November 2, 2023 at 10:50AM
An Iranian state-sponsored threat actor tracked as Scarred Manticore has been conducting sophisticated cyber-espionage across the Middle East for over a year. The group, linked to Iran's Ministry of Intelligence and Security, has targeted organizations in Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates. Exactly what data was stolen is unknown. The group's newest tool is a customizable malware framework called Liontail, which uses undocumented functionality of the Windows HTTP.sys driver to pull its payloads out of incoming HTTP requests, so the implant can share ports with legitimate web services instead of opening a listener of its own. Detecting and defending against Scarred Manticore requires strong endpoint protection and correlation of endpoint telemetry with what is seen at the network layer.
Key Takeaways from Meeting Notes:
– An Iranian state-sponsored threat actor, known as Scarred Manticore or Shrouded Snooper, has been conducting sophisticated espionage operations against high-value organizations in the Middle East for at least a year.
– The campaign targets various sectors, including government, military, financial, IT, and telecommunications, in countries such as Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates.
– The group operates under Iran's Ministry of Intelligence and Security and is linked to the OilRig group (also tracked as APT34).
– The group has recently developed a new framework called Liontail, which uses undocumented functionality of the HTTP.sys driver to extract payloads from incoming HTTP traffic rather than binding its own socket.
– Liontail is largely memory-resident and leaves little on disk, making it stealthy and hard to detect with file-based scanning alone.
– Web application firewalls and network-level tapping have been effective in revealing Scarred Manticore's activity, because the traffic to the implant still traverses the network even when little is visible on the host.
– Endpoint protection and XDR (Extended Detection and Response) solutions are crucial for defending against advanced threats like Scarred Manticore.
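One host-side triage step that follows from the HTTP.sys point above: anything that receives requests through HTTP.sys, Liontail-style or not, has to register URL prefixes in a kernel request queue, and `netsh http show servicestate view=requestq verbose=yes` lists those queues together with the owning process IDs. The script below is an added example (not Check Point's analysis code and not anything from the threat actor) that parses that output, maps each registered URL to the process image that owns it, and flags prefixes owned by an image that is not on an allowlist. The sample output, the PID-to-image map and the allowlist are all constructed here to approximate the netsh layout; on a real host, feed it the command's actual output and a map built from `tasklist /fo csv`.

```python
"""Triage HTTP.sys listeners: map request-queue PIDs to registered URL
prefixes and flag prefixes owned by a non-allowlisted process image.

Added example, not code from the original report. The netsh layout below
is a constructed approximation of `netsh http show servicestate
view=requestq verbose=yes`; adjust the parser if your build differs.
"""
import re
from collections import defaultdict

# Constructed sample: one WinRM queue owned by a svchost, and a second queue
# registered by a process that has no business serving HTTP on this host.
SAMPLE_SERVICESTATE = """\
Request queues:
    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            1234
        URL groups:
        URL group ID: FD00000040000001
            State: Active
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:5985/WSMAN/
    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            4711
        URL groups:
        URL group ID: FD00000040000002
            State: Active
            Number of registered URLs: 2
            Registered URLs:
                HTTP://+:80/api/v1/health/
                HTTPS://+:443/static/
"""

# Constructed PID -> image map, as one would build from `tasklist /fo csv`.
PID_IMAGE = {1234: "svchost.exe", 4711: "rundll32.exe"}

# Images normally expected to own HTTP.sys request queues; tune per host role.
ALLOWED_IMAGES = {"svchost.exe", "w3wp.exe", "system"}


def parse_servicestate(text):
    """Return {pid: [url prefixes]} parsed from netsh servicestate output.

    Each 'Request queue name:' line starts a new queue; the 'Process IDs:'
    and 'Registered URLs:' lists that follow belong to that queue until the
    next queue begins. Any other non-empty line terminates the current list.
    """
    queues = []
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request queue name:"):
            queues.append({"pids": [], "urls": []})
            mode = None
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and re.fullmatch(r"\d+", line):
            queues[-1]["pids"].append(int(line))
        elif mode == "urls" and re.match(r"https?://", line, re.I):
            queues[-1]["urls"].append(line)
        elif line:
            mode = None
    by_pid = defaultdict(list)
    for q in queues:
        for pid in q["pids"]:
            by_pid[pid].extend(q["urls"])
    return dict(by_pid)


def suspicious_listeners(servicestate_text, pid_image, allowed_images):
    """Return [(pid, image, url)] for every URL prefix registered by a process
    whose image is not allowlisted, or whose PID cannot be resolved at all."""
    findings = []
    for pid, urls in parse_servicestate(servicestate_text).items():
        image = pid_image.get(pid, "<unknown>").lower()
        if image in allowed_images:
            continue
        findings.extend((pid, image, url) for url in urls)
    return findings


if __name__ == "__main__":
    for pid, image, url in suspicious_listeners(
        SAMPLE_SERVICESTATE, PID_IMAGE, ALLOWED_IMAGES
    ):
        print(f"REVIEW pid={pid} image={image} url={url}")
```

This is a heuristic, not a signature: if a loader runs inside an allowlisted process such as an IIS worker, the image check alone will not fire, so also diff the registered prefixes against the sites and paths the server is actually configured to serve, and keep the WAF and network-tap view the takeaways above recommend as the second leg of the correlation.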