An advanced persistent threat (APT) group connected to Iran has been utilizing a sophisticated command-and-control (C&C) system in their recent cyber assaults aimed at Israeli organizations, as reported by Check Point.
Identifying the Threat: Cavern Manticore
The group, identified as Cavern Manticore, targets governmental bodies and IT service providers. Analysts suggest a link to Iran’s Ministry of Intelligence and Security (MOIS) and possible affiliations with OilRig, also known as Lyceum, Hexane, and SiameseKitten.
Cavern Manticore employs a versatile C&C framework designed with .NET technology and various compilation formats, serving as a defensive layer against analysis efforts.
Complexity in Cyber Tactics
Instead of using traditional obfuscation methods like packing or string encryption, the group employs distinct compilation formats that require different tools and workflows for analysis, complicating efforts to reverse-engineer their operations.
The framework’s components function as agents and modules, differentiating core communication tasks from capabilities post-compromise, allowing for customized deployment per target and enhancing access to breached systems.
Intrusion and Movement Techniques
The initial stage of the intrusion involves exploiting SysAid’s software update mechanism to sideload a WinDirStat DLL, triggering the Cavern agent’s execution.
Once C&C communication is established, the agent retrieves additional modules based on instructions from the operators. These modules enable file management, database operations, network reconnaissance, and more, utilizing both managed and native modules.
Modules are loaded into separate AppDomains, which are terminated upon unloading, effectively removing analysis artifacts. The agent also cleans the working directory of all files except essential communication and configuration files.
Human Involvement and Strategic Insights
Check Point indicates that while the Cavern framework may have been developed using AI, the presence of code comments, typographical errors, and inconsistent naming conventions point to significant human involvement.
In attacks on Israeli targets, the APT leveraged remote monitoring tools for lateral movement, utilized browser-based remote desktop technologies for accessing victim environments, and exploited features like remote printing for data theft.
Recent operations imply that the threat actors possess a deep understanding of Israel’s complex IT supply chains, as evidenced by their movement from initially compromised IT providers to secondary targets, eventually reaching the intended organizations.
The ongoing cyber campaigns highlight the evolving threat posed by Iranian state-linked groups, underscoring the need for robust cybersecurity measures to safeguard against such sophisticated attacks.
