Iran’s ‘Scarred Manticore’ Unleashes Advanced Cyber Espionage Campaign

In a recent revelation, a state-sponsored Iranian threat actor known as “Scarred Manticore” has been conducting a highly sophisticated cyber espionage campaign targeting prominent organizations in the Middle East. For over a year, this government-backed advanced persistent threat (APT) has employed a covert and adaptable malware framework to infiltrate and compromise its high-value targets.

Source: https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/

Researchers from Check Point and Sygnia recently published a comprehensive report on October 31, characterizing this campaign as significantly more sophisticated than previous Iranian cyber activities. The victims of Scarred Manticore’s espionage efforts have encompassed a wide range of sectors, including government, military, financial, IT, and telecommunications, within countries such as Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates. The exact nature of the data stolen in these attacks remains undisclosed.

The group, linked to Iran’s Ministry of Intelligence and Security, has earned aliases like “Shrouded Snooper” by Cisco Talos and bears some associations with the notorious OilRig group, known by various other names such as APT34, MuddyWater, Crambus, Europium, and Hazel Sandstorm. However, their latest weapon, the “Liontail” framework, is a unique creation that exploits undocumented functionalities of the HTTP.sys driver to extract payloads from incoming network traffic.

Sergey Shykevich, the threat intelligence group manager at Check Point, describes Liontail as more than the typical web shells, proxies, or standard malware. It is a comprehensive framework designed specifically for its intended targets, making it highly tailored and effective.

Scarred Manticore’s evolution of tools is notable. The group initially used a modified version of the open-source Web shell Tunna, known for tunneling TCP communications through HTTP to bypass network restrictions and firewalls. Over time, they made significant modifications to Tunna, leading researchers to dub it “Foxshell.” Additionally, the group utilized a .NET-based backdoor designed for Internet Information Services (IIS) servers, which was first identified in February 2022.

However, their most advanced tool is the Liontail framework, characterized by its memory-resident custom shellcode loaders and payloads. This fileless technique ensures that the malware leaves minimal traces, making it highly stealthy and challenging to detect. Liontail predominantly employs PowerShell, reverse proxies, reverse shells, and other customized elements tailored to specific targets.

One of Liontail’s most distinctive features is its ability to call the Windows HTTP stack driver, HTTP.sys, directly to invoke payloads. This technique, described by Cisco Talos in September, allows the malware to attach itself to Windows servers and intercept and decode messages matching specific URL patterns set by the attacker. The operation appears similar to a web shell but leaves no traditional web shell logs.

Detection of Liontail has been challenging, and cybersecurity experts have emphasized the importance of advanced tools like Web application firewalls and network-level monitoring. Yoav Mazor, incident response team leader with Sygnia, noted the significance of XDR (Extended Detection and Response) solutions to combat such advanced cyber operations. He highlighted the need for endpoint protection and the correlation of network-level and endpoint-level anomalies, particularly in traffic involving web shells and PowerShell on endpoint devices. These measures are crucial for effectively mitigating the threat posed by Scarred Manticore’s advanced cyber espionage activities.

Sources:

https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/

https://www.darkreading.com/dr-global/-scarred-manticore-unleashes-most-advanced-iranian-espionage

https://exchange.xforce.ibmcloud.com/osint/guid:8b5b659373c48cebcad239752a4361a3
Ákos Sipos UPS PTMSZK