS, they leverage the billing and AWS management console for understanding the cloud infrastructure.

They also use Systems Manager (SSM) to run AWS-GatherSoftwareInventory, which will provide complete information about all the EC2 instances and the software running on them.

Persistence in all environments

For gaining persistent access into the compromised systems, the threat actor relies on previously available tools like device registration, alternate MFA, and strong authentication type (from 6 [PhoneAppOTP] to 7 [OneWaySMS]). 

In the case of AWS, the threat actor creates a user, access, and login profile (or updates a login profile). A complete report about this threat actor has been published by Permisio, which provides detailed information about the infiltration, extraction, and other details. 

As part of Defense evasion, LUCR-3 uses GuardDuty disabling, stopping the logging and serial console access. In certain cases, they also send emails relating to helpdesk tickets, the creation of authentication keys, access tokens, and OAuth.

Indicators of Compromise


Source: Permisio

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

WordPress POP Chain Flaw Exposes Over 800M+ Websites to Attack

A critical remote code execution vulnerability has been patched as part of the Wordpress 6.4.2 version. This vulnerability exists in…

20 hours ago

Russian Star Blizzard New Evasion Techniques to Hijack Email Accounts

Hackers target email accounts because they contain valuable personal and financial information. Successful email breaches enable threat actors to:- Identity…

21 hours ago

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid detection by antivirus programs, making it…

2 days ago

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets.  Outlook vulnerabilities offer:- Access to…

2 days ago

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered. This vulnerability can be exploited…

3 days ago

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in multiple products. The CVEs for these…

3 days ago