With the rise of cyber threats across the globe, a recent cyber espionage campaign has caught the attention of security experts. This sophisticated campaign, observed for over a year, has targeted various sectors in the Middle East, including finance, government, military, and telecommunications. What makes this campaign more concerning is the affiliation of the threat actor with Iran’s Ministry of Intelligence and Security (MOIS), indicating a state-sponsored cyber espionage operation.
Connection to previous cyber attacks
In the world of cyber warfare, connections between different threat actors and campaigns can provide valuable insights. In this case, there seems to be an overlap between Scarred Manticore and another Iranian nation-state crew called OilRig. OilRig was recently attributed to an attack on an unnamed Middle East government, carried out over an eight-month-long campaign from February to September 2023. Additionally, there are tactical overlaps between Scarred Manticore and an intrusion set known as ShroudedSnooper, as identified by Cisco Talos.
Targeted sectors and tactics
The threat actor behind Scarred Manticore has shown a broad focus, targeting sectors vital to the Middle East’s stability. Financial institutions, government agencies, military organizations, and telecommunications providers have all become victims of this cyber espionage campaign. The method employed by Scarred Manticore to target telecom providers is particularly stealthy, using a backdoor called HTTPSnoop.
Introduction to the LIONTAIL Malware Framework
A major discovery in this cyber espionage campaign is the use of a previously unknown passive malware framework called LIONTAIL. This malware framework primarily targets Windows servers and operates as a data harvesting tool. Its installation on compromised servers allows the threat actor to systematically collect sensitive information from infected hosts.
Features of LIONTAIL Malware
LIONTAIL is a highly advanced malware framework consisting of custom shellcode loaders and memory resident shellcode payloads. The attack sequences orchestrated by Scarred Manticore involve infiltrating publicly facing Windows servers to initiate the delivery of the LIONTAIL malware. Once deployed, LIONTAIL enables the threat actor to access and exploit the compromised servers, leading to the extraction of sensitive data.
Tailor-made implants for compromised servers
One intriguing aspect of this cyber espionage campaign is the use of tailor-made implants for each compromised server. This approach allows the threat actor to seamlessly blend their malicious activities into the victim’s environment, making it exceptionally challenging to distinguish between suspicious and legitimate network traffic. This level of sophistication increases the effectiveness and longevity of their operations.
Evolution of the Scarred Manticore’s Malware Arsenal
The historical activity of Scarred Manticore indicates a continuous evolution of their malware arsenal. In the past, the threat actor relied on web shells like Tunna and a bespoke version called FOXSHELL for backdoor access. The adoption of LIONTAIL showcases an ongoing effort to develop advanced techniques and tools, indicating their intention to remain undetected and maintain their cyber espionage capabilities.
Concerns raised by the FBI
The US Federal Bureau of Investigation (FBI), in a statement to the Senate Committee on Homeland Security and Governmental Affairs (HSGAC), issued a warning about the potential targeting of American interests and critical infrastructure by Iran and non-state actors. The FBI emphasizes the need to address the escalating cyber threats posed by these actors, indicating that the situation has the potential to worsen if left unchecked.
The cyber espionage campaign waged by Scarred Manticore, which is affiliated with Iran’s Ministry of Intelligence and Security (MOIS), poses a significant threat to the Middle East’s financial, governmental, military, and telecommunications sectors. With the discovery of the new LIONTAIL malware framework and the use of tailor-made implants, the threat actor’s sophistication is evident. The evolving nature of their malware arsenal, coupled with the concerns raised by the FBI, underscores the urgent need for proactive measures to address the growing cyber threats targeting not only the Middle East but also American interests and critical infrastructure.