Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks

Researchers say the Iran-linked threat actor used an adaptable modular malware framework and compromised IT service providers to reach high-value targets in Israel.

Iran

An Iran-linked advanced persistent threat (APT) actor has been using a modular command-and-control (C&C) framework in recent attacks targeting organizations in Israel, Check Point reports.

Tracked as Cavern Manticore, the APT focuses on government entities and IT providers, and appears linked to Iran’s MOIS (Ministry of Intelligence and Security), with possible ties to the OilRig subgroup Lyceum (also known as Hexane and SiameseKitten).

Cavern Manticore’s C&C framework includes an adaptable toolset built using .NET, with various compilation formats used across components, used as an anti-analysis layer.

“This is not obfuscation in the traditional sense; there is no packer, no control-flow flattening, and no string encryption anywhere in the framework. Instead, the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain and a different workflow, and the analyst has to context-switch between them across components,” Check Point notes.

The components are used as agents and modules, separating core communication functionality from post-compromise capabilities and allowing the attackers to tailor deployments per-victim and extend their access to the compromised environments.

The infection chain begins with the abuse of SysAid’s software update feature to sideload a WinDirStat DLL, which leads to the execution of the Cavern agent.

Advertisement. Scroll to continue reading.

After establishing command-and-control (C&C) communication, the agent fetches additional modules based on commands received from the operator.

Dedicated modules support file operations, database enumeration and manipulation, LDAP brute-force, network reconnaissance and SMB brute-force, and SOCKS5 proxy and WebSocket/WSS tunneling. The agent uses both managed and native modules.

The agent isolates each module into its dedicated AppDomain, which is terminated after the module is unloaded, removing them from memory to eliminate analyzable assembly artifacts. Additionally, the agent deletes all files and subdirectories in the working directory, except the communication module, config file, and log files.

According to Check Point, the Cavern framework was likely built using an AI model, but code comments and typos, as well as hand-picked names and various inconsistencies between modules, suggest a human was significantly and substantively involved in the development process.

As part of observed intrusions against Israeli targets, the APT used remote monitoring and management (RMM) solutions for lateral movement between victims. It also used browser-based remote desktop technologies to access victims’ environments and built-in features such as remote printing for data exfiltration.

“Recent campaigns suggest that the threat actor possesses a strong understanding of the complex IT supplier chains within Israel’s cyber ecosystem. In several cases, we observed evidence of the actor moving from an initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization,” Check Point notes.

Related: Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack

Related: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers

Related: Iranian APT Targets Aviation, Software Companies With Updated Tools

Related: Iranian APT Intrusion Masquerades as Chaos Ransomware Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.