A sophisticated threat actor group known as Scattered Spider has expanded its focus to UK retail organizations, employing advanced supply chain attack techniques to compromise high-value targets.
Operating since May 2022, this financially motivated group has evolved from primarily attacking the telecommunications and business process outsourcing (BPO) sectors to focusing on high-stakes industries like critical infrastructure and UK retail chains.
These attacks mark a significant escalation in both scope and impact, and are often timed to peak retail seasons to maximize financial gain. Initially known for its expertise in social engineering, Scattered Spider, also tracked under the names Roasting 0ktapus and Scatter Swine, has proven highly adaptable in its operational methods.
The group combines cloud exploitation techniques with complex social engineering tactics, including SMS phishing, SIM swapping, and exploiting Multi-Factor Authentication (MFA) fatigue.
The group's typical approach involves gathering employee mobile numbers from commercially available data aggregation services, followed by targeted phishing campaigns impersonating IT staff to steal credentials or gain remote access.
Cyberint researchers identified a troubling development in mid-2023: Scattered Spider had partnered with the BlackCat (ALPHV) ransomware group. This led to ransomware payloads being deployed on both Windows and Linux systems, with VMware ESXi servers a particular target.
This shift suggests that the group is likely embedded within Russian-speaking ransomware-as-a-service (RaaS) networks, though it avoids targeting organizations within the Commonwealth of Independent States (CIS).
The group's attack process is multi-stage: phishing for initial access, legitimate remote management tools to establish persistence, and finally data exfiltration and, potentially, ransomware deployment. While Scattered Spider has not publicly claimed responsibility for the UK retail attacks, its known tactics and techniques strongly suggest its involvement.
Evidence indicates that Scattered Spider functions as an access broker or partner within the DragonForce affiliate model, a broader trend in the ransomware ecosystem where specialized actors collaborate without co-branding, often using white-labeled infrastructure to mask attribution.
Security Bypass and Persistence Mechanisms
Scattered Spider’s technical proficiency lies in its advanced use of malicious drivers to bypass security measures.
The primary tool, POORTRY, targets Windows systems to disable Endpoint Detection and Response (EDR) processes. This driver exploits CVE-2015-2291, a vulnerability in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys), which allows local users to execute arbitrary code with kernel privileges through crafted IOCTL calls (0x80862013, 0x8086200B, 0x8086200F, or 0x80862007).
To evade detection, the attackers sign the POORTRY driver with a Microsoft Windows Hardware Compatibility Authenticode signature, so that the driver appears to be a legitimately certified component rather than malware.
Alongside POORTRY, Scattered Spider uses STONESTOP, a Windows userland utility that functions as both loader and installer for the malicious driver. This tool orchestrates the driver's actions, loading it into the kernel so that it can disable security processes.
Together, these tools enable Scattered Spider to conduct sophisticated, kernel-level attacks with minimal detection, ensuring persistent access to compromised retail systems.
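As an added illustration (not code from the original article or from any vendor it mentions), the following Python sketch shows the kind of correlation a detection engineer would write for the behaviour described above: a load of the vulnerable Intel diagnostics driver named in the article, followed shortly by the termination of EDR processes. The log format, timestamps and EDR process names are constructed for the example; only the driver filename comes from the article.

```python
from datetime import datetime, timedelta

# Driver the article names as POORTRY's target (CVE-2015-2291). In production,
# extend this with your vulnerable-driver blocklist (names and hashes); the
# article gives no hashes, so only the filename is matched here.
VULNERABLE_DRIVERS = {"iqvw64.sys"}
# Placeholder EDR agent binaries; substitute the ones deployed in your estate.
EDR_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}
CORRELATION_WINDOW = timedelta(seconds=60)

# Constructed, Sysmon-like records: "<iso-timestamp>;<EventID>;key=value;..."
# EventID 6 = driver loaded, EventID 5 = process terminated.
SAMPLE_EVENTS = [
    r"2024-11-20T09:14:02;6;ImageLoaded=C:\Windows\Temp\iqvw64.sys;Signed=true",
    r"2024-11-20T09:14:05;5;Image=C:\Program Files\ExampleEDR\edr_agent.exe",
    r"2024-11-20T09:14:06;5;Image=C:\Program Files\ExampleEDR\edr_sensor.exe",
    r"2024-11-20T09:14:07;5;Image=C:\Windows\System32\notepad.exe",
    r"2024-11-20T11:00:00;6;ImageLoaded=C:\Windows\System32\drivers\tcpip.sys;Signed=true",
    r"2024-11-20T11:30:00;5;Image=C:\Program Files\ExampleEDR\edr_agent.exe",
]

def parse_event(line):
    """Turn one record into a dict with a datetime 'ts', an int 'eid' and its fields."""
    ts, eid, *pairs = line.strip().split(";")
    event = {"ts": datetime.fromisoformat(ts), "eid": int(eid)}
    event.update(kv.split("=", 1) for kv in pairs)
    return event

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Flag loads of known-vulnerable drivers; escalate when EDR processes die soon after."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["eid"] != 6 or basename(ev.get("ImageLoaded", "")) not in VULNERABLE_DRIVERS:
            continue
        # Signature status is deliberately ignored: a bring-your-own-vulnerable-driver
        # load carries the vendor's legitimate signature, so "Signed=true" proves nothing.
        killed = [
            basename(e["Image"]) for e in events[i + 1:]
            if e["eid"] == 5 and e["ts"] - ev["ts"] <= CORRELATION_WINDOW
            and basename(e.get("Image", "")) in EDR_PROCESSES
        ]
        alerts.append({"severity": "high" if killed else "medium", "driver": basename(ev["ImageLoaded"]),
                       "loaded_from": ev["ImageLoaded"], "edr_terminated": killed})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields a single high-severity alert: the iqvw64.sys load from a temp directory with two EDR processes terminated within the window, while the later benign driver load and the out-of-window termination produce nothing.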