An ongoing Iranian espionage campaign led by Scarred Manticore, an actor associated with the Ministry of Intelligence and Security (MOIS), has been observed targeting high-profile organizations in the Middle East, particularly in the government, military and telecommunications sectors. Its targets also include IT service providers, financial organizations and non-governmental organizations (NGOs).
Discovered by Check Point Research (CPR) and Sygnia’s Incident Response Team, the campaign peaked in mid-2023 and has reportedly flown under the radar for at least a year.
Writing in an advisory published earlier today, the CPR team said Scarred Manticore has a history of targeting high-value organizations, using various Internet Information Services (IIS)-based backdoors to infiltrate Windows servers. Their primary objective is espionage, but some of their tools were associated with an MOIS-sponsored destructive attack on Albanian government infrastructure (associated with DEV-0861).
In this latest campaign, Scarred Manticore employed the LIONTAIL framework, a complex set of custom loaders and various memory-resident shell code payloads. These implants use undocumented functions of the HTTP.sys driver to extract payloads from incoming HTTP traffic, making their malicious activities blend in with legitimate network traffic.
The LIONTAIL framework is unique, with no clear code overlaps with known malware families. While some tools used in the attacks overlap with previous activities linked to OilRig or OilRig-affiliated clusters, it’s challenging to attribute Scarred Manticore directly to OilRig.
Read more on OilRig: State-Backed APT Group Activity Continuing Apace
According to CPR, the evolution of Scarred Manticore’s tools and capabilities signifies the progress Iranian threat actors have made in recent years, with more sophisticated techniques observed in their recent operations compared to their previous activities.
“We expect that Scarred Manticore operations will persist and may spread into other regions as per Iranian long-term interests,” reads the CPR advisory.
“While most of the recent activity of Scarred Manticore is primarily focused on maintaining covert access and data extraction, the troubling example of the attack on the Albanian government networks serves as a reminder that nation-state actors may collaborate and share access with their counterparts in intelligence agencies.”