AI Home Security
    Cyber Security

    ‘Scarred Manticore’ Unleashes the Most Advanced Iranian Cyber Espionage Yet

By justmattg | November 2, 2023 | 3 min read

    An Iranian state-sponsored threat actor has been spying on high-value organizations across the Middle East for at least a year, using a stealthy, customizable malware framework.

In a report published on Oct. 31, researchers from Check Point and Sygnia characterized the campaign as “notably more sophisticated compared to previous activities” tied to Iran. Targets so far have spanned the government, military, financial, IT, and telecommunications sectors in Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates. The exact nature of the data stolen is not publicly known.

The group responsible, tracked as “Scarred Manticore” by Check Point and “Shrouded Snooper” by Cisco Talos, is linked to Iran’s Ministry of Intelligence and Security. It overlaps with the well-known OilRig (a.k.a. APT34, Crambus, Europium, Hazel Sandstorm), and some of its tools were observed in the combined ransomware-and-wiper attack on Albanian government systems (initial intrusions in 2021, destructive phase in July 2022). But its newest weapon, the “Liontail” framework, which uses undocumented functionality of the HTTP.sys driver to extract payloads from incoming traffic, is all its own.

    “It’s not just separate Web shells, proxies or standard malware,” explains Sergey Shykevich, threat intelligence group manager at Check Point. “It’s a full-scale framework, very specific to its targets.”

    Scarred Manticore’s Evolving Tools

    Scarred Manticore has been attacking Internet-facing Windows servers at high-value Middle East organizations since at least 2019.

In its earlier days, it used a modified version of the open source Web shell Tunna. Forked 298 times on GitHub, Tunna is described as a set of tools that tunnel TCP communications over HTTP, bypassing network restrictions and firewalls along the way.

Over time, the group made enough changes to Tunna that researchers tracked the result under a new name, “Foxshell.” It also made use of other tools, such as a .NET-based backdoor built for Internet Information Services (IIS) servers that was first reported, without attribution, in February 2022.

After Foxshell came the group’s latest and most capable weapon, the Liontail framework. Liontail is a set of custom shellcode loaders paired with memory-resident shellcode payloads: the payloads are written directly into memory rather than to disk, so they leave little discernible trace behind.

    “It’s highly stealthy, because there’s no big malware that’s easy to identify and prevent,” explains Shykevich. Instead, “it’s mostly PowerShell, reverse proxies, reverse shells, and very customized to targets.”

    Detecting Liontail

Liontail’s stealthiest feature, though, is how it receives payloads through direct calls to the Windows HTTP stack driver, HTTP.sys. First described by Cisco Talos in September 2023, the technique lets the malware attach itself to a Windows server, registering attacker-chosen URL patterns with the driver and then receiving, intercepting, and decoding the requests that match them. Because HTTP.sys hands those requests to the implant rather than to IIS, the server’s usual application-level request logging never sees them.

    In effect, says Yoav Mazor, incident response team leader with Sygnia, “it behaves like a Web shell, but none of the traditional Web shell logs are actually written.”
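One host-side check that follows from the mechanism above, added here as an example and not code from Check Point, Sygnia or the original article: anything that receives requests from HTTP.sys through the HTTP Server API must have a URL prefix registered in the driver, and `netsh http show servicestate view=requestq` lists every request queue, the PIDs attached to it and the URLs it owns. The script below parses that output, maps PIDs to image names, and flags registrations whose owning image is not expected or whose URL prefix is not in a baseline. The sample netsh text, the PID map, the baseline and the image name updhlpr.exe are constructed for the demonstration; the sample only approximates netsh's layout, so re-check the parser against a real capture before relying on it.

```python
import csv
import subprocess
import sys

# Constructed sample in the approximate layout of
# `netsh http show servicestate view=requestq` (not captured from a real host).
# The second, unnamed queue is the hypothetical finding.
SAMPLE_NETSH = """
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: DefaultAppPool
    State: Active
    Number of active processes attached: 1
    Process IDs:
        2480
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: DefaultAppPool
        Number of registered URLs: 2
        Registered URLs:
            HTTP://*:80/
            HTTPS://*:443/

Request queue name: Request queue is unnamed.
    State: Active
    Number of active processes attached: 1
    Process IDs:
        6712
    URL groups:
    URL group ID: FE00000040000007
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:80/ews/autodiscover/
"""

# Constructed PID -> image map standing in for `tasklist` on the same host.
SAMPLE_PIDS = {2480: "w3wp.exe", 6712: "updhlpr.exe"}

# Baseline for this server role. Capture it from a known-good build of the
# same role instead of trusting these constructed defaults.
BASELINE_URLS = {"HTTP://*:80/", "HTTPS://*:443/", "HTTP://+:5985/wsman/"}
ALLOWED_IMAGES = {"w3wp.exe", "svchost.exe", "System"}


def parse_servicestate(text):
    """Return [{queue, pids, urls}] from requestq-view netsh output.

    A top-level (unindented) 'Request queue name:' starts a queue; the
    indented repeat of that label inside each URL group is ignored.
    """
    queues, cur, mode = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):
            cur = {"queue": line.split(":", 1)[1].strip(), "pids": [], "urls": []}
            queues.append(cur)
            mode = None
        elif cur is None:
            continue
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            cur["pids"].append(int(line))
        elif mode == "urls" and line.lower().startswith(("http://", "https://")):
            cur["urls"].append(line)
        elif mode and line.endswith(":"):
            mode = None  # any other section header ends the current list
    return queues


def find_suspicious(queues, pid_to_image, allowed=ALLOWED_IMAGES, baseline=BASELINE_URLS):
    """Flag URL registrations with an unexpected owner or a prefix outside the baseline."""
    findings = []
    for q in queues:
        owners = [pid_to_image.get(p, "<unknown>") for p in q["pids"]]
        for url in q["urls"]:
            reasons = []
            if any(img not in allowed for img in owners):
                reasons.append("owner image not allowlisted: " + ", ".join(owners))
            if url not in baseline:
                reasons.append("URL prefix not in baseline")
            if reasons:
                findings.append({"queue": q["queue"], "pids": q["pids"],
                                 "owners": owners, "url": url, "reasons": reasons})
    return findings


def collect_live():
    """Windows only: run netsh and tasklist on this host, return (text, pid_map)."""
    state = subprocess.run(["netsh", "http", "show", "servicestate", "view=requestq"],
                           capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                        capture_output=True, text=True, check=True).stdout
    pid_map = {int(r[1]): r[0] for r in csv.reader(tl.splitlines())
               if len(r) > 1 and r[1].isdigit()}
    return state, pid_map


if __name__ == "__main__":
    text, pids = collect_live() if "--live" in sys.argv else (SAMPLE_NETSH, SAMPLE_PIDS)
    for f in find_suspicious(parse_servicestate(text), pids):
        print(f"[{f['queue']}] {f['url']} pids={f['pids']} -> {'; '.join(f['reasons'])}")
```

Run it with `--live` on the server to replace the sample with real netsh and tasklist output. Two caveats: an implant loaded into a legitimate image such as w3wp.exe passes the image check, so the baseline comparison is the part that matters; and if an implant reaches HTTP.sys by a route other than the HTTP Server API, it may not appear in this listing at all, so a clean result is evidence, not proof.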

According to Mazor, the primary tools that helped reveal Scarred Manticore were Web application firewalls and network-level tapping: a device in front of the server records every request regardless of whether the server itself ever logs it. Shykevich, for his part, emphasizes the importance of XDR for snuffing out such advanced operations.

    “If you have a proper endpoint protection, you can defend against it,” he says. “You can look for correlations between the network level and the endpoint level — you know, anomalies in traffic with Web shells and PowerShell in the endpoint devices. That’s the best way.”
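The detection logic both practitioners describe, a request seen on the wire that the server never logged, can be run as a simple differential. The script below is an added example, not code from the original article or either vendor: it takes the requests a WAF or network tap recorded for a server and looks each one up in the IIS W3C log for the same site; a request present in the tap data but absent from the IIS log was handled below IIS, which is exactly the gap an HTTP.sys-level implant leaves. The IIS log excerpt and the tap records are constructed (RFC 5737 documentation addresses, a hypothetical /ews/autodiscover/ path); the W3C field names are IIS's own.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (field list is the IIS default; entries are invented).
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-10-31 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2023-10-31 08:00:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2023-10-31 08:00:03 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 40
2023-10-31 08:00:09 10.0.0.5 GET /favicon.ico - 443 - 203.0.113.7 Mozilla/5.0 - 404 0 2 1
"""

# Constructed records from a WAF or tap in front of the same server (hypothetical schema).
TAP_LOG = """ts,src,dst_port,method,path,status,body_len
2023-10-31T08:00:01Z,203.0.113.7,443,GET,/owa/,200,0
2023-10-31T08:00:03Z,203.0.113.7,443,POST,/owa/auth.owa,302,61
2023-10-31T08:00:06Z,198.51.100.23,443,POST,/ews/autodiscover/,200,4096
2023-10-31T08:00:09Z,203.0.113.7,443,GET,/favicon.ico,404,0
"""


def parse_iis_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header.

    IIS writes timestamps in UTC by default; they are kept naive here and the
    tap timestamps (also UTC) are parsed the same way so the two compare directly.
    """
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("W3C log has no #Fields header before data")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or partially written line; skip rather than misalign fields
        rec = dict(zip(fields, values))
        rows.append({
            "when": datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"),
            "src": rec["c-ip"],
            "method": rec["cs-method"].upper(),
            "path": rec["cs-uri-stem"].lower(),  # IIS paths are case-insensitive
        })
    return rows


def parse_tap_csv(text):
    """Parse the constructed tap/WAF CSV into the same shape as the IIS rows."""
    out = []
    for rec in csv.DictReader(io.StringIO(text)):
        out.append({
            "when": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": rec["src"],
            "method": rec["method"].upper(),
            "path": rec["path"].lower(),
            "status": rec["status"],
            "body_len": int(rec["body_len"]),
        })
    return out


def find_unlogged(tap, iis, skew=timedelta(seconds=2)):
    """Return tap records with no IIS log entry for the same source, method and
    path within `skew` seconds. Each IIS line is consumed once so that two
    identical wire requests need two log lines."""
    remaining = list(iis)
    unlogged = []
    for t in tap:
        match = None
        for i, r in enumerate(remaining):
            same = (r["src"], r["method"], r["path"]) == (t["src"], t["method"], t["path"])
            if same and abs(r["when"] - t["when"]) <= skew:
                match = i
                break
        if match is None:
            unlogged.append(t)
        else:
            remaining.pop(match)
    return unlogged


if __name__ == "__main__":
    for t in find_unlogged(parse_tap_csv(TAP_LOG), parse_iis_w3c(IIS_LOG)):
        print(f"UNLOGGED {t['when']:%Y-%m-%d %H:%M:%S} {t['src']} "
              f"{t['method']} {t['path']} status={t['status']} body={t['body_len']}B")
```

Match timestamps with a small skew tolerance and compare paths case-insensitively, since IIS normalizes case and the tap's clock will not agree with the server's to the second. Hold the comparison until IIS has flushed its log buffer (by default it writes in 64 KB chunks or about once a minute), or every recent request will look unlogged, and confirm that logging is actually enabled for the site: the signal is the gap between the two sources, not the mere absence of a log.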

    AI Home Security © 2025 All rights reserved | Designed By ESmartsSolution
