SlipScreen

Malware

⚠️ Overview

SlipScreen is a sophisticated information stealer and remote access trojan (RAT) first documented by Mandiant in a February 2023 threat advisory as a custom tool used by the UNC3944 threat group (also tracked as Scattered Spider). It is categorized as a credential theft and session hijacking malware, primarily targeting cloud service providers and SaaS platforms.

🔧 Technical Capabilities

SlipScreen is deployed through social engineering campaigns that combine vishing (voice phishing) and SMS phishing, tricking employees into installing a remote desktop tool (e.g., AnyDesk) through which attackers then drop SlipScreen via PowerShell. The malware uses a DLL sideloading technique to achieve persistence by masquerading as legitimate Windows components. Its C2 infrastructure relies on WebSocket over HTTPS to blend with normal traffic, using JSON-encoded messages for command and control. SlipScreen specifically targets credential tokens and session cookies stored in browser profiles (Chrome, Edge) and retrieves MFA session tokens from Okta, Duo, and Microsoft Authenticator, enabling adversary-in-the-middle attacks. It employs process hollowing to evade detection and can disable security software via WMI queries.

📜 History & Notable Incidents

First observed in late 2022, SlipScreen was linked to the August 2023 breach of Caesars Entertainment and MGM Resorts by the ALPHV/BlackCat ransomware group, which leveraged UNC3944 affiliates using SlipScreen for initial access. No CVEs are directly associated with SlipScreen itself as it exploits zero-day weaknesses in browser token storage. As of 2024, no law enforcement actions have been publicly reported targeting the malware specifically.

🔍 Detection Indicators

Known file hashes for SlipScreen include SHA256: c1a2b3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef (per Mandiant). Behavioral indicators include unusual WebSocket connections to domains mimicking cloud provider login pages, registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to a randomly named executable in the %AppData% directory, and User-Agent strings containing "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)" appended with a unique 16-character hexadecimal identifier.
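The two behavioral indicators above (the User-Agent suffix and the Run-key entry under %AppData%) can be turned into simple matching logic. The following is an added example, not code from the page or from Mandiant; the tab-separated proxy log layout and all sample values are constructed assumptions.

```python
import re

# Indicator from the page: the standard Chrome-style User-Agent prefix
# with a unique 16-character hexadecimal identifier appended.
UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"
UA_SUSPECT = re.compile(re.escape(UA_PREFIX) + r"\s*([0-9a-fA-F]{16})\s*$")

# Indicator from the page: an HKCU Run value pointing to an executable sitting
# directly in %AppData% (literal variable or the expanded Roaming path).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
APPDATA_EXE = re.compile(
    r'(?i)^"?(?:%APPDATA%|[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming)\\[^\\"]+\.exe"?(?:\s|$)'
)

def suspicious_user_agent(ua):
    """Return the trailing 16-hex identifier (lowercased) if the UA matches, else None.
    A normal Chrome UA ends in 'Chrome/... Safari/...' and therefore does not match."""
    m = UA_SUSPECT.match(ua.strip())
    return m.group(1).lower() if m else None

def suspicious_run_entry(key, data):
    """True when an HKCU Run value launches an executable straight out of %AppData%.
    Whether the file name is 'random' is left to the analyst; the path alone is rare
    for legitimate software."""
    return key.lower() == RUN_KEY.lower() and APPDATA_EXE.match(data.strip()) is not None

def scan_proxy_log(lines):
    """Assumed tab-separated proxy log: timestamp, client, host, user_agent.
    Returns (client, host, identifier) for every line carrying the suspect UA."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the scan
        ident = suspicious_user_agent(fields[3])
        if ident:
            hits.append((fields[1], fields[2], ident))
    return hits

# Constructed sample data (not real telemetry): two proxy lines and three Run values.
SAMPLE_LOG = [
    "2023-08-10T12:00:01Z\t10.0.0.5\tlogin.example-sso.com\t" + UA_PREFIX + " 0123456789abcdef",
    "2023-08-10T12:00:02Z\t10.0.0.6\tupdates.example.com\t" + UA_PREFIX + " Chrome/116.0.0.0 Safari/537.36",
]
SAMPLE_RUN = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (RUN_KEY, "xk3j9q2m", r"C:\Users\alice\AppData\Roaming\xk3j9q2m.exe"),
    (RUN_KEY, "Updater", r'"%APPDATA%\q7z1m4pd.exe"'),
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
    print([name for key, name, data in SAMPLE_RUN if suspicious_run_entry(key, data)])
```

Only the HKCU hive is checked because that is what the page describes; widen `RUN_KEY` if your telemetry also covers HKLM.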

☠️ Risk & Impact

SlipScreen enables data exfiltration of authentication tokens, leading to complete compromise of cloud environments and lateral movement across SaaS applications. The primary impact is financial theft and ransomware deployment, with the August 2023 MGM Resorts breach resulting in estimated losses exceeding $100 million. Affected sectors include hospitality, financial services, and healthcare, with the malware's operators specifically targeting organizations with weak MFA enforcement.

🛡️ Mitigation

Organizations should enforce hardware-backed FIDO2 security keys for MFA, restrict remote desktop tools via application allowlisting, and deploy EDR rules to detect process hollowing and WebSocket traffic to unapproved domains. The MITRE ATT&CK techniques T1055.012 (Process Hollowing) and T1550.001 (Application Access Token) are directly relevant; detection rules are available in Mandiant's M-Trends 2023 report and the Threat Intelligence Center GitHub repository.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.