An Iranian state-sponsored threat actor has been spying on high-value organizations across the Middle East for at least a year, using a stealthy, customizable malware framework.
In a report published on Oct. 31, researchers from Check Point and Sygnia characterized the campaign as “notably more sophisticated compared to previous activities” tied to Iran. Targets thus far have spanned the government, military, financial, IT, and telecommunications sectors in Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the United Arab Emirates. The exact nature of the data stolen thus far is not publicly known.
The group responsible — tracked as “Scarred Manticore” by Check Point, and “Shrouded Snooper” by Cisco Talos — is linked with Iran’s Ministry of Intelligence and Security. It overlaps with the famous OilRig (a.k.a. APT34, MuddyWater, Crambus, Europium, Hazel Sandstorm), and some of its tools were observed in dual ransomware and wiper attacks against Albanian government systems in 2021. But its newest weapon — the “Liontail” framework, which takes advantage of undocumented functionalities of the HTTP.sys driver to extract payloads from incoming traffic — is all its own.
“It’s not just separate Web shells, proxies or standard malware,” explains Sergey Shykevich, threat intelligence group manager at Check Point. “It’s a full-scale framework, very specific to its targets.”
Scarred Manticore’s Evolving Tools
Scarred Manticore has been attacking Internet-facing Windows servers at high-value Middle East organizations since at least 2019.
In its earlier days, it used a modified version of the open source Web shell Tunna. Forked 298 times on GitHub, Tunna is marketed as a set of tools which tunnel TCP communications via HTTP, bypassing network restrictions and firewalls along the way.
Over time, the group made enough changes to Tunna that researchers tracked it under the new name “Foxshell.” It also made use of other tools, like a .NET-based backdoor designed for Internet Information Services (IIS) servers, first uncovered but unattributed in February 2022.
After Foxshell came the group’s latest, greatest weapon: the Liontail framework. Liontail is a set of custom shellcode loaders and shellcode payloads that are memory-resident, meaning they’re fileless, written into memory, and therefore leave little discernible trace behind.
“It’s highly stealthy, because there’s no big malware that’s easy to identify and prevent,” explains Shykevich. Instead, “it’s mostly PowerShell, reverse proxies, reverse shells, and very customized to targets.”
Detecting Liontail
Liontail’s stealthiest feature, though, is how it invokes payloads with direct calls to the Windows HTTP stack driver HTTP.sys. First described by Cisco Talos in September, the malware essentially attaches itself to a Windows server, listening for, intercepting, and decoding messages matching specific URL patterns determined by the attacker.
In effect, says Yoav Mazor, incident response team leader with Sygnia, “it behaves like a Web shell, but none of the traditional Web shell logs are actually written.”
According to Mazor, the primary tools that helped reveal Scarred Manticore were Web application firewalls and network-level tapping. And Shykevich, for his part, emphasizes the importance of XDR for snuffing out such advanced operations.
“If you have a proper endpoint protection, you can defend against it,” he says. “You can look for correlations between the network level and the endpoint level — you know, anomalies in traffic with Web shells and PowerShell in the endpoint devices. That’s the best way.”
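The detection approach Mazor and Shykevich describe (network-level visibility paired with endpoint telemetry) can be turned into a concrete check: a request that a network tap or WAF saw reaching the server but that never appears in the IIS W3C log is a request IIS never handled, which is exactly the footprint of a listener registered directly with HTTP.sys; if a PowerShell process starts on the server moments later, the two signals reinforce each other. The script below is an added illustration written for this article, not code from Check Point, Sygnia or Cisco Talos. All sample records (the tap lines, the IIS log lines, the endpoint events, the host name and the URL paths) are constructed, and the line formats, time windows and the "powershell.exe started within ten seconds" rule are assumptions chosen for the example.

```python
"""Correlate network-tap HTTP records with IIS W3C logs and endpoint process
events to flag requests that an HTTP.sys-level listener may have absorbed.

Added example; all data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: what a network tap / WAF saw arriving at the server.
# Format (assumed): <utc timestamp> <client ip> <method> <path>
TAP_RECORDS = """\
2023-10-20T10:00:01Z 203.0.113.5 GET /owa/
2023-10-20T10:00:07Z 203.0.113.5 POST /updates/check.aspx
2023-10-20T10:00:09Z 198.51.100.9 GET /ews/exchange.asmx
2023-10-20T10:02:30Z 203.0.113.5 POST /updates/check.aspx
""".splitlines()

# Constructed IIS W3C log for the same server; the #Fields header drives parsing.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-10-20 10:00:01 10.0.0.5 GET /owa/ - 443 203.0.113.5 200
2023-10-20 10:00:09 10.0.0.5 GET /ews/exchange.asmx - 443 198.51.100.9 401
""".splitlines()

# Constructed endpoint (EDR/XDR) process-creation events from the same host.
# Format (assumed): <utc timestamp> <host> <process> parent=<parent process>
ENDPOINT_EVENTS = """\
2023-10-20T10:00:08Z srv-web01 powershell.exe parent=unknown.exe
2023-10-20T10:01:10Z srv-web01 svchost.exe parent=services.exe
2023-10-20T10:02:31Z srv-web01 powershell.exe parent=unknown.exe
""".splitlines()


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_tap(lines):
    out = []
    for line in lines:
        ts, src, method, path = line.split()
        out.append({"ts": _ts(ts), "src": src, "method": method, "path": path})
    return out


def parse_iis(lines):
    """Parse W3C extended log lines using the #Fields directive for column names."""
    fields, out = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        out.append({
            "ts": datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"),
            "src": row["c-ip"], "method": row["cs-method"], "path": row["cs-uri-stem"],
        })
    return out


def parse_endpoint(lines):
    out = []
    for line in lines:
        ts, host, proc, parent = line.split()
        out.append({"ts": _ts(ts), "host": host, "process": proc.lower(),
                    "parent": parent.split("=", 1)[1].lower()})
    return out


def unlogged_requests(tap, iis, window=timedelta(seconds=5)):
    """Requests seen on the wire with no IIS entry for the same client/method/path
    within +/- window. IIS stamps entries at response completion, hence the slack."""
    seen = defaultdict(list)
    for entry in iis:
        seen[(entry["src"], entry["method"], entry["path"])].append(entry["ts"])
    missing = []
    for req in tap:
        times = seen.get((req["src"], req["method"], req["path"]), [])
        if not any(abs(t - req["ts"]) <= window for t in times):
            missing.append(req)
    return missing


def correlate_powershell(missing, events, window=timedelta(seconds=10)):
    """Pair each unlogged request with a powershell.exe start shortly after it."""
    hits = []
    for req in missing:
        for ev in events:
            if ev["process"] == "powershell.exe" and req["ts"] <= ev["ts"] <= req["ts"] + window:
                hits.append((req, ev))
    return hits


def analyze(tap_lines=TAP_RECORDS, iis_lines=IIS_LOG, endpoint_lines=ENDPOINT_EVENTS):
    missing = unlogged_requests(parse_tap(tap_lines), parse_iis(iis_lines))
    hits = correlate_powershell(missing, parse_endpoint(endpoint_lines))
    return missing, hits


if __name__ == "__main__":
    missing, hits = analyze()
    for req in missing:
        print("seen on wire, absent from IIS log:", req["ts"], req["src"], req["method"], req["path"])
    for req, ev in hits:
        print("  followed by", ev["process"], "on", ev["host"], "at", ev["ts"])
```

On the constructed data, the two POSTs to /updates/check.aspx never reach the IIS log and each is followed within seconds by a PowerShell start, so both are reported; the GETs that IIS logged are not. In a real deployment the tap/WAF export and the EDR feed would replace the inline strings, and the windows should be tuned to the clock skew between sources. A complementary host-side check is to list the URL prefixes currently registered with HTTP.sys (`netsh http show servicestate` on the server) and compare them against the prefixes IIS and known services are expected to own.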