Iranian Cyber Espionage Campaign Targeting Middle East Revealed by Check Point

An ongoing cyber espionage campaign, believed to be linked to Iran’s Ministry of Intelligence and Security (MOIS), has been detected targeting financial, government, military, and telecommunications sectors across the Middle East for at least a year. Israeli cybersecurity firm Check Point, in collaboration with Sygnia, has uncovered and tracked this operation, identifying the threat actor as “Scarred Manticore.”

Scarred Manticore’s activities closely align with those of an emerging cluster known as Storm-0861, one of the four Iranian groups previously associated with destructive attacks on the Albanian government in the past year. The victims of this operation span across several countries, including Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.

Notably, Scarred Manticore exhibits overlaps with another Iranian nation-state group, OilRig, which was recently attributed to an eight-month-long attack on an undisclosed Middle Eastern government between February and September 2023.

One significant aspect of this campaign is its strategic alignment with an intrusion set referred to as “ShroudedSnooper” by Cisco Talos. The threat actor employs a stealthy backdoor known as HTTPSnoop to single out Middle Eastern telecom providers.

The distinguishing feature of Scarred Manticore’s activities is its use of a previously unknown passive malware framework named “LIONTAIL,” which is installed on Windows servers. The threat actor has been active since at least 2019.

Researchers at Check Point revealed, “Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers, including a variety of custom web shells, custom DLL backdoors, and driver-based implants.”

LIONTAIL, an advanced malware component, consists of custom shellcode loaders and memory-resident shellcode payloads. A crucial element of this framework is a lightweight yet sophisticated implant written in C, which enables attackers to execute remote commands via HTTP requests.

The attack sequences involve infiltrating publicly facing Windows servers to initiate malware delivery and systematically collect sensitive data from the compromised hosts.

The researchers have noted a stealthy approach in this operation. Instead of using the HTTP API, the malware directly interacts with the underlying HTTP.sys driver through IOCTLs. This approach is considered stealthier, as it avoids the monitoring mechanisms often applied to IIS and the HTTP API.

In addition to LIONTAIL, Scarred Manticore deploys various web shells and a web forwarder tool named “LIONHEAD.”

The historical activity of Scarred Manticore shows continuous evolution in the group’s malware arsenal, with past reliance on web shells such as Tunna and a bespoke version called FOXSHELL for backdoor access.

Since mid-2020, the threat actor has also used a .NET-based passive backdoor called “SDD,” which establishes Command and Control (C2) communication via an HTTP listener on the infected machine, enabling the execution of arbitrary commands, file uploads and downloads, and the running of additional .NET assemblies.

The evolving tactics and tools used by Scarred Manticore are indicative of an advanced persistent threat (APT) group with ample resources and diverse skills. This includes their use of a malicious kernel driver named “WINTAPIX,” discovered by Fortinet, which serves as a loader for the next stage of the attack by injecting embedded shellcode into a suitable user-mode process; the driver is designed to target Microsoft Internet Information Services (IIS) servers.

The timing of this cyber espionage campaign targeting Israel coincides with the ongoing Israel-Hamas war, which has witnessed low-sophistication hacktivist groups attacking various organizations in Israel, India, Kenya, and other nations. This suggests the involvement of nation-state actors in information operations aimed at influencing the global perception of the conflict.

Check Point researchers have found that “LIONTAIL framework components share similar obfuscation and string artifacts with FOXSHELL, SDD backdoor, and WINTAPIX drivers,” demonstrating the evolution of the threat actor’s attacks and approach, primarily relying on passive implants.
