Iranian Hackers "Educated Manticore" Target Israel With New Tools

A new Iranian-aligned threat actor dubbed Educated Manticore has been observed targeting individuals in Israel with new tactics and tools.

Security experts at Check Point Research (CPR) described the findings in a new advisory published today, which also linked the Educated Manticore hackers to the well-known advanced persistent threat (APT) group known as Phosphorus.

Read more on Phosphorus here: Iran Spear-Phishers Hijack Email Conversations in New Campaign

“The research presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was attributed to Phosphorus in the past,” reads the technical write-up.

CPR explained that while the PowerLess payload deployed by Educated Manticore was similar to that of Phosphorus, its loading mechanisms have significantly improved, now relying on techniques rarely seen in the wild, including using .NET binary files created in mixed mode with C++ code.
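Mixed-mode .NET binaries are rare enough in ordinary software that their presence is a useful triage signal. The following script, added here as an illustration and not code from CPR or from the advisory, reads a PE file's CLR (COR20) header and reports whether the image is native, IL-only, or mixed-mode (CLR header present but the COMIMAGE_FLAGS_ILONLY flag cleared, which is how C++/CLI output presents). The sample PE images it examines are constructed in-memory by the script itself, so it runs offline; the section layout and flag values in those samples are assumptions made for the example, not details taken from the reported malware.

```python
import struct

COMIMAGE_FLAGS_ILONLY = 0x1   # set when the image contains only IL, no native code
CLR_DIRECTORY_INDEX = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def classify_pe(data):
    """Return 'not-pe', 'native', 'il-only', 'mixed-mode' or 'malformed-clr'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+
        num_rva_off, dir_off = 108, 112
    elif magic == 0x10B:        # PE32
        num_rva_off, dir_off = 92, 96
    else:
        return "not-pe"
    num_dirs = struct.unpack_from("<I", data, opt + num_rva_off)[0]
    if num_dirs <= CLR_DIRECTORY_INDEX:
        return "native"
    clr_rva, clr_size = struct.unpack_from(
        "<II", data, opt + dir_off + CLR_DIRECTORY_INDEX * 8)
    if clr_rva == 0 or clr_size == 0:
        return "native"          # no CLR header: plain native image
    # Walk the section table so the CLR header RVA can be located in the file.
    sections = []
    sec_table = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, sec_table + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    off = rva_to_offset(clr_rva, sections)
    if off is None or off + 20 > len(data):
        return "malformed-clr"
    flags = struct.unpack_from("<I", data, off + 16)[0]   # COR20 Flags field
    return "il-only" if flags & COMIMAGE_FLAGS_ILONLY else "mixed-mode"


def build_sample_pe(il_only=True, has_clr=True):
    """Construct a minimal synthetic PE32+ image for testing (not a real binary)."""
    opt_size, section_rva, section_raw, section_size = 240, 0x2000, 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    if has_clr:
        struct.pack_into("<II", opt, 112 + CLR_DIRECTORY_INDEX * 8, section_rva, 72)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, section_size, section_rva, section_size, section_raw)
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += bytes(section_raw - len(headers))
    cor20 = bytearray(72)                                       # IMAGE_COR20_HEADER
    struct.pack_into("<IHH", cor20, 0, 72, 2, 5)
    struct.pack_into("<I", cor20, 16, COMIMAGE_FLAGS_ILONLY if il_only else 0)
    return bytes(headers + cor20 + bytes(section_size - len(cor20)))


if __name__ == "__main__":
    for label, img in (("il-only sample", build_sample_pe(True)),
                       ("mixed-mode sample", build_sample_pe(False)),
                       ("native sample", build_sample_pe(False, has_clr=False))):
        print(f"{label}: {classify_pe(img)}")
```

Pointed at a directory of extracted files (for instance the contents of a suspicious ISO), `classify_pe` on each file gives a quick list of candidates for closer review; a cleared ILONLY flag is only a heuristic, since legitimate C++/CLI and NGen-produced images also clear it, so treat a "mixed-mode" result as a reason to look further rather than as a verdict.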

“The newly discovered version is likely intended for phishing attacks focused around Iraq, using an ISO file to initiate the infection chain,” the company wrote. “Other documents inside the ISO file were in Hebrew and Arabic [...] suggesting the lures were aimed at Israeli targets.”

As part of CPR’s investigation into Educated Manticore, the security experts analyzed two separate lures, which they attributed with medium confidence to the same threat actor.

The CPR advisory analyzed both lures in detail but warned that attacks carried out as a result of these infections are yet to be observed in the wild.

“Because it is an updated version of previously reported malware, PowerLess, associated with some of Phosphorus’ Ransomware operations, it is important to note that it might only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild.”

The CPR findings come days after Microsoft published an advisory describing a separate threat actor, also reportedly associated with Phosphorus campaigns.
