
Check Point Research uncovers rare techniques used by Iranian-affiliated threat actor, targeting Israeli entities

Highlights:

Main findings.

Today, Check Point Research (CPR) reveals new findings of a group closely related to Phosphorus. This research presents a new and improved infection chain used by the attackers. By following the attack’s trail, CPR was able to establish links to Phosphorus, an Iran-based threat group operating in both North America and the Middle East. Phosphorus has previously been associated with a broad spectrum of activity, ranging from ransomware to spear-phishing of high-profile individuals.

In the attacks detailed in this report, we reveal that the threat actor has significantly improved its mechanisms and adopted techniques rarely seen in the wild, such as .NET binaries built in mixed mode with assembly code. The newly discovered version is likely intended for phishing attacks focused around Iraq, using an ISO file to initiate the infection chain. Other documents inside the ISO file were in Hebrew and Arabic, suggesting the lures were aimed at Israeli targets. CPR decided to track this activity cluster as Educated Manticore.

Since 2021, a new cluster of activity with clear ties to Iran has caught the attention of the Threat Intelligence community. The aggressive nature of the new threat, in combination with their ties to ransomware deployments, led to a thorough analysis of its activities.

As the activity evolved, the ties between the different clusters became harder to untangle. While the two ends of the spectrum of those activities differ significantly, not once has the threat intelligence community stumbled upon an activity that does not easily fit the known clusters. CPR’s previous report described one of those samples and the overlaps between the Log4J exploitation activity and an Android app previously tied to APT35.

The variant described in this report was delivered using ISO files, indicating it is likely meant to be the initial infection vector. Because it is an updated version of previously reported malware, this variant (PowerLess), associated with some of Phosphorus’ ransomware operations, may only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild.

Given that these new infections use techniques never before seen in the wild, Check Point Software can provide certain defense tips to protect against such attacks:

A unified security platform is essential to preventing zero-day attacks. A single solution with visibility and control across an organization’s entire IT ecosystem has the context and insight required to identify a distributed cyberattack. Additionally, the ability to perform coordinated, automated responses across an organization’s entire infrastructure is essential to preventing fast-paced zero-day attack campaigns.

For the full deep dive on Educated Manticore, visit the CPR blog.
