November 1, 2023 at 10:23AM
Researchers at Check Point warn that an Iranian espionage group known as Scarred Manticore has been using a new malware framework called LionTail in recent cyberattacks. The group, linked to the OilRig threat actor, has been active since 2019 and targets high-profile organizations in the Middle East. LionTail allows attackers to stay hidden and blend in with legitimate traffic, demonstrating the progress Iranian actors have made in recent years. The group deploys the LionTail backdoor on Windows servers to execute commands and run payloads sent by the attackers. The attacks have targeted government, military, telecommunication, financial organizations, and a regional affiliate of a humanitarian network.
Key Takeaways from Meeting Notes:
– An Iranian hacking group, known as Scarred Manticore and tied to the OilRig threat actor, has been using a new malware framework in recent cyberattacks.
– The group has been active since at least 2019, targeting high-profile organizations in the Middle East.
– The new framework, LionTail, incorporates custom loaders and in-memory shellcode payloads that help the attackers remain hidden and blend in with legitimate traffic.
– The LionTail framework deploys the passive LionTail backdoor on Windows servers to execute commands and run payloads.
– The threat actor uses unique implants for each compromised server to ensure communication blends in, and the backdoor is installed either as a standalone executable or as a DLL loaded via search order hijacking.
– During attacks, web shells, shellcode, and legitimate tools are leveraged for various purposes, including fingerprinting, establishing communication with the command-and-control server, concealing traffic, and exfiltrating data.
– LionTail has been used in attacks targeting government, military, telecommunication, and financial organizations in several Middle Eastern countries, including Iraq, Israel, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates.
– The attacks align with Iranian interests and the typical victim profile targeted in espionage operations by MOIS-affiliated clusters.
– The evolution of LionTail from FoxShell demonstrates the progress Iranian actors have made in their hacking techniques.
– While Scarred Manticore primarily focuses on maintaining covert access and data extraction, there have been examples of collaboration and sharing of access with other nation-state actors, as evidenced by the attack on the Albanian government networks.