A threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been observed waging a sophisticated cyber espionage campaign targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year.
Israeli cybersecurity firm Check Point, which discovered the campaign alongside Sygnia, is tracking the actor under the name Scarred Manticore, which is said to closely overlap with an emerging cluster dubbed Storm-0861, one of the four Iranian groups linked to destructive attacks on the Albanian government last year.
Victims of the operation span various countries such as Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.
Scarred Manticore also exhibits some degree of overlap with OilRig, another Iranian nation-state crew that was recently attributed to an attack on an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign.
Another set of tactical overlaps has been discovered between the adversary and an intrusion set codenamed ShroudedSnooper by Cisco Talos. Attack chains orchestrated by that threat actor have singled out telecom providers in the Middle East using a stealthy backdoor known as HTTPSnoop.
The activity attributed to Scarred Manticore is characterized by the use of a previously unknown passive malware framework called LIONTAIL that is installed on Windows servers. The threat actor is believed to have been active since at least 2019.
"Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers," Check Point researchers said in a Tuesday analysis. "These include a variety of custom web shells, custom DLL backdoors, and driver-based implants."
An advanced piece of malware, LIONTAIL is a collection of custom shellcode loaders and memory-resident shellcode payloads. A notable component of the framework is a lightweight yet sophisticated implant written in C that enables attackers to execute commands remotely through HTTP requests.
The attack sequences entail infiltrating publicly facing Windows servers to kick off the malware delivery process and then systematically harvesting sensitive data from infected hosts.
"Instead of using the HTTP API, the malware uses IOCTLs to interact directly with the underlying HTTP.sys driver," the researchers said, detailing the command-and-control (C2) mechanism.
"This approach is stealthier as it doesn't involve IIS or HTTP API, which are usually closely monitored by security solutions, but is not a straightforward task given that the IOCTLs for HTTP.sys are undocumented and require additional research efforts by the threat actors."
Also deployed alongside LIONTAIL are various web shells and a web forwarder tool called LIONHEAD.
Scarred Manticore's historical activity indicates a continuous evolution of the group's malware arsenal: the threat actor previously relied on web shells such as Tunna and a bespoke variant called FOXSHELL for backdoor access.
Since mid-2020, the threat actor is also said to have used a .NET-based passive backdoor called SDD that establishes C2 communication via an HTTP listener on the infected machine, with the ultimate goal of executing arbitrary commands, uploading and downloading files, and running additional .NET assemblies.
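Both the LIONTAIL C2 channel described above (IOCTLs straight into HTTP.sys) and the earlier SDD backdoor (an HTTP listener on the infected host) share one defensive property: neither opens a new listening socket of its own, because HTTP.sys already owns the port. What such an implant cannot avoid is registering a request queue and URL prefix with HTTP.sys, and Windows exposes every queue, its registered URLs and the attached process IDs through `netsh http show servicestate view=requestq`. The script below is an added example for this article, not code from Check Point, Sygnia or the report: it parses that listing, flags URL prefixes served by a process outside an allowlist, and diffs the registered prefixes against a known-good baseline. The netsh text (`SAMPLE_NETSH`), the PID-to-image map (`SAMPLE_PIDS`) and the allowlist (`EXPECTED_IMAGES`) are all constructed assumptions shaped like real output; on a server you would feed it the real netsh output and a `tasklist /FO CSV` (or `Get-Process`) export.

```python
# Added example (not from the Check Point/Sygnia report): audit HTTP.sys
# request queues, the one artifact an HTTP.sys-backed passive implant must
# leave behind. Input is the text of `netsh http show servicestate view=requestq`
# plus a PID -> image-name map; both are CONSTRUCTED samples here.
import re
from dataclasses import dataclass, field

SAMPLE_NETSH = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Process IDs:
        4
    URL groups:
    URL group ID: FC00000040000002
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:5985/WSMAN/

Request queue name: Request queue is unnamed.
    Process IDs:
        3120
    URL groups:
    URL group ID: FC00000040000009
        Number of registered URLs: 2
        Registered URLs:
            HTTP://*:80/
            HTTPS://*:443/

Request queue name: Request queue is unnamed.
    Process IDs:
        5584
    URL groups:
    URL group ID: FC0000004000001A
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:80/sample-path/
"""  # constructed sample, laid out like real netsh output

SAMPLE_PIDS = {4: "System", 3120: "w3wp.exe", 5584: "sample_listener.exe"}  # constructed

# Assumption: images that legitimately own HTTP.sys queues on this host role
# (WinRM lives under System/svchost, IIS sites under w3wp). Tune per server.
EXPECTED_IMAGES = frozenset({"System", "svchost.exe", "w3wp.exe"})


@dataclass
class RequestQueue:
    pids: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def parse_request_queues(text):
    """Split the netsh listing into queues with their attached PIDs and URLs."""
    queues, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        # An unindented "Request queue name:" starts a new queue; the indented
        # copy netsh prints inside each URL group is only a back-reference.
        if raw.startswith("Request queue name:"):
            current = RequestQueue()
            queues.append(current)
            section = None
        elif current is None:
            continue
        elif line == "Process IDs:":
            section = "pids"
        elif line == "Registered URLs:":
            section = "urls"
        elif section == "pids" and line.isdigit():
            current.pids.append(int(line))
        elif section == "urls" and re.match(r"https?://", line, re.I):
            current.urls.append(line)
        else:
            section = None  # any other line terminates the current list
    return queues


def unexpected_listeners(text, pid_to_image, expected=EXPECTED_IMAGES):
    """(pid, image, url) for every URL served by a process outside the allowlist."""
    findings = []
    for q in parse_request_queues(text):
        for pid in q.pids:
            image = pid_to_image.get(pid, "<unknown>")
            if image not in expected:
                findings.extend((pid, image, url) for url in q.urls)
    return findings


def urls_not_in_baseline(text, baseline_urls):
    """Registered prefixes missing from a known-good baseline (case-insensitive)."""
    seen = {u.lower() for q in parse_request_queues(text) for u in q.urls}
    return sorted(seen - {u.lower() for u in baseline_urls})


if __name__ == "__main__":
    baseline = ["HTTP://+:5985/WSMAN/", "HTTP://*:80/", "HTTPS://*:443/"]
    for pid, image, url in unexpected_listeners(SAMPLE_NETSH, SAMPLE_PIDS):
        print(f"unexpected owner: pid={pid} image={image} url={url}")
    for url in urls_not_in_baseline(SAMPLE_NETSH, baseline):
        print(f"not in baseline: {url}")
```

The two checks are deliberately separate. The owner check catches a standalone listener process, but an IIS-based backdoor of the kind the report describes is loaded into the worker process itself, so its queue is attributed to w3wp.exe and passes the allowlist; that is why the baseline diff of registered URL prefixes is the check that matters for that case, and why the baseline should be captured from a clean build of the same server role.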
The progressive updates to the threat actor's tactics and tools are typical of advanced persistent threat (APT) groups and demonstrate their resources and varied skills. This is best exemplified by Scarred Manticore's use of a malicious kernel driver called WINTAPIX that was uncovered by Fortinet earlier this May.
In a nutshell, WinTapix.sys acts as a loader to execute the next stage of the attack, injecting embedded shellcode into a suitable user-mode process that, in turn, executes an encrypted .NET payload specifically designed to target Microsoft Internet Information Services (IIS) servers.
The targeting of Israel comes amid the ongoing Israel-Hamas war, which has prompted low-sophistication hacktivist groups to attack various organizations in the country, as well as in nations like India and Kenya, suggesting nation-state actors' reliance on information operations aimed at influencing global perception of the conflict.
"LIONTAIL framework components share similar obfuscation and string artifacts with FOXSHELL, SDD backdoor, and WINTAPIX drivers," Check Point said.
"Analyzing the history of their activities, it becomes evident how far the threat actor has come in improving their attacks and enhancing their approach, which relies on passive implants."