IIS-based Backdoors

A new threat actor associated with Iran’s Ministry of Intelligence and Security (MOIS) has been discovered conducting cyberespionage campaigns. Its targets are the government, military, financial, and telecommunication sectors in the Middle East.

This threat actor has been tracked under the name Scarred Manticore and closely overlaps two other threat actors, Storm-0861 and OilRig. Moreover, their victims have been reported in several countries, such as Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.


LIONTAIL Framework

For their malware activities, Scarred Manticore uses the novel malware framework LIONTAIL. This malware framework includes a set of custom shellcode loaders, memory resident shellcode payloads, and a backdoor written in C.

This backdoor is installed on Windows servers and enables the threat actors to execute remote commands through HTTP requests. The backdoor also sets up listeners for the list of URLs provided in its configuration and executes the payloads carried by requests that the threat actors send to those specific URLs.

LIONTAIL Framework (Source: Checkpoint Research)

Existence Since 2019

This threat actor has been active since at least 2019. They have deployed several tools on compromised, Internet-facing Windows servers belonging to organizations in the Middle East region.

Moreover, their toolset has gone through significant development: it began as a web-deployed proxy based on open-source code and has evolved into a diverse and powerful toolset that combines custom-written and open-source components.

Evolution of their toolset since 2019 (Source: Checkpoint Research)

A complete report on this threat actor has been published by Checkpoint Research, providing detailed information about the threat actor’s behavior, code analysis, initial access, C&C communication, attack methods, and other details.

Indicators of Compromise



Eswar is a cybersecurity reporter with a passion for creating captivating and informative content. With years of experience in cybersecurity, he reports on data breaches, privacy, and APT threats.