An ongoing Iranian espionage campaign attributed to Scarred Manticore, believed to have connections with the Ministry of Intelligence and Security (MOIS), has been uncovered, focusing on high-profile organizations in the Middle East.
Furthermore, the targets encompass government, military, telecommunications sectors, along with IT service providers, financial institutions, and non-governmental organizations (NGOs). The campaign, detected by Check Point Research (CPR) and Sygnia’s Incident Response Team, reached its peak in mid-2023 and had reportedly operated stealthily for at least a year.
Additionally, Scarred Manticore’s history of targeting high-value organizations is marked by the use of Internet Information Services (IIS)-based backdoors to infiltrate Windows servers, primarily for espionage. Some of their tools were linked to an MOIS-sponsored destructive attack on Albanian government infrastructure (connected with DEV-0861).
In their latest campaign, Scarred Manticore employed the sophisticated LIONTAIL framework, which includes custom loaders and memory-resident shell code payloads. These implants extract payloads from incoming HTTP traffic using undocumented functions of the HTTP.sys driver, enabling their malicious activities to blend seamlessly with legitimate network traffic.
The LIONTAIL framework stands out as unique, showing no code overlaps with known malware families. While some tools used in these attacks overlap with previous activities associated with OilRig or OilRig-affiliated clusters, attributing Scarred Manticore directly to OilRig remains challenging. This campaign’s sophistication reflects the evolving capabilities of Iranian threat actors, surpassing their prior activities. According to CPR, these operations are expected to persist and may expand into other regions based on Iranian long-term interests.
Notably, the attack on Albanian government networks serves as a reminder that nation-state actors may collaborate and share access with intelligence agencies counterparts, underscoring the collaborative and evolving nature of these cyber threats.