An Iranian threat actor linked to the Ministry of Intelligence and Security (MOIS) has been conducting a highly sophisticated cyber espionage campaign, targeting financial, government, military, and telecommunications sectors in the Middle East for over a year.
Israeli cybersecurity firm Check Point, in collaboration with Sygnia, uncovered this campaign and is tracking the actor under the name “Scarred Manticore.” This group shares similarities with an emerging cluster called Storm-0861, one of the Iranian groups involved in destructive attacks on the Albanian government last year.
The victims of this campaign span multiple countries, including Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel. Scarred Manticore also exhibits tactical overlaps with another Iranian group, OilRig, which was recently implicated in an eight-month-long campaign targeting a Middle Eastern government between February and September 2023.
One of the key techniques employed by Scarred Manticore involves a stealthy backdoor known as HTTPSnoop, targeting telecom providers in the Middle East. The group employs a previously unknown passive malware framework, dubbed “LIONTAIL,” which is installed on Windows servers. The threat actor has been active since at least 2019.
LIONTAIL comprises custom shellcode loaders and memory-resident shellcode payloads. The framework includes a lightweight yet sophisticated implant written in C that allows the attackers to execute commands remotely via HTTP requests.
The attack process involves compromising publicly facing Windows servers to initiate malware delivery and then systematically gathering sensitive data from the infected hosts. Scarred Manticore employs an unusual command-and-control (C2) mechanism: rather than going through the usual HTTP Server API, it uses IOCTLs to interact directly with the HTTP.sys driver, which is less likely to trigger security solutions but demands additional research effort from the threat actors.
One noteworthy detail is that the LIONTAIL backdoor shares similarities with HTTPSnoop due to its use of the HTTP.sys driver to extract payloads from incoming HTTP traffic. Scarred Manticore customizes an implant for each compromised server, making it challenging to distinguish malicious activities from legitimate network traffic.
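Because a passive HTTP.sys-based implant never opens its own socket, one of the few host-side places a defender can look is the set of URL prefixes registered with HTTP.sys on each Windows server and compare it against what that server is supposed to serve. The script below is an added example written for this article, not code from Check Point, Sygnia or the research it describes. It assumes that `netsh http show servicestate` lists prefixes under a `Registered URLs:` header, one per line (the sample text is constructed in that shape), and that an allowlist of expected prefixes is maintained per server role. Whether any particular implant's listener appears in this listing is an assumption, not something the article states, so an empty result does not clear a host.

```python
"""Baseline check of URL prefixes registered with the Windows HTTP.sys driver.

Added example for this article; not from the Check Point/Sygnia research.
Assumptions (not stated on the page):
  - `netsh http show servicestate` prints registered prefixes beneath a
    'Registered URLs:' line, one prefix per line, as in the constructed
    sample below;
  - a per-role allowlist of expected prefixes exists for each server.
"""
import re
import subprocess

# Constructed sample of netsh output; the third prefix is an invented,
# deliberately generic-looking entry that is NOT in the allowlist.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 2
            Registered URLs:
                HTTP://+:80/
                HTTPS://+:443/

Server session ID: FF00000020000002
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 1
            Registered URLs:
                HTTPS://+:443/api/internal/status/
"""

# A registered prefix line is just whitespace plus http(s)://...
URL_PREFIX_RE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE)


def normalize(prefix):
    """Lower-case the prefix and force exactly one trailing slash so that
    'HTTPS://+:443' and 'https://+:443/' compare equal."""
    return prefix.strip().lower().rstrip("/") + "/"


def parse_registered_urls(text):
    """Return every URL prefix that follows a 'Registered URLs:' header.

    A block ends at the first line that is not a URL prefix (blank line,
    next 'Server session ID:' line, and so on)."""
    urls = []
    in_block = False
    for line in text.splitlines():
        if line.strip().lower().startswith("registered urls:"):
            in_block = True
            continue
        if in_block:
            match = URL_PREFIX_RE.match(line)
            if match:
                urls.append(normalize(match.group(1)))
            else:
                in_block = False
    return urls


def find_unexpected_prefixes(registered, allowlist):
    """Prefixes present on the host but absent from the role's allowlist."""
    allowed = {normalize(p) for p in allowlist}
    return sorted({normalize(p) for p in registered} - allowed)


def collect_live_state():
    """Run netsh on the local Windows host and return its stdout."""
    result = subprocess.run(
        ["netsh", "http", "show", "servicestate"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Example allowlist for a plain IIS web front end (constructed).
    allowlist = ["HTTP://+:80/", "https://+:443"]
    try:
        state = collect_live_state()
    except (OSError, subprocess.CalledProcessError):
        state = SAMPLE_SERVICESTATE  # not on Windows: fall back to the sample
    for prefix in find_unexpected_prefixes(parse_registered_urls(state), allowlist):
        print("unexpected HTTP.sys prefix:", prefix)
```

In practice the allowlist is easiest to build by collecting this output from several servers of the same role and keeping the prefixes they all share; the article notes that the implant is customized per compromised server, which is exactly why a prefix unique to one host among its peers deserves a closer look. Treat a hit as a lead for triage of that server's request queues and processes, not as a verdict.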
The group has a history of evolving its malware arsenal, from web shells like Tunna and a bespoke version known as FOXSHELL to a .NET-based passive backdoor called SDD, which has been in use since mid-2020. These ongoing updates in tactics and tools typify advanced persistent threat (APT) groups, highlighting their resources and diverse skills. Scarred Manticore has also utilized a malicious kernel driver called WINTAPIX, further demonstrating their advanced capabilities.