An Iranian espionage group has been caught using a new malware framework in a recent spate of cyberattacks, according to a warning from researchers at Check Point.
Tracked as Scarred Manticore and linked to the OilRig threat actor, the nation-state hacking group has been active since at least 2019, targeting high-profile organizations in the Middle East.
In its most recent campaign, Scarred Manticore has been observed using LionTail, a set of custom loaders and in-memory shellcode payloads that do not show code overlaps with known malware families, and which allow the attackers to stay hidden, blending in with legitimate traffic.
The campaign employs techniques “notably more sophisticated compared to previous activities” previously tied to Iran, demonstrating “the progress the Iranian actors have undergone over the last few years.”
As part of the framework, Check Point found that Scarred Manticore deploys the passive backdoor LionTail on Windows servers, to execute commands via HTTP requests and run payloads attackers send to URLs specified in the malware’s configuration.
“Utilizing access from a publicly facing server, the threat actor chains a set of passive implants to access internal resources. The internal instances of the LionTail backdoors we’ve seen so far either listen on HTTP(s), similar to the internet-facing instances, or in some cases use named pipes to facilitate remote code execution,” Check Point added.
The threat actor builds a tailor-made implant for each compromised server so that its communication blends in with that server's normal traffic; the backdoor is installed either as a standalone executable or as a DLL loaded through DLL search order hijacking.
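A defender-side check suggested by the passive-listener behaviour described above, added here as an example and not code from Check Point or the article: a passive backdoor that answers on the same HTTP(S) ports as the legitimate web server is easiest to spot by inventorying who owns which URL prefixes on each port. The script assumes (the article does not say so) that the implant registers its own URL prefixes with the Windows HTTP Server API (HTTP.sys), so the data it consumes is the kind collected from `netsh http show servicestate` plus a process listing; the registrations, process names and the `EXPECTED_PROCESSES` allowlist are constructed for illustration.

```python
"""Audit HTTP.sys URL-prefix registrations for passive-implant patterns.

Added example; not the article's or Check Point's code. The records below are
constructed: on a real host they would come from `netsh http show servicestate`
joined with a process list (the exact collection method is an assumption).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    prefix: str      # URL prefix as registered, e.g. "https://*:443/"
    pid: int         # process that registered the prefix
    process: str     # image name of that process


# Site-specific allowlist of images expected to use HTTP.sys (assumed defaults:
# IIS worker processes and service-hosted listeners). Tune per host.
EXPECTED_PROCESSES = {"w3wp.exe", "svchost.exe"}

# Constructed sample: a normal IIS site, a second app pool, a service on 8080,
# and one prefix nested under the HTTPS site owned by an unknown image.
SAMPLE = [
    Registration("http://*:80/", 4136, "w3wp.exe"),
    Registration("https://*:443/", 4136, "w3wp.exe"),
    Registration("http://*:80/api/", 5220, "w3wp.exe"),
    Registration("https://*:443/updates/", 7712, "svcnet.exe"),  # constructed, not an expected image
    Registration("http://+:8080/", 2208, "svchost.exe"),
]


def parse_prefix(prefix):
    """Split an HTTP.sys prefix into (scheme, host, port, path).

    HTTP.sys allows '*' and '+' as wildcard hosts; a missing port defaults by
    scheme (80 for http, 443 for https).
    """
    scheme, sep, rest = prefix.lower().partition("://")
    if not sep or scheme not in ("http", "https"):
        raise ValueError(f"not an HTTP.sys prefix: {prefix!r}")
    netloc, _, path = rest.partition("/")
    host, colon, port_s = netloc.rpartition(":")
    if colon and port_s.isdigit():
        port = int(port_s)
    else:
        host, port = netloc, (443 if scheme == "https" else 80)
    return scheme, host, port, "/" + path


def audit(registrations, expected=EXPECTED_PROCESSES):
    """Return (severity, registration, reason) findings.

    high: a prefix registered by an image outside the allowlist.
    info: a sub-path registered by a process other than the one holding the
          root '/' of that port. IIS application pools do this legitimately, so
          it is context for the analyst rather than an alert on its own.
    """
    by_port = defaultdict(list)
    for reg in registrations:
        _scheme, _host, port, path = parse_prefix(reg.prefix)
        by_port[port].append((reg, path))

    findings = []
    for port, entries in sorted(by_port.items()):
        root_owners = {reg.pid for reg, path in entries if path == "/"}
        for reg, path in entries:
            if reg.process.lower() not in expected:
                findings.append(("high", reg,
                                 f"port {port}: prefix registered by image outside allowlist"))
            elif path != "/" and root_owners and reg.pid not in root_owners:
                findings.append(("info", reg,
                                 f"port {port}: sub-path under a site owned by pid(s) "
                                 f"{sorted(root_owners)}"))
    return findings


if __name__ == "__main__":
    for severity, reg, reason in audit(SAMPLE):
        print(f"[{severity}] {reg.prefix} pid={reg.pid} ({reg.process}): {reason}")
```

The useful signal is the combination: a prefix nested under an existing site, served by a process that is not one of the known web-server images, is exactly the shape of a listener built to hide in legitimate traffic. Because this is a heuristic over inventory data, pair it with a periodic baseline of registrations so that new prefixes stand out over time.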
As part of the observed attacks, web shells, shellcodes, and legitimate tools are leveraged to perform various operations, including fingerprinting, establishing communication with the command-and-control (C&C) server, concealing traffic, and exfiltrating data.
The LionTail framework has been used in attacks targeting government, military, telecommunication, and financial organizations in Iraq, Israel, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates. A regional affiliate of a global non-profit humanitarian network was also infected.
“The geographic region and the targeted profile are aligned with Iranian interests and in line with the typical victim profile that MOIS-affiliated clusters usually target in espionage operations,” Check Point notes.
LionTail appears to be an evolution of FoxShell, another tool attributed to Scarred Manticore, but it stands out from the other observed variants: it implements its listeners differently and lets the attackers customize each implant, giving it enhanced stealth.
“While most of the recent activity of Scarred Manticore is primarily focused on maintaining covert access and data extraction, the troubling example of the attack on the Albanian government networks serves as a reminder that nation-state actors may collaborate and share access with their counterparts in intelligence agencies,” Check Point added.