Where is Manticore hiding? In the digital networks of Middle Eastern organizations.

Oct 14, 2023
The Scarred Manticore group, operating in the interests of Iran, has significantly improved its methods.

Check Point specialists, in collaboration with Sygnia, have released information about the activities of an Iranian cybercriminal group called Scarred Manticore. The group, which is associated with Iran's Ministry of Intelligence and Security (MOIS), has over the past year carried out covert espionage operations in the Middle East using a malware framework code-named LIONTAIL.

Scarred Manticore focuses on the government, military, telecommunications, information technology, finance and non-governmental sectors in the region, which points to a targeted search for and collection of valuable data.

According to the researchers, the group's tactics have evolved significantly in recent times: from simple attacks via web shells on Windows servers, the group has moved to an advanced framework with a powerful set of tools that combines both proprietary and freely available components. This indicates a growth in the cyber capabilities of the Scarred Manticore hackers.

The LIONTAIL framework uses custom loaders and memory-resident shellcode that exploit undocumented functions of the HTTP.sys driver, which allows Scarred Manticore's operations to remain hidden within legitimate network traffic.

In addition to espionage, the group's activities can be traced to involvement in MOIS-sponsored destructive attacks against the infrastructure of the Albanian government. Long-term monitoring of Scarred Manticore's activities indicates that the hackers' aim is to obtain and exfiltrate confidential data.

Concluding the report, the experts emphasize that Scarred Manticore's operations are likely to continue, expanding to other regions and targets consistent with Iran's long-term interests. Meanwhile, the difficulty of detecting the LIONTAIL framework, which evades standard monitoring methods, poses serious challenges for defenders.

State-affiliated cyber groups continue to evolve, underscoring the need for vigilance and enhanced cybersecurity measures to protect organizations from increasingly sophisticated and persistent attacker tactics.