Highlights:

1. Silent Intruders: Scarred Manticore, an Iranian cyber threat group linked to MOIS (Ministry of Intelligence & Security), is quietly running a stealthy, sophisticated spying operation in the Middle East. Using their latest malware framework, LIONTAIL, they have been flying under the radar for over a year.

2. Targeted Sectors: The campaign focuses on big players—government, military, telecom, IT, finance, and NGOs in the Middle East. Scarred Manticore is all about systematically nabbing data, showing their commitment to high-value targets.

3. Evolution of Tactics: Scarred Manticore’s playbook has evolved from basic web shell attacks on Windows Servers to an advanced framework with a diverse and powerful toolset that combines both custom-written and open-source components. A clear sign of Iran’s cyber game leveling up.

The Story Unfolds:

In a collaborative effort between Check Point Research (CPR) and Sygnia’s Incident Response Team, the Scarred Manticore saga comes to light. Linked to the Iranian actor DEV-0861 and to some degree to OilRig, this threat actor has a history of breaching organizations, using tailor-made tools for espionage.

The LIONTAIL framework, the latest in their arsenal, utilizes custom loaders and memory-resident shellcode payloads. Its DLL implant cleverly exploits undocumented functionalities of the HTTP.sys driver, allowing Scarred Manticore to blend malicious activities seamlessly into legitimate network traffic.

In simpler words: Imagine LIONTAIL as Scarred Manticore’s secret weapon. It’s like a high-tech spy gadget in their toolkit. This sneaky tool uses custom loaders and special code that hangs out in the computer’s memory. What makes it even trickier is that it hijacks a part of the computer called the HTTP.sys driver, using its hidden features. This lets Scarred Manticore do their cyber mischief without raising any alarms, blending in with regular network activity. It’s like a digital chameleon, slipping through undetected.

Evolutionary Trail – A Leap in Sophistication

Scarred Manticore’s evolution is traced through compromised internet-facing Windows Servers, progressing from web shells to passive backdoors and custom driver implants. The recent LIONTAIL framework represents a leap in sophistication compared to their earlier activities, showcasing the continual refinement of Iranian cyber capabilities.

Behind the Scenes – Not Just Espionage

While Scarred Manticore’s main goal is espionage, certain tools have been associated with parts of MOIS-sponsored destructive attacks against the Albanian government infrastructure (DEV-0861). The threat actor’s activities have been monitored for years, indicating a persistent pursuit of covert access and data extraction.

Check Point Customers Remain Protected

Check Point customers using IPS, Check Point Harmony Endpoint and Threat Emulation remain protected against the attacks detailed in this report.

IPS:

Backdoor.WIN32.Liontail.A
Backdoor.WIN32.Liontail.B

Threat Emulation:

APT.Wins.Liontail.C/D

Conclusion and Future Outlook

The Scarred Manticore operations are likely to persist, with potential expansion into other regions and targets aligning with Iranian long-term interests. The LIONTAIL framework’s stealthiness, avoiding common monitoring methods, poses a challenge for detection. The troubling attack in May 2021 on Albanian government networks serves as a stark reminder of the collaboration and information sharing among nation-state actors.

The war that began on the morning of October 7 between Israel and Hamas, known as “Iron Swords”, has also attracted the attention of many threat actors in cyberspace. Much like the Russian-Ukrainian war, there are many individuals and groups trying to leverage cyberspace as an added battlefield, aiming not just to inflict harm but often to orchestrate information campaigns and mould global narratives.

In this unfolding cyber saga, the intricate dance between Scarred Manticore and cybersecurity researchers reveals the ever-evolving landscape of state-sponsored cyber threats. As the story continues, the need for vigilant cybersecurity measures becomes paramount in safeguarding organizations against the persistent and advancing tactics of threat actors.

For the full technical research, visit the CP<R> blog.