June 23, 2023 | Ravi Lakshmanan | Social Engineering / Phishing

A threat actor known as Muddled Libra is a relentless attacker that uses sophisticated social engineering tactics to gain initial access, targeting the business process outsourcing (BPO) industry.

“The attack style that defines Muddled Libra entered the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offers pre-built hosting frameworks and bundled templates,” Palo Alto Networks Unit 42 said in a technical report.

Libra is the designation the cybersecurity company assigns to cybercrime groups. The “Muddled” moniker for this threat actor stems from the general ambiguity surrounding its use of the 0ktapus framework.

0ktapus, also known as Scatter Swine, refers to an intrusion set first revealed in August 2022 in connection with smishing attacks against over 100 organizations, including Twilio and Cloudflare.


In late 2022, CrowdStrike detailed a series of cyberattacks targeting telcos and BPO companies that combined credential phishing and SIM swapping, active since at least June 2022. This cluster is tracked under the names Roasted 0ktapus, Scattered Spider, and UNC3944.

“Unit 42 decided to name it Muddled Libra because of the confusion surrounding the 0ktapus phishing kit,” senior threat researcher Kristopher Russo told The Hacker News.

“Since this kit is now widely available, many other attackers have added it to their arsenal. They are not all classified as Muddled Libra.”

Attacks by the e-crime group begin with smishing and the 0ktapus phishing kit to establish initial access, and usually end with data theft and long-term persistence.

Another distinctive feature is that compromised infrastructure and stolen data are used in downstream attacks against the victim’s customers, sometimes targeting the same victim multiple times to replenish the dataset.

Unit 42, which investigated more than six Muddled Libra incidents between June 2022 and early 2023, said the group was tenacious, “methodical in its pursuit of objectives and very flexible in its attack strategy,” and quick to change tactics whenever it encountered obstacles.

In addition to favoring a variety of legitimate remote administration tools to maintain persistent access, Muddled Libra has been known to tamper with endpoint security solutions to evade defenses and to use multi-factor authentication (MFA) notification fatigue strategies to steal credentials.

The threat actor has also been observed gathering employee lists, job titles, and mobile phone numbers in order to carry out smishing and MFA prompt-bombing attacks. If this approach fails, the Muddled Libra attacker impersonates the victim and contacts the organization’s helpdesk to enroll a new MFA device.
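The two techniques just described leave distinct traces in identity-provider logs: a burst of MFA push prompts to one account in a short window (notification fatigue), and an MFA factor enrolled shortly after a helpdesk-initiated reset. The following detection logic is an added example written for this article, not code from Unit 42 or the original report. The log format, field names (`mfa_push_sent`, `mfa_reset`, `source=helpdesk`, `mfa_factor_enrolled`) and the sample lines are constructed assumptions; adapt the parser to your IdP's actual event schema.

```python
"""Constructed detections for MFA prompt-bombing and post-helpdesk MFA enrollment.

Log line format (assumed for this example):
    <ISO-8601 timestamp> <user> <event> [key=value ...]
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. alice receives six push prompts in five minutes
# (prompt bombing); carol enrolls a new factor 12 minutes after a helpdesk reset;
# bob and dave are benign controls.
SAMPLE_LOGS = """\
2023-06-20T09:00:00 alice mfa_push_sent
2023-06-20T09:00:20 alice mfa_push_denied
2023-06-20T09:01:00 alice mfa_push_sent
2023-06-20T09:01:15 alice mfa_push_denied
2023-06-20T09:02:00 alice mfa_push_sent
2023-06-20T09:03:00 alice mfa_push_sent
2023-06-20T09:04:00 alice mfa_push_sent
2023-06-20T09:05:00 alice mfa_push_sent
2023-06-20T09:05:40 alice mfa_push_approved
2023-06-20T08:30:00 bob mfa_push_sent
2023-06-20T08:30:10 bob mfa_push_approved
2023-06-20T17:45:00 bob mfa_push_sent
2023-06-20T17:45:05 bob mfa_push_approved
2023-06-20T14:00:00 carol mfa_reset source=helpdesk
2023-06-20T14:12:00 carol mfa_factor_enrolled
2023-06-20T10:00:00 dave mfa_reset source=helpdesk
2023-06-21T11:00:00 dave mfa_factor_enrolled
"""


def parse_log(text):
    """Parse the constructed log format into a time-sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts, user, event = parts[0], parts[1], parts[2]
        extra = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, **extra})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak_prompt_count} for users who received at least
    `threshold` push prompts inside any sliding `window`."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push_sent":
            pushes[e["user"]].append(e["ts"])
    findings = {}
    for user, times in pushes.items():  # times are already sorted
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[user] = peak
    return findings


def detect_helpdesk_enrollment(events, window=timedelta(hours=1)):
    """Return (user, reset_ts, enroll_ts) tuples where a new MFA factor was
    enrolled within `window` of a helpdesk-sourced MFA reset."""
    last_reset = {}
    findings = []
    for e in events:
        if e["event"] == "mfa_reset" and e.get("source") == "helpdesk":
            last_reset[e["user"]] = e["ts"]
        elif e["event"] == "mfa_factor_enrolled":
            reset_ts = last_reset.get(e["user"])
            if reset_ts is not None and e["ts"] - reset_ts <= window:
                findings.append((e["user"], reset_ts, e["ts"]))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOGS)
    print("push fatigue:", detect_push_fatigue(evts))
    print("post-helpdesk enrollment:", detect_helpdesk_enrollment(evts))
```

Both detections are intentionally cheap to run over a stream of IdP events. The fatigue threshold and window should be tuned per environment; a follow-on `mfa_push_approved` after a burst of denials is the higher-severity case, since that is the outcome the prompt-bombing aims for.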

“The success of Muddled Libra’s social engineering is remarkable,” the researchers said. “In many of our cases, this group gave both the helpdesk and other employees an unusually high level of reassurance over the phone and persuaded them to engage in risky behavior.”

The attacks employ credential-stealing tools such as Mimikatz and Raccoon Stealer to elevate access, along with other scanners to facilitate network discovery and ultimately exfiltrate data from Confluence, Jira, Git, Elastic, Microsoft 365, and internal messaging platforms.

Unit 42 also theorizes that the authors of the 0ktapus phishing kit lack the advanced capabilities of Muddled Libra, and that, despite the overlap in tradecraft, there is no clear connection between this actor and UNC3944.

“Muddled Libra stands at the intersection of nefarious social engineering and agile technology adaptation,” the researchers said. “They are experts in various security disciplines, thrive in relatively secure environments, and can execute quickly to complete devastating attack chains.”

“This enterprise information technology-savvy threat group poses significant risks even to organizations with well-developed, traditional cyber defenses.”
