Scattered Spider update: Silent Push analysts use content scans to reveal new phishing infrastructure.


Summary

In December 2023, we published a blog that exposed active Scattered Spider phishing infrastructure.

Here’s a quick update that takes you through how we used patterns within Scattered Spider’s deployment methods to traverse new infrastructure, by combining the Silent Push Web Scanner with our first-party passive DNS dataset.

For security reasons, certain data categories have been redacted to prevent threat actors from adjusting their TTPs to evade detection.

Silent Push Enterprise users have access to a TLP Amber report that contains specific mitigation actions and links to relevant data fields.

Executing Silent Push Web Scanner queries

We used the Silent Push Web Scanner to cross-reference in-page data with passive DNS data. Analyzing the most recent domain from the resulting dataset – sinchdev[.]com – we can see that it was first detected on 2023-01-31, and uses a certificate issued for another domain – usccplus[.]com.

Pivoting on Scattered Spider WHOIS and passive DNS data

We enriched sinchdev[.]com and executed a passive DNS lookup to locate all DNS records associated with it.

This combined pivot established that sinchdev[.]com was registered on 2023-01-30 via Hosting Concepts, and hosted on 45.32.66[.]91, which is associated with AS20473 (AS-CHOOPA, US).

Both the registrar and ASN have been used by Scattered Spider in previous campaigns.

Passive DNS data for sinchdev[.]com

Additional Scattered Spider pivots

We then used our scan data repository to establish that sinchdev[.]com hosted a phishing page immediately after creation. The page was live for approximately 24 hours.

Sinchdev[.]com phishing page

We wanted to locate malicious infrastructure hosted on the same IP – 45.32.66[.]91 – so we performed a reverse A record pivot and uncovered a new domain: on-sinch[.]com.

Reverse A record lookup on 45.32.66[.]91

Analyzing on-sinch[.]com

After reviewing WHOIS data and DNS records for on-sinch[.]com, we established that the domain was also registered on 2023-01-30 with Hosting Concepts – the same registration pattern as sinchdev[.]com.

Further scans revealed that it also hosted a phishing page after creation, which was taken down within 24 hours.

Executing forward A lookups on both domains revealed that they were hosted on low-density IP addresses on AS20473 (AS-CHOOPA, US), some of which exclusively host Scattered Spider infrastructure while others also host unrelated infrastructure such as airdrop crypto scams.
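As an added example (not Silent Push's code or data), the Python below reproduces the pivot chain described above over a small in-memory dataset: forward A lookups from a seed domain, a reverse A pivot on each IP, then registrar, registration-date proximity and hosting ASN as the traits that decide whether a co-hosted domain is kept. The domain, IP, ASN and registrar values are the ones from this post; the .example domains, their dates, AS64496 and the thresholds are constructed assumptions.

```python
from datetime import date
# Sample records for this example: the domain, IP, ASN and registrar values
# come from the post; the .example domains, their dates and AS64496 are made up.
PDNS = {  # domain -> list of (A record, first seen)
    "sinchdev.com": [("45.32.66.91", date(2023, 1, 31))],
    "on-sinch.com": [("45.32.66.91", date(2023, 1, 31))],
    "airdrop-claim.example": [("45.32.66.91", date(2023, 2, 10))],
    "benign.example": [("198.51.100.7", date(2022, 6, 1))],
}
WHOIS = {  # domain -> (registrar, registration date)
    "sinchdev.com": ("Hosting Concepts", date(2023, 1, 30)),
    "on-sinch.com": ("Hosting Concepts", date(2023, 1, 30)),
    "airdrop-claim.example": ("Other Registrar", date(2023, 2, 9)),
    "benign.example": ("Other Registrar", date(2022, 5, 20)),
}
ASN = {"45.32.66.91": "AS20473", "198.51.100.7": "AS64496"}  # IP -> ASN
# Registrar and ASN the post says Scattered Spider used in earlier campaigns.
KNOWN_REGISTRARS = {"Hosting Concepts"}
KNOWN_ASNS = {"AS20473"}

def forward_a(domain):
    # Forward A lookup: every IP the domain has resolved to.
    return sorted({ip for ip, _ in PDNS.get(domain, [])})

def reverse_a(ip):
    # Reverse A pivot: every domain that has resolved to the IP.
    return sorted(d for d, recs in PDNS.items() if any(r[0] == ip for r in recs))

def ip_density(ip):
    # Distinct domains on an IP; a low count makes co-hosted domains more likely related.
    return len(reverse_a(ip))

def pivot(seed, window_days=2, min_matches=2):
    # Expand the seed along the post's pivots (forward A, reverse A, WHOIS)
    # and keep co-hosted domains that share at least min_matches traits.
    seed_regdate = WHOIS[seed][1]
    related = {}
    for ip in forward_a(seed):
        for cand in (d for d in reverse_a(ip) if d != seed):
            registrar, regdate = WHOIS.get(cand, (None, None))
            reasons = []
            if registrar in KNOWN_REGISTRARS:
                reasons.append("registrar " + registrar)
            if regdate and abs((regdate - seed_regdate).days) <= window_days:
                reasons.append("registered within %d day(s)" % window_days)
            if ASN.get(ip) in KNOWN_ASNS:
                reasons.append("hosted on " + ASN[ip])
            if len(reasons) >= min_matches:
                related[cand] = reasons
    return related
```

Seeding with sinchdev.com keeps on-sinch.com on all three traits and drops the co-hosted airdrop domain, which matches on ASN alone.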

Scattered Spider IOFAs

  • on-sinch[.]com
  • sinchdev[.]com
  • 45.32.66[.]91

Register for Community Edition

Silent Push Enterprise users benefit from two Early Detection Feeds that allow security teams to track and monitor Scattered Spider infrastructure either using the Silent Push console, or via an API.

All of the Web Scanner queries and DNS lookups we used to detect and traverse Scattered Spider’s phishing infrastructure are available via Silent Push Community Edition – a free threat hunting platform available to security pros, researchers and analysts, including.