Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

'Scarred Manticore' Unleashes the Most Advanced Iranian Cyber Espionage Yet

The government-backed APT's new malware framework represents a step up in Iran's cyber sophistication.

3 Min Read
A manticore
Source: The History Collection via Alamy Stock Photo

An Iranian state-sponsored threat actor has been spying on high-value organizations across the Middle East for at least a year, using a stealthy, customizable malware framework.

In a report published on Oct. 31, researchers from Check Point and Sygnia characterized the campaign as "notably more sophisticated compared to previous activities" tied to Iran. Targets thus far have spanned the government, military, financial, IT, and telecommunications sectors in Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates. The exact nature of the data stolen thus far is not publicly known.

The group responsible — tracked as "Scarred Manticore" by Check Point, and "Shrouded Snooper" by Cisco Talos — is linked with Iran's Ministry of Intelligence and Security. It overlaps with the famous OilRig (a.k.a. APT34, MuddyWater, Crambus, Europium, Hazel Sandstorm), and some of its tools were observed in a dual ransomware and wiper attacks against Albanian government systems in 2021. But its newest weapon — the "Liontail" framework, which takes advantage of undocumented functionalities of the HTTP.sys driver to extract payloads from incoming traffic — is all its own.

"It's not just separate Web shells, proxies or standard malware," explains Sergey Shykevich, threat intelligence group manager at Check Point. "It's a full-scale framework, very specific to its targets."

Scarred Manticore's Evolving Tools

Scarred Manticore has been attacking Internet-facing Windows servers at high-value Middle East organizations since at least 2019.

In its earlier days, it used a modified version of the open source Web shell Tunna. Forked 298 times on GitHub, Tunna is marketed as a set of tools which tunnel TCP communications via HTTP, bypassing network restrictions and firewalls along the way.

Over time, the group made enough changes to Tunna that researchers tracked it under the new name "Foxshell." It also made use of other tools, like a .NET-based backdoor designed for Internet Information Services (IIS) servers, first uncovered but unattributed in February 2022.

After Foxshell came the group's latest, greatest weapon: the Liontail framework. Liontail is a set of custom shellcode loaders and shellcode payloads that are memory-resident, meaning they're fileless, written into memory, and therefore leave little discernible trace behind.

"It's highly stealthy, because there's no big malware that's easy to identify and prevent," explains Shykevich. Instead, "it's mostly PowerShell, reverse proxies, reverse shells, and very customized to targets."

Detecting Liontail

Liontail's stealthiest feature, though, is how it evokes payloads with direct calls to the Windows HTTP stack driver HTTP.sys. First described by Cisco Talos in September, the malware essentially attaches itself to a Windows server, listening for, intercepting, and decoding messages matching specific URL patterns determined by the attacker.

In effect, says Yoav Mazor, incident response team leader with Sygnia, "it behaves like a Web shell, but none of the traditional Web shell logs are actually written."

According to Mazor, the primary tools that helped reveal Scarred Manticore were Web application firewalls and network-level tapping. And Shykevich, for his part, emphasizes the importance of XDR for snuffing out such advanced operations.

"If you have a proper endpoint protection, you can defend against it," he says. "You can look for correlations between the network level and the endpoint level — you know, anomalies in traffic with Web shells and PowerShell in the endpoint devices. That's the best way."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights