November 1, 2023 at 07:48AM
A cyber espionage campaign has been targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year. The threat actor, known as Scarred Manticore, is affiliated with Iran’s Ministry of Intelligence and Security. The campaign shows overlaps with other Iranian groups and uses a previously unknown malware framework called LIONTAIL. The group has continuously evolved its tactics and tools, demonstrating its advanced persistent threat capabilities. The targeting of Israel coincides with the ongoing Israel-Hamas conflict.
Key Takeaways:
1. A threat actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS) has been conducting a cyber espionage campaign targeting various sectors in the Middle East for at least a year.
2. The actor is known as Scarred Manticore and is believed to be closely linked to an Iranian group called Storm-0861.
3. The campaign has targeted financial, government, military, and telecommunications sectors in countries like Saudi Arabia, United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.
4. Scarred Manticore shows similarities with another Iranian group called OilRig and an intrusion set named ShroudedSnooper by Cisco Talos.
5. The threat actor uses a stealthy backdoor called HTTPSnoop to target telecom providers in the Middle East.
6. The campaign involves the use of a previously unknown malware framework called LIONTAIL, which is installed on Windows servers.
7. Scarred Manticore uses a variety of IIS-based backdoors, web shells, DLL backdoors, and driver-based implants to attack Windows servers.
8. LIONTAIL includes custom shellcode loaders and memory-resident shellcode payloads, allowing remote command execution.
9. The attack sequences involve infiltrating Windows servers and systematically harvesting sensitive data.
10. Scarred Manticore has a history of evolving its malware arsenal, using various web shells and a backdoor called SDD.
11. The group also employs a malicious kernel driver called WINTAPIX to target Microsoft Internet Information Services (IIS) servers.
12. The targeting of Israel coincides with the ongoing Israel-Hamas war, highlighting the use of information operations by nation-state actors to influence global perceptions.
13. The LIONTAIL framework shares similarities with FOXSHELL, SDD backdoor, and WINTAPIX drivers, indicating a progression in the threat actor’s attacks.