Iran APTs Tag Team Espionage, Wiper Attacks Against Israel & Albania

Published: 23/11/2024   Category: security




Scarred Manticore is the smart, sophisticated one. But when Iran needs something destroyed, it hands the keys over to Void Manticore.



Iranian state-backed threat actors have been working closely to spy on, and then wreak havoc against, major organizations in Albania and Israel.
Iran's Ministry of Intelligence and Security (MOIS)-linked Scarred Manticore (aka Storm-861), Iran's most sophisticated espionage actor, has been spying on high-value organizations across the Middle East and beyond for some time now. The group is so effective at what it does, in fact, that an entirely different MOIS advanced persistent threat (APT), Void Manticore (aka Storm-842), is piggybacking off of its initial access to launch destructive campaigns of its own.
To date, Void Manticore claims to have successfully targeted more than 40 Israeli organizations, with a number of high-profile campaigns in Albania as well.
As described in a blog post from Check Point Research, the arrangement between manticores is simple, and leverages each group's strengths.
First, Scarred Manticore does the spying. Its clever, fileless Liontail malware framework allows it to quietly perform email data exfiltration, often for well over a year's time.
Then, says Sergey Shykevich, threat intelligence group manager at Check Point, "When there is some escalation, like with Mojahedin-e-Khalq (MEK) in Albania or with the war in Israel, there's some decisionmaker in the government that decides, 'Let's go burn our cyber access for espionage and instead do influence and destructive operations.' And then they pass it to the other actor, focused on the same organization."
Where Scarred Manticore is incisive and subtle, Void Manticore is loud and messy.
Part of the operation is about hack-and-leaks, where Void Manticore operates under the faketivist personas Homeland Justice, for campaigns pertaining to Albania, and Karma, for Israel.
The group's other job is sheer demolition. Using largely basic and publicly available tooling, like Remote Desktop Protocol (RDP) for lateral movement and the reGeorg Web shell, it aims for an organization's files and then starts swinging. Sometimes, this involves manually deleting files and shared drives.
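The RDP lateral movement described above leaves a trail in ordinary Windows logon auditing: each remote-desktop session shows up on the destination host as a logon event (4624) with logon type 10. The following is an added example, not code from the article or from Check Point, that groups such events by source address and flags a source that fans out to several distinct hosts inside a short window. The log records, hosts, addresses and accounts are constructed, and the comma-separated field layout is a simplification of the real event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4624 fields:
# time, destination host, source address, account, logon type
# (10 = RemoteInteractive, i.e. RDP; 2 = interactive; 3 = network). Not real telemetry.
SAMPLE_LOG = """\
2024-11-23T09:58:10Z,WS-HR-07,10.20.0.15,j.doe,2
2024-11-23T10:00:01Z,FS-01,10.20.0.44,svc_backup,10
2024-11-23T10:04:30Z,DC-02,10.20.0.44,svc_backup,10
2024-11-23T10:05:12Z,FS-01,10.20.0.44,svc_backup,3
2024-11-23T10:09:47Z,MAIL-01,10.20.0.44,svc_backup,10
2024-11-23T10:15:02Z,APP-03,10.20.0.44,svc_backup,10
2024-11-23T10:20:00Z,JUMP-01,10.20.0.9,admin.ops,10
2024-11-23T11:10:00Z,JUMP-01,10.20.0.9,admin.ops,10
2024-11-23T14:30:00Z,JUMP-01,10.20.0.9,admin.ops,10
"""


def parse_events(text: str) -> list[dict]:
    """Turn the simplified CSV lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, account, logon_type = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "source_ip": src,
            "account": account,
            "logon_type": int(logon_type),
        })
    return events


def detect_rdp_fanout(events: list[dict], threshold: int = 3,
                      window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Flag a source address that opens RDP sessions to >= threshold distinct hosts in one window.

    An admin working from a jump host hits one destination repeatedly; movement through a
    network tends to fan out across many hosts in a short period. One alert per source.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 10:          # only RemoteInteractive (RDP) logons
            by_source[ev["source_ip"]].append(ev)

    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):     # slide the window over each logon as a start point
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            hosts = sorted({e["host"] for e in in_window})
            if len(hosts) >= threshold:
                alerts.append({
                    "source_ip": src,
                    "accounts": sorted({e["account"] for e in in_window}),
                    "hosts": hosts,
                    "window_start": first["time"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_fanout(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the constructed sample, 10.20.0.44 reaches four hosts over RDP in 15 minutes and is reported, while the jump-host admin who returns to the same machine all day is not. The threshold and window are tuning knobs; in a real environment they should be set from a baseline of how many distinct hosts legitimate administrators normally touch per half hour.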
The group also has an arsenal of custom wipers, which can generally be thought of in two categories. Some are designed to corrupt specific files or file types, a more targeted approach.
Other Void Manticore wipers target the partition table, the part of the host system responsible for mapping out where files are located on the disk. Ruining the partition table leaves the data on the disk untouched yet inaccessible.
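Because a partition-table wiper leaves file contents in place and destroys only the map, an integrity check of the first few sectors is enough to tell that a disk has been hit. The following added example, not code from the article or from Check Point, builds a minimal protective-MBR plus GPT layout in memory (the toy disk image, its GUIDs and sector counts are constructed) and then validates the structures such a wiper destroys: the 0x55AA boot signature, the "EFI PART" signature and both GPT CRC32 fields, alongside a SHA-256 baseline of the table sectors that can be recorded at build time and compared on every check.

```python
import hashlib
import struct
import zlib

SECTOR = 512
TOTAL_SECTORS = 2048            # constructed toy disk: 1 MiB
ENTRY_COUNT, ENTRY_SIZE = 128, 128
TABLE_SECTORS = 34              # protective MBR + GPT header + 32 sectors of entries


def build_protective_mbr() -> bytes:
    """LBA 0: protective MBR with one type-0xEE entry and the 0x55AA boot signature."""
    mbr = bytearray(SECTOR)
    # status, CHS start, type, CHS end, first LBA, sector count
    struct.pack_into("<B3sB3sII", mbr, 446, 0x00, b"\x00\x02\x00", 0xEE,
                     b"\xff\xff\xff", 1, TOTAL_SECTORS - 1)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_partition_entries() -> bytes:
    """LBA 2..33: entry array with a single constructed 'data' partition (GUIDs are arbitrary)."""
    entries = bytearray(ENTRY_COUNT * ENTRY_SIZE)
    struct.pack_into("<16s16sQQQ", entries, 0, b"\x11" * 16, b"\x22" * 16,
                     TABLE_SECTORS, TOTAL_SECTORS - TABLE_SECTORS, 0)
    entries[56:128] = "data".encode("utf-16-le").ljust(72, b"\x00")
    return bytes(entries)


def build_gpt_header(entries: bytes) -> bytes:
    """LBA 1: GPT header; its CRC32 covers the first 92 bytes with the CRC field zeroed."""
    hdr = bytearray(SECTOR)
    struct.pack_into("<8sIII", hdr, 0, b"EFI PART", 0x00010000, 92, 0)
    struct.pack_into("<QQQQ", hdr, 24, 1, TOTAL_SECTORS - 1,
                     TABLE_SECTORS, TOTAL_SECTORS - TABLE_SECTORS)
    hdr[56:72] = b"\x33" * 16                                   # constructed disk GUID
    struct.pack_into("<QIII", hdr, 72, 2, ENTRY_COUNT, ENTRY_SIZE, zlib.crc32(entries))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr[:92])))
    return bytes(hdr)


def build_disk_image() -> bytes:
    """Whole constructed disk: table sectors followed by filler standing in for file data."""
    entries = build_partition_entries()
    table = build_protective_mbr() + build_gpt_header(entries) + entries
    payload = b"\xab" * ((TOTAL_SECTORS - TABLE_SECTORS) * SECTOR)
    return table + payload


def check_partition_table(image: bytes) -> dict:
    """Validate the on-disk structures a partition-table wiper hits."""
    mbr, hdr = image[:SECTOR], image[SECTOR:2 * SECTOR]
    result = {
        "mbr_signature_ok": mbr[510:512] == b"\x55\xaa",
        "protective_mbr_ok": mbr[450] == 0xEE,          # type byte of the first MBR entry
        "gpt_signature_ok": hdr[:8] == b"EFI PART",
        "gpt_header_crc_ok": False,
        "gpt_entries_crc_ok": False,
    }
    if result["gpt_signature_ok"]:
        header_size, stored_crc = struct.unpack_from("<II", hdr, 12)
        if 92 <= header_size <= SECTOR:                 # reject absurd sizes before hashing
            scratch = bytearray(hdr[:header_size])
            scratch[16:20] = b"\x00\x00\x00\x00"
            result["gpt_header_crc_ok"] = zlib.crc32(bytes(scratch)) == stored_crc
        entries_lba, count, size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
        start = entries_lba * SECTOR
        result["gpt_entries_crc_ok"] = zlib.crc32(image[start:start + count * size]) == entries_crc
    result["healthy"] = all(result.values())
    return result


def table_fingerprint(image: bytes) -> str:
    """SHA-256 of the 34 table sectors: record at baseline, compare on each later check."""
    return hashlib.sha256(image[:TABLE_SECTORS * SECTOR]).hexdigest()


if __name__ == "__main__":
    image = build_disk_image()
    baseline = table_fingerprint(image)
    print("intact:", check_partition_table(image))
    # Constructed damage: the first two sectors zeroed; every file-data byte past the table is untouched.
    damaged = b"\x00" * (2 * SECTOR) + image[2 * SECTOR:]
    print("damaged:", check_partition_table(damaged))
    print("fingerprint drift:", table_fingerprint(damaged) != baseline)
```

The damaged image in the demonstration keeps every byte beyond the table sectors identical to the intact one, which is exactly the situation the article describes: the data is still there, but nothing can find it. On a real system the same checks would be run against the raw block device (and against the backup GPT header at the last LBA, which this toy layout omits), and a fingerprint mismatch would feed an alert rather than a print statement.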
Organizations on the receiving end of Iranian state-level attacks might find it extra challenging to defend against two different threat actors, each with their own tools, infrastructure, tactics, techniques, and procedures (TTPs). "It's a new phenomenon," Shykevich admits, "so I don't think anyone has really thought deeply about this yet."
The easier path may be to focus on the initial threat, despite its greater sophistication, because espionage campaigns typically take far longer than destructive ones. Once someone encounters the destructive actor, they must operate immediately. "We've seen when the destructive actor receives access to the network, it operates almost immediately. So the timeframe, from the handoff between these two actors before the destruction starts, is very small," he says.
There are also simple defenses any organization can prepare to keep out either group. Void Manticore's simplistic TTPs, for one, can generally be blocked with competent endpoint security.
Even Scarred Manticore's stealthy espionage can be cut off early, at the source. In most cases, it begins its attacks by exploiting CVE-2019-0604, a critical but half-decade-old Microsoft SharePoint vulnerability. "So it's preventable," Shykevich says. "It's not like it's a zero-day, or some other thing where there's zero means to prevent it."
