Iranian Cyber Espionage Group Aims at Financial and Government Sectors Across the Middle East

A sophisticated cyber espionage operation attributed to a threat actor connected with Iran’s Ministry of Intelligence and Security (MOIS) has been identified, focusing its efforts on critical sectors in the Middle East, including financial institutions, government entities, military operations, and telecommunications. According to findings from Israeli cybersecurity firm Check Point, in collaboration with Sygnia, this campaign has been underway for at least a year and is being tracked under the name “Scarred Manticore”. This group appears to overlap with an emergent cluster known as “Storm-0861,” which was previously identified for its involvement in cyberattacks against the Albanian government.

Victims of Scarred Manticore span several nations, including Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel. This extensive targeting strategy indicates a deliberate focus on key regional players. Further analysis showed notable overlaps between Scarred Manticore and another Iranian hacking group, OilRig, which has been implicated in attacks against an unnamed Middle Eastern government over an eight-month period in 2023.

Research from Check Point reveals that Scarred Manticore employs a variety of tactics, including the use of a previously unidentified passive malware framework called LIONTAIL, specifically designed to infiltrate Windows servers. This advanced framework features custom shellcode loaders and payloads, allowing attackers to execute commands through HTTP requests without triggering conventional security measures. The malware’s stealthy nature is enhanced by its use of IOCTL calls to interact directly with the HTTP.sys driver, as opposed to standard APIs, thereby evading detection mechanisms that focus on more commonly monitored traffic.
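Because a passive implant of this kind receives its commands through URL prefixes that HTTP.sys routes to it, a defender can review which prefixes are registered on a server and which process is attached to each. The following PowerShell is an added example, not code from the article or from the Check Point report; it assumes that a prefix reserved through HTTP.sys appears in the `netsh http show servicestate view=requestq` output regardless of the user-mode path used to register it, and that the request-queue view places each "Request queue name:" line at column 0 with its attached process IDs and registered URLs beneath it. The allowlist of expected owner processes is a constructed starting point to tune per host.

```powershell
# Added defender's check (not from the article or the Check Point report):
# list every URL prefix registered with HTTP.sys together with the process
# that serves it, and flag prefixes owned by something other than the
# expected web server or WinRM host. Run in an elevated PowerShell session.
# Assumption: the request-queue view lists each queue at column 0, followed
# by its attached PIDs (bare integers under "Process IDs:") and the URL
# prefixes of its URL groups (lines beginning with HTTP:// or HTTPS://).

$ExpectedOwners = @('w3wp', 'svchost', 'System')   # constructed allowlist; tune per host

function Get-HttpSysUrlOwner {
    $lines   = netsh http show servicestate view=requestq verbose=yes
    $queues  = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^Request queue name:') {
            # A new request queue starts; later PID and URL lines belong to it.
            $current = [pscustomobject]@{
                Name = ($line -split ':', 2)[1].Trim(); Pids = @(); Urls = @()
            }
            $queues += $current
        }
        elseif ($null -ne $current -and $line -match '^\s*(\d+)\s*$') {
            $current.Pids += [int]$Matches[1]   # bare integers only occur under "Process IDs:"
        }
        elseif ($null -ne $current -and $line -match '^\s*(HTTPS?://\S+)') {
            $current.Urls += $Matches[1]
        }
    }
    foreach ($q in $queues) {
        # Resolve attached PIDs to process names; a PID that no longer exists is kept as "pid:N".
        $owners = foreach ($p in $q.Pids) {
            $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
            if ($proc) { $proc.ProcessName } else { "pid:$p" }
        }
        foreach ($url in $q.Urls) {
            [pscustomobject]@{
                Url        = $url
                Queue      = $q.Name
                Owners     = ($owners -join ',')
                Unexpected = @($owners | Where-Object { $_ -notin $ExpectedOwners }).Count -gt 0
            }
        }
    }
}

# Unexpected owners sort to the top for review; the table itself is not a verdict.
Get-HttpSysUrlOwner | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

A prefix served by an unfamiliar process is a lead for further triage (binary path, signature, creation time), not proof of compromise, since legitimate software also reserves HTTP.sys prefixes.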

The deployment of LIONTAIL is indicative of advanced persistent threat (APT) strategies, characterized by continuously evolving tactics and the integration of various components. Historical tracking of Scarred Manticore’s activities shows a progression in their approach, previously utilizing different web shells, including a bespoke web shell called FOXSHELL, for backend access. Recent updates have seen the integration of the .NET-based SDD backdoor, further enabling command and control capabilities through HTTP communications.

The ongoing Israel-Hamas conflict has significantly amplified the threat landscape, providing fertile ground for both low-sophistication hacktivist groups and state-sponsored actors to launch cyber operations aimed at shaping global perceptions of the situation. The implications of these attacks are underscored by a statement from the U.S. Federal Bureau of Investigation (FBI), expressing concern that this escalating cyber activity could lead to heightened targeting of American interests and critical infrastructure.

Given the advanced techniques used by Scarred Manticore, the potential MITRE ATT&CK tactics involved in this operation likely include initial access via compromised servers, persistence through the installation of backdoors like LIONTAIL, and privilege escalation to deepen their control within victim networks. The use of tailored implants on each compromised system suggests a sophisticated understanding of evasion techniques and operational security.

In summary, the activities of Scarred Manticore highlight an ongoing threat to key sectors across multiple countries, particularly within the Middle East. The group’s advancements in malware development, coupled with a strategic focus driven by current geopolitical tensions, present significant challenges for cybersecurity professionals tasked with defending against such sophisticated threats. Business owners and stakeholders in affected sectors should remain vigilant and proactive in updating and bolstering their cybersecurity defenses in light of these developments.
