
Iranian Espionage Group “Scarred Manticore” Uses New LionTail Malware
Scarred Manticore, an Iranian hacking group associated with the country's Ministry of Intelligence and Security (MOIS), has been running a long-term, covert espionage operation. The group has targeted government entities and large infrastructure companies across the Middle East and stolen valuable data. It breached networks using custom tooling that grew markedly more sophisticated over time. The latest such tool, dubbed LionTail by Check Point's research team, is a malware framework that receives its commands through the Windows HTTP.sys driver, the same kernel component that serves IIS web traffic.
Link to the OilRig Threat Actor
Scarred Manticore is the only group seen using LionTail, but it has ties to the OilRig threat actor (also tracked as APT34). Code overlaps between the two groups' malware suggest that tooling used by OilRig may also be in Scarred Manticore's hands, although the exact relationship between the two is not clear.
Long-term Activity and High-Profile Targets
The group has been active since at least 2019 and has steadily refined its tactics and tools against high-profile organizations in the Middle East. Victims in Saudi Arabia, Jordan, Kuwait, Israel and Oman suffered intrusions that went undetected for long periods. Long, quiet access to such targets supports both sustained espionage and the mapping of networks for possible future attacks.
The Evolution of Liontail Malware
The LionTail framework at the heart of current Scarred Manticore operations is a far cry from the group's early tooling. The most recent campaign, detected only this summer, had run unnoticed for nearly a year. LionTail represents a large jump in sophistication, from its intricate configuration to its ability to hide inside ordinary web traffic, giving the operators considerable flexibility and stealth.
LionTail: A Set of Custom Loaders and Shellcode Payloads
LionTail is central to Scarred Manticore's current tradecraft: a set of custom loaders and memory-resident shellcode payloads built for stealth and adaptability. It shares no code with known malware families, which points to a purpose-built framework rather than a reuse of public tooling.
Blending in With Legitimate Traffic
LionTail hides inside normal web traffic to the compromised server. It is a passive backdoor: its command channel rides on HTTP requests to URL patterns chosen to fit the compromised host, so there is no separate outbound beaconing connection for defenders to spot. This makes the implant hard to detect and lets the operators work covertly for long periods.
Progress of Iranian Actors
The development and deployment of LionTail shows how far Iranian actors have come. The group has moved from simple exploits and off-the-shelf tools to a multi-component, stealthy malware framework capable of sustained espionage. That progress underscores the need for defenses that keep pace with increasingly sophisticated attacks.
Installation Modes
LionTail can be installed in two ways: as a standalone executable, or as a DLL that a legitimate process loads through DLL search order hijacking. Either way the implant gains a foothold and persists on the host while its command traffic hides among the server's ordinary web requests.
LionTail Uses Unique Techniques for Infiltrating Systems
LionTail departs from traditional malware in how it is operated once on a system, and its methods reflect the degree of customization Scarred Manticore applies to its espionage activities.
Executing Commands Via HTTP Requests
The backdoor takes its commands from HTTP requests. A request to one of the URL patterns in the implant's configuration carries a payload, and the implant executes it in memory as shellcode. Because the traffic looks like ordinary requests to the web server, the attackers can control compromised hosts, launch operations and exfiltrate data without raising alarms.
Custom-Made Implant for Each Server
LionTail is customized for each web server it targets: the implant's configuration, including the URL patterns it listens on, is tailored to the compromised host. That per-server tailoring improves both the reliability of the channel and its ability to evade detection, and is a clear sign of the group's capability.
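The behaviours described in the last three sections, an implant installed as a sideloaded DLL that then receives commands on configured URL prefixes, can be checked for directly on a Windows web server. The triage script below is an added example written for this article; it is not code from Check Point's report or from the LionTail operators. It relies on the fact that a process serving HTTP through the Windows HTTP service, as IIS and LionTail both do, must register its URL prefixes with the HTTP.sys driver, which `netsh http show servicestate` enumerates. The list of expected listener processes is an assumption for a plain IIS host and must be tuned before trusting the output; run the script from an elevated 64-bit PowerShell on the host itself so that module lists of 64-bit processes can be read.

```powershell
# Added triage example (not Check Point's code or LionTail's): find processes that
# listen on URL prefixes through HTTP.sys and look for sideloaded DLLs inside them.
$ErrorActionPreference = 'Stop'

function Get-HttpSysListeners {
    # Parse 'netsh http show servicestate view=requestq'. Each request queue block
    # lists the PIDs attached to it ("Process IDs:") and the URL prefixes it serves
    # ("Registered URLs:"). A sentinel line flushes the last block.
    $lines = @(netsh http show servicestate view=requestq) + 'Process IDs: <end>'
    $records = @(); $pids = @(); $urls = @(); $section = ''
    foreach ($line in $lines) {
        if ($line -match '^\s*Process IDs:') {
            foreach ($p in $pids) {
                foreach ($u in $urls) {
                    $records += [pscustomobject]@{ ProcessId = $p; Url = $u }
                }
            }
            $pids = @(); $urls = @(); $section = 'pids'
        }
        elseif ($line -match '^\s*Registered URLs:') { $section = 'urls' }
        elseif ($section -eq 'pids' -and $line -match '^\s*(\d+)\s*$') { $pids += [int]$Matches[1] }
        elseif ($section -eq 'urls' -and $line -match '^\s*(https?://\S+)') { $urls += $Matches[1] }
        elseif ($line -match '^\s*\S.*:') { $section = '' }   # any other "Label:" line ends a list
    }
    return $records
}

function Get-ListenerReport {
    # Resolve each listening PID to its image and Authenticode status; flag anything
    # outside the expected set or not validly signed. The default list is an
    # assumption for a plain IIS host (System = PID 4, which has no image path).
    param([string[]]$Expected = @('w3wp', 'svchost', 'System', 'inetinfo', 'WmiPrvSE'))
    Get-HttpSysListeners | Group-Object ProcessId | ForEach-Object {
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.Name } else { '<exited>' }
        $path = if ($proc -and $proc.Path) { $proc.Path } else { $null }
        $sig  = if ($path) { "$((Get-AuthenticodeSignature -FilePath $path).Status)" } else { 'Unknown' }
        [pscustomobject]@{
            ProcessId  = [int]$_.Name
            Process    = $name
            Path       = $path
            Signature  = $sig
            Urls       = ($_.Group.Url | Sort-Object -Unique) -join ' '
            Suspicious = ($Expected -notcontains $name) -or ($sig -ne 'Valid' -and $name -ne 'System')
        }
    }
}

function Get-SideloadCandidates {
    # List loaded modules of one process that look sideloaded: unsigned and outside
    # the Windows system directories, or carrying the name of a System32 DLL while
    # loaded from elsewhere (the classic search-order hijack indicator).
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { return }
    try { $modules = $proc.Modules } catch { Write-Warning "Cannot read modules of PID $ProcessId : $_"; return }
    $sysDirs = @("$env:windir\System32\", "$env:windir\SysWOW64\", "$env:windir\WinSxS\")
    foreach ($m in $modules) {
        $inSys   = [bool]($sysDirs | Where-Object { $m.FileName -like "$_*" })
        $shadows = (-not $inSys) -and (Test-Path -LiteralPath "$env:windir\System32\$($m.ModuleName)")
        $sigObj  = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        $sig     = if ($sigObj) { "$($sigObj.Status)" } else { 'Unknown' }
        if ($shadows -or ($sig -ne 'Valid' -and -not $inSys)) {
            [pscustomobject]@{
                ProcessId = $ProcessId; Module = $m.ModuleName; Path = $m.FileName
                Signature = $sig; ShadowsSystemDll = $shadows
            }
        }
    }
}

# Usage: report every HTTP.sys listener, then inspect the modules of each of them.
$report = Get-ListenerReport
$report | Format-Table -AutoSize
$report | ForEach-Object { Get-SideloadCandidates -ProcessId $_.ProcessId } | Format-Table -AutoSize
```

The URL column is the useful part for the per-server tailoring described above: compare the registered prefixes against the paths the site legitimately serves, since a prefix that fits the site's naming but belongs to no deployed application is exactly what a tailored implant would register. Modules are checked for every listener, not only the flagged ones, because a DLL introduced by search order hijacking lives inside an otherwise legitimate, signed host process.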
Use of Web Shells, Shellcodes, and Legitimate Tools
LionTail is used alongside web shells, standalone shellcode and legitimate tools to carry out a wide range of tasks, including fingerprinting the environment and hiding traffic from network security controls. Leaning on legitimate tools lets the activity blend with normal administration and further reduces its footprint.
LionTail Targets and Future Implications
The use of LionTail says something about the targets Scarred Manticore selects and about where state-sponsored cyber attacks are heading.
High-Profile Targets in the Middle East
Victims of LionTail campaigns include government and military organizations and large infrastructure firms, chiefly in the telecommunications and financial sectors. These entities, mainly in the Middle East, are high-value targets whose data is of obvious interest to a nation-state intelligence service.
Collaboration and Shared Access
The stealth and complexity of these intrusions are also a reminder that state-sponsored groups working for the same intelligence service may share tools and access with one another. That cooperation multiplies the reach and potential damage of a single intrusion.
Future Attacks: Increased Stealth and Adaptability
The sophistication of the LionTail framework, and its stealth and adaptability, offer a concerning preview of future state-sponsored espionage campaigns. Such attacks can be expected to keep improving in stealth and adaptability, continually testing defenses and raising the overall level of risk.