Moroccan cybercrime group Atlas Lion hiding in plain sight during attacks on retailers

Researchers have discovered a novel tactic used by Moroccan cybercrime group Atlas Lion to attack big-box retailers, apparel companies, restaurants and more. 

The group was observed using stolen credentials to enroll its own virtual machines (VMs) into an organization’s cloud domain, according to researchers at cybersecurity firm Expel. The move essentially allows the group to act like its cybercrime infrastructure is a legitimate part of a company’s network. 

Atlas Lion specializes in breaching the systems of large retailers in order to fraudulently issue gift card codes to themselves, according to Microsoft.

Expel recently witnessed an attack in which Atlas Lion sent text messages made to look like notifications from a company’s helpdesk. The texts included a malicious link that took victims to a phishing site prompting them to enter usernames, passwords and multi-factor authentication (MFA) codes. 

The attackers immediately used the information to log into the victim’s account and enroll their own device into the company’s MFA authentication app in order to maintain their access. Expel noted that the initial phishing allowed the hackers to obtain credentials from 18 users. They used nine of the accounts to register MFA authentication apps. 

Once inside, Atlas Lion actors created a Windows VM in their own Microsoft Azure cloud tenant and connected it to the organization’s domain. Part of the normal Windows device setup involves offering users the opportunity to join a device to a corporate domain if an account is provided, according to Expel. 

“This effectively took a [virtual machine] mimicking a brand new system within the corporate environment and onboarded it as a new system, bypassing requirements put in place to keep unauthorized devices off of the corporate network,” the researchers said. 

The scheme has pitfalls, however, that allowed Expel researchers to discover it. Newly enrolled devices are required to install software in line with a company’s compliance requirements. 

Expel said the hackers had to install Microsoft Defender on the virtual machine, and the system alerted defenders to a previously flagged IP address with a history of malicious activity. Defenders quickly kicked the host off of the network and reset the impacted user’s credentials. 

“It’s mildly ironic that the enrollment of a malicious, attacker-controlled system was brought down by the same enrollment process the attackers were attempting to take advantage of,” the researchers said. 

“But what’s more concerning is that it could be argued that the attackers were careless. If they had simply used an IP address that wasn't known for malicious activity, it’s difficult to say if the malicious device enrollment would have been noticed as quickly.”

Just hours after being kicked out of the system, Atlas Lion actors used the stolen credentials to log into the network again. But this time, they searched through the organization’s internal applications, downloading dozens of files. 

Expel said it appears the hackers were trying to find information on “Bring Your Own Device” policy configurations, device management software, and internal VPN setups — likely as a way to avoid being caught on their next attempt to enroll a virtual machine. 

“But in addition to this, Atlas Lion looked up information on a familiar goal of the group: obtaining gift cards. They appear to have looked through gift card issuance process docs, information about gift card refunds and exchanges, and even gift card fraud prevention policies,” Expel explained, noting that the hackers also took several other actions while trying to stay under the radar.

Expel’s research echoed much of what Microsoft found last year — illustrating that Atlas Lion has shown an aptitude for leveraging cloud infrastructure and using internal documentation to learn more about how best to fraudulently issue gift cards.    

Microsoft said last year that it saw Atlas Lion download legitimate copies of 501(c)(3) letters issued by the Internal Revenue Service (IRS) from nonprofit organizations’ public websites — using them to get discounted cloud products from providers.

The group typically creates new gift cards and either cashes them out through money mules or sells them to other cybercriminals at a discount on the dark web. Microsoft researchers said they have seen instances where threat actors steal up to $100,000 a day at certain companies through individual gift cards.