A new threat actor associated with Iran’s Ministry of Intelligence and Security (MOIS) has been found conducting cyberespionage campaigns. Its targets are the government, military, financial, and telecommunication sectors in the Middle East.
This threat actor is tracked under the name Scarred Manticore and overlaps closely with two other tracked groups, Storm-0861 and OilRig. Its victims have been reported in several countries, including Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.
LIONTAIL Framework
For its malware operations, Scarred Manticore uses a novel malware framework named LIONTAIL. The framework consists of a set of custom shellcode loaders, memory-resident shellcode payloads, and a backdoor written in C.
The backdoor is installed on Windows servers and lets the threat actor execute remote commands through HTTP requests. It also sets up listeners for the list of URLs provided in its configuration and executes the payloads carried by requests that the threat actor sends to those specific URLs.
Existence Since 2019
This threat actor has been active since at least 2019. It has deployed several tools on compromised, Internet-facing Windows servers belonging to organizations in the Middle East.
Its toolset has also undergone significant development: it began as an open-source-based, web-deployed proxy and has evolved into a diverse and capable toolset that combines custom-written and open-source components.
A full report on this threat actor has been published by Check Point, providing detailed information about the actor’s behavior, code analysis, initial access, C&C communication, attack methods, and other details.
Indicators of Compromise