Threat actors use pentesting tools to identify vulnerabilities and weaknesses in target systems or networks.
These tools provide a simulated environment for testing potential attack vectors that allow threat actors to exploit security gaps and gain unauthorized access.
By using pentesting tools, threat actors can assess the effectiveness of their methods and refine their strategies to maximize the impact of their attacks.
Cybersecurity researchers at Unit 42 of Palo Alto Networks discovered that Muddled Libra hackers are actively using the pentesting tools to gain admin access.
The Muddled Libra hacking group emerged in late 2022 with the 0ktapus phishing kit, offering prebuilt hosting, easy C2 connectivity, and bundled attack templates.
Malware analysis can be fast and simple. Just let us show you the way to:
This kit enabled low-skilled attackers to emulate mobile authentication pages cheaply, gathering credentials and MFA codes for over 100 organizations.
While previously documented as 0ktapus, Scattered Spider, and Scatter Swine, Muddled Libra clarified they are a distinct group using a common toolkit, social forum-based collaboration, and Agile-like team structure.
Unit 42 attributed several complex supply chain attacks targeting cryptocurrency to Muddled Libra, who are adapting tactics and broadening their scope.
Unit 42 links incidents to Muddled Libra due to common tactics.
Muddled Libra shows a deep knowledge of targets, often from prior breaches and data brokers like Genesis and Russian Markets.
Malware like Raccoon Stealer and RedLine Stealer harvests info from personal devices by exploiting BYOD policies and hybrid work setups, creating a prime target for data theft.
Muddled Libra uses lookalike domains in smishing attacks by exploiting the SMS link truncation.
They favor short-lived domains via Porkbun and Namecheap, and they are now adding Metaregistrar.
The 0ktapus kit, which was adopted widely, requires little skill, targeting via smishing or direct social engineering. Helpdesk agents are key targets for password and MFA resets.
Focus on maintaining access involves abusing RMM tools like Zoho Assist, AnyDesk, and TeamViewer.
Cloud platforms aid in establishing a foothold, but recent shifts indicate a move to an ‘encrypt and extort’ model, targeting larger organizations in the same industry.
Muddled Libra sticks to consistent discovery methods, using legit tools like SharpHound, ADRecon, and Angry IP Scanner.
They aim for data and credential theft, sometimes adding BlackCat ransomware. They execute with PsExec or Impacket, leveraging the victim’s tools and RDP connections for stealth.
Here below, we have mentioned all the defense evasion tactics:-
Here below, we have mentioned all the mitigations:-
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…
White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…
Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…
The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…
Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…
WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…