Scarred Manticore, a notable force within the cyber espionage landscape, is an Iranian threat group closely linked to the Ministry of Intelligence and Security (MOIS) that has been skillfully conducting a complex espionage campaign.
The group is an Iranian nation-state threat actor known for targeting government and telecommunication sectors in the Middle East. It is also associated with the well-known Iranian actor OilRig, also known as APT34, EUROPIUM, and Hazel Sandstorm. Scarred Manticore is recognized for its persistent pursuit of high-profile organizations, utilizing specialized tools to gain access and systematically extract data.
The primary tool in its arsenal is LIONTAIL, an advanced passive malware framework installed on Windows servers. This campaign, peaking in mid-2023, has been operating under the radar for at least a year, targeting high-profile organizations in the Middle East, particularly in government, military, and telecommunications sectors, as well as IT service providers, financial organizations, and NGOs.
The LIONTAIL Framework: A Stealthy Conduit for Espionage
LIONTAIL, the centerpiece of Scarred Manticore’s operations, is a testament to the group’s technical sophistication. This malware framework includes custom loaders and memory-resident shellcode payloads. Its primary component, the LIONTAIL backdoor, is a lightweight yet sophisticated tool installed on Windows servers. It enables attackers to execute commands remotely through HTTP requests, setting up listeners for URLs provided in its configuration, and executing payloads from requests sent by attackers to these URLs.
The backdoor components are the main implants used in the latest intrusions by Scarred Manticore. By utilizing access from a publicly facing server, the threat actor chains a set of passive implants to access internal resources. The internal instances of the LIONTAIL backdoors either listen on HTTP(s) or, in some cases, use named pipes for remote code execution.
Installation and Configuration of LIONTAIL
The installation methods of the LIONTAIL backdoor on compromised Windows servers vary. They include standalone executables and DLLs loaded through search order hijacking by Windows services or legitimate processes. The malware exploits the absence of certain DLLs on Windows Server OS distributions, dropping the backdoor into the system folder as wlanapi.dll or wlbsctrl.dll. Depending on the version of Windows Server, the malicious DLL is then loaded either directly by other processes or by enabling specific services.
The malware begins by performing a one-byte XOR decryption of a structure containing its configuration. The listen_urls field defines specific URL prefixes to which the malware listens for incoming requests. Many LIONTAIL samples contain tailor-made configurations, adding multiple custom URLs that match existing web folders on the compromised server, ensuring the malware communication blends into legitimate traffic.
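As an added analyst-side example (not code from the original article or from any published LIONTAIL analysis), the script below shows how a one-byte XOR-obscured configuration of the kind described above can be recovered from a sample without knowing the key: every one of the 256 possible keys is tried and each candidate plaintext is scored by how many URL prefixes it contains, since a listen_urls field has to contain them. The sample blob, the 0x5A key, the NUL-separated field layout and the two URL prefixes are all constructed for this example and are not taken from a real sample.

```python
"""
Added example: recover a one-byte-XOR-obscured configuration blob by
brute-forcing the key and scoring candidates for URL prefixes.
Everything marked "constructed" below is made up for this example.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: a hypothetical listen_urls field holding two URL
# prefixes separated by NUL bytes, XOR-obscured with the constructed key 0x5A.
_SAMPLE_KEY = 0x5A
_SAMPLE_PLAIN = b"http://+:80/owa/auth/\x00https://+:443/remote/\x00"
SAMPLE_BLOB = bytes(b ^ _SAMPLE_KEY for b in _SAMPLE_PLAIN)

# A URL prefix: scheme, then printable non-space bytes up to a NUL or space.
URL_PREFIX_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply a one-byte XOR to every byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def score_candidate(plain: bytes) -> Tuple[int, int]:
    """Return (url_prefix_count, printable_or_nul_byte_count) for a candidate.

    URL prefixes are the decisive signal; printable bytes only break ties.
    """
    urls = len(URL_PREFIX_RE.findall(plain))
    printable = sum(1 for b in plain if 0x20 <= b <= 0x7E or b == 0)
    return urls, printable


def recover_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys; return the best-scoring one, or None if no
    candidate contains a single URL prefix (then this is not such a config)."""
    best: Optional[Tuple[int, Tuple[int, int]]] = None
    for key in range(256):
        score = score_candidate(xor_single_byte(blob, key))
        if score[0] == 0:
            continue
        if best is None or score > best[1]:
            best = (key, score)
    return None if best is None else best[0]


def extract_listen_urls(blob: bytes) -> List[str]:
    """Decode the blob with the recovered key and list the URL prefixes in it."""
    key = recover_key(blob)
    if key is None:
        return []
    plain = xor_single_byte(blob, key)
    return [m.decode("ascii") for m in URL_PREFIX_RE.findall(plain)]


if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
    for url in extract_listen_urls(SAMPLE_BLOB):
        print("listen URL prefix:", url)
```

Once the prefixes are recovered from a sample, they are the most directly actionable artifact for a defender: they can be matched against the web folders that legitimately exist on the server and against HTTP traffic to paths the web application itself never serves.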
The Technical Sophistication of Scarred Manticore
Scarred Manticore’s evolution in tools and capabilities demonstrates significant progress by Iranian actors over the last few years. The techniques utilized in recent operations are notably more sophisticated compared to previous activities tied to Iran. While the LIONTAIL framework itself appears to be unique, other tools used in these attacks overlap with previously reported activities, most notably linked back to historic OilRig or OilRig-affiliated clusters.
Conclusion: A Persistent and Evolving Threat
Scarred Manticore, through its use of the LIONTAIL framework, represents a persistent and evolving threat in the realm of cyber espionage. Its focus on high-value targets and the sophistication of its tools underscore the advanced capabilities of state-sponsored actors in the digital age. The campaign’s stealth and technical intricacy highlight the need for heightened vigilance and advanced security measures, particularly for organizations in sensitive sectors.
As the cyberthreat landscape continues to evolve, the activities of groups like Scarred Manticore serve as a reminder of the ongoing and complex threats posed by nation-state actors. Understanding and mitigating these threats require a deep comprehension of the evolving tactics and tools employed by such actors, emphasizing the importance of continuous monitoring and advanced cybersecurity strategies in today’s interconnected world.