Produced by PI Media. Hi, I'm Ran Levi. Welcome to CPRadio. In the wake of the terrorist attack on October seventh, which claimed the lives of around one thousand two hundred civilians in Israel and led to the capture of over two hundred more, Iran, which provides support for Hamas as well as related terrorist outfits like Hezbollah in Lebanon and the Houthis in Yemen, has over and over threatened to get involved. Its Minister of Foreign Affairs has spoken about how "if the Zionist aggressions do not stop, the hands of all parties in the region are on the trigger," and "expansion of the scope of the war has become inevitable." With the prospect of a wider war, the spotlight has turned to Iran's military capabilities. Though its army isn't so feared, its nuclear capabilities are, and even before all that, history shows it might choose to utilize the power of cyber attacks. For years now, Iran's state-sponsored hackers have been some of the most prolific in the world, but prolific does not necessarily mean sophisticated. Its attacks haven't quite impressed in the way that the US, Russia and China's do; they are more comparable, perhaps, to lesser powers like North Korea and Azerbaijan.

Consider, for example, the group Check Point tracks as Scarred Manticore. Since 2019, Scarred Manticore has been carrying out espionage campaigns in countries largely concentrated in the Middle East, sometimes successfully, but using backdoors that don't look so different from what you'd see with non-state-sponsored cybercriminal groups. Some of them appear to be modified versions of publicly available tools. Amitai Ben Shushan Ehrlich is the threat intelligence analysis team lead at Check Point Research.

One of them is the Tunna webshell, which is used to tunnel traffic over a webshell, over HTTP.

Tunna was Scarred Manticore's first known tool. You can download it yourself from GitHub. Hundreds of people have already. According to its creator, it enables a red teamer or hacker to wrap and tunnel their TCP Internet traffic, hence the name Tunna, bypassing network protections in firewalled environments.

And as we deep-dived into the evolution of this specific Tunna webshell, we saw that they implemented their own mechanisms into it and slowly started giving it their own versioning and embedding additional functionalities within it.
As Scarred Manticore iterated on Tunna in bits and pieces over time, it began to look different enough to be considered its own malware. Check Point named the modified Tunna backdoor FoxShell. FoxShell became a favorite go-to weapon.

Over time, it turned into a very unique backdoor, a very unique webshell, that was also used in attacks against Albania, as reported by CISA. We were also able to tie some of the webshells and internal DLLs that are used as resources in it to another backdoor that was used in the Middle East called the SDD backdoor, a backdoor that was used in targeted attacks in Saudi Arabia. It seems it was analyzed by a Saudi researcher that we reference in the report, and most recently it was tied to a sophisticated implant called WinTapix, which is a driver-based implant that was reported by Fortinet, showing the evolution. You know, we started from this open-source webshell, Tunna, slowly turning it into something custom, adding more functionalities, embedding internal resources. Then we see the backdoor, the SDD vector, and then the WinTapix driver actually takes the best of both worlds and embeds them into this sophisticated implant that utilizes the driver to inject code and hide functionalities.

FoxShell was, in retrospect, a harbinger of things to come. Whereas the Iranian threat actor started off at a level akin to ordinary cybercriminal groups, here they were demonstrating that they could distinguish their work, that they could create a unique and powerful malware tool capable enough to be used in successful campaigns across a number of countries. And then, just recently, Iran arguably truly announced itself as a global cyber power. In a campaign recently uncovered by three cybersecurity groups, Check Point, Sygnia and Cisco Talos, Scarred Manticore unleashed tools and tactics unlike anything we've seen from the Islamic Republic before. If before they were at the kids' table, this latest campaign suggests that they might have just moved up.

The story of this campaign begins with a dynamic link library, or DLL. DLLs are shared libraries, groupings of code stored in memory that can be invoked by any given application. They're terribly useful, since there are certain things lots of programs need to be able to do, and it wouldn't be all that efficient if every one of them needed the code to do it. It's like how every person needs to be able to use the bathroom, but not every person in your office needs their own individual bathroom, as much as I'd love my own office bathroom. By having a couple that everyone shares, you save a massive amount of square footage and everybody still gets to poop. Plus, it's much easier for the janitor to replace the soap or toilet paper if he doesn't have to run around doing it in twenty different bathrooms. DLLs are useful and utterly normal on every PC. But the DLL Amitai and his colleagues were facing was not your average file.

So when we came across the DLL, it was very strange to us. It was located in System32, which is a legitimate path, inside the folder System32. The DLL file names themselves also seemed rather ordinary. There was wlbsctrl.dll and wlanapi.dll. WLAN, of course, is very basic and ubiquitous Wi-Fi technology.

In other words, these were the kinds of folders and files you find everywhere on any PC.
Usually, if you're looking for something in particular, like malware, you'll scroll past them without thinking twice.

And as we deep-dived into the artifacts related to what we found, we saw that the DLLs really were sideloaded by a legitimate service.

A sideloaded DLL. This is something you hear a lot about nowadays, but it wasn't always so. For years, when they wanted to load malware on your computer, hackers sent Microsoft Office files, Word documents, Excel files and so on, containing malicious macros, which are shortcuts for running custom code. If you okay the macros in a phishing file, you open the window for hackers to plant, say, a malware loader on your computer, which could retrieve and execute a backdoor, ransomware, or anything else you can imagine. But in the episode "How Microsoft Changed Cyberspace with One Decision," we discussed on this podcast how, after years of macro abuse, Microsoft decided to block Internet-downloaded macros by default. Hackers now needed new ways to get malware on your machine. One of the most popular alternatives they've since landed on is DLL sideloading. Instead of a file hiding malware, the attacker sends the victim a legitimate program with an illegitimate DLL. Any executable program will come with a manifest, a kind of rule book that specifies which DLLs will load and in what order. If these instructions aren't specific enough, though, hackers can take advantage, sneaking their dirty code inside of a DLL that basically fits the bill. So you're running a totally normal software program, but unbeknownst to you or your computer, the program loads an attacker's malware. In this case, Scarred Manticore did one better, taking advantage of the absence of certain DLLs in certain Windows Server OS versions. So a program that looks to invoke the DLL in question shouldn't find it in such distributions, but in this case it thinks it does, and it's the attacker's code. This required an intimate knowledge of the operating system to a degree not many people anywhere really have.

At this point, I think we realized that this was a very unique kind of attack, and a very sophisticated one.

But this was only the very beginning of the attack. Even more sophisticated tricks were yet to come.

When we looked into the DLL itself, like, after we understood how it was loaded and how the attack was carried out, we also saw that it uses some interesting features that are undocumented in the Windows operating system.

Again, the attackers were toying not with ordinary software, but with the fundamental functions of the OS itself. If a Windows PC were the Earth, they were way, way below the surface, digging at its core. More specifically, it was using undocumented calls of the HTTP.sys driver, which is the Windows driver that handles all the incoming HTTP requests for Windows servers.

The way that it happens in the background is that it actually calls internal functionalities of the operating system that are not supposed to be used by users like me and you. Even programmers shouldn't access those kinds of functionalities directly.

To reiterate: not only were Scarred Manticore manipulating HTTP.sys, a kernel-level driver that nobody, even programmers, is supposed to touch, but they were engaging with undocumented features within it. Totally unprecedented stuff.

Because this kind of method, specifically involving the HTTP.sys driver, was never observed in the wild, and we had to try to understand ourselves how it works and what happens, because it's not documented anywhere. It's not a legitimately documented functionality of this driver.

Specifically, the malware utilized device input and output controls, or IOCTLs, which enable an application to interface directly with a driver. The attackers had absolutely no business knowing about the HTTP.sys IOCTLs, and it allowed their malicious code to skip anything in between them and this kernel-level driver. This direct line to the heart of a PC was just powerful. It made the attack substantially more difficult to identify and root out.

Usually, security measures are monitoring the legitimate kinds of calls, the API calls, for such things, so an advanced attacker usually tries to go lower in the operating system, to try to utilize those kinds of functionalities that are not legitimate and shouldn't be used by normal users.

If you're not yet convinced how cutting-edge this attack path was, here's something to consider. We don't even know how they did all this. After all their investigating, in collaboration with a second cybersecurity company as well, Amitai and his colleagues can only take guesses at how Scarred Manticore managed to get that kind of access and do what they did.
It's quite hard to tell what was the process behind it, but they would eventually need to either reverse engineer the driver itself to understand the undocumented functionalities in it, which would require knowledge and understanding of reverse engineering, or they could do some trial and error, which is less likely to be successful. The way that they carried it out suggests that they knew exactly what they were doing, so I would assume they probably had to reverse engineer some of the Windows driver.

Amid all this groundbreaking technical wizardry, you might have forgotten that we haven't even gotten to what the hackers' malware actually did yet. It, too, did something novel. Picture a bit of malware latching onto the HTTP.sys driver like a parasite.

By utilizing the HTTP.sys driver, they were intercepting incoming connections.

The parasitic malware, placed just above the driver, intercepted incoming HTTP traffic, so if a user, say, visited a website, the malware was the first to know about it. The point of this, though, was to listen for a very particular request, a request with a specific URL prefix defined by the attackers. If such a URL was invoked, the malware would intercept the message, decode it, and...

From the HTTP requests initiated by the attackers, they extracted payloads and, in memory, they decrypted those and loaded a set of shellcodes which appeared to be part of a larger framework of malware that we dubbed LionTail.

LionTail is the name we'll use to describe the whole category of malware used in this campaign, from the payload loader to the many other tools it contained therein.

Using this framework, they could carry out a lot of kinds of activities.
We've seen them do credential harvesting, we've seen them do reconnaissance. We saw them use this framework to run commands, running commands, uploading and downloading files, and various other info-stealing-related activities like credential harvesting and lateral movement over the target network.

And, being a framework, LionTail contained some parts it could invoke or ignore based on the system it was running on.

For example, one of the backdoors that we reported on is something that we call LionHead, which is some sort of web forwarder that is installed on Exchange servers, and what it does is actually utilize the same functionality of the HTTP.sys driver to forward incoming requests to specific Exchange endpoints.

Essentially, LionHead was to email what the LionTail backdoor we described was to HTTP.

And by doing so, it allows the threat actor to easily download mails.

The robustness of LionTail and the remarkable means Scarred Manticore used to plant it on target systems allowed the group to run through some serious victims. The campaign included attacks across Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia and the United Arab Emirates.

Each one of the targets was extremely interesting and very relevant to the Iranian cause. We're seeing governmental organizations, we're seeing military organizations, and we're seeing a lot of telecommunications organizations that are targeted by Scarred Manticore. This is very telling of their goals of collection and espionage.

It's not yet known what the group might have stolen from any one of these targets, but these details are almost beside the point.

Some of those targets were interesting also in that aspect, that you wouldn't think it's very easy to infiltrate those kinds of organizations. I'm sure it wasn't easy, but those guys managed to do so, which indicates how good they are.

Scarred Manticore is now very sophisticated, and that in itself has broader implications.

I've been looking at Iranian threat actors for quite some time, and I could say that the evolution of Scarred Manticore specifically is worrying, in the sense that they are starting to create, like, custom tools that are not trivial. Even if Iranian actors in the past have created their own tools, they were always, you know, a little bit more of the same. You had backdoors that are more sophisticated; some of them started to use, like, emails as an exfiltration channel in the more sophisticated ones. But seeing this actor utilize undocumented functionalities of drivers, for example, is something that I haven't seen personally in any Iranian group. And considering the fact that we see where it started in 2019, from an open-source webshell, to where it is today, that's quite a thing to consider.

In only four years, Scarred Manticore went from forgettable to groundbreaking. The impact that could have on the cybersecurity landscape, and on geopolitics more generally, is significant.

Because it's not like we're only talking about webshells here; we have evidence that in the past their access was actually utilized to conduct destructive attacks.

Certain weapons in Scarred Manticore's toolset overlap with those used by the Iranian state hackers known as Homeland Justice in a campaign against Albania in May of. That case might have appeared like espionage at first, as the attackers spent over a year moving within their target networks and exfiltrating sensitive data, but then, all at once, they deployed ransomware and wiper malware, taking down government websites and services, posting political messages and leaking sensitive data.

Even those kinds of stealthy, espionage-motivated threat actors sometimes utilize their access for destructive means. And that's important to remember, because the fact that this threat actor has been in your network and collected information for a certain period of time does not mean that one day it won't exploit its access to your network and, like, start deploying wipers and ransomware. And we actually have seen some indications that this is happening in Israel as well. We haven't covered it in the report yet, but we do know that some of the confirmed Scarred Manticore victims experienced destructive attacks in Israel, wiper attacks and leakage, in some cases using some fake personas.

As Iran lobs cyber bombs into Israel and the rest of the Middle East, everybody will be forced to take notice, or else.

I think a lot of researchers don't fully understand the evolution that we're seeing from Iranian actors over the last few years. In the realm of, like, the Big Four, like Iran, North Korea, Russia and China, Iran has always been looked at as, like, the kitten, the non-harming, very simple, very unsophisticated threat actor, which was true at a certain point, but I think this one, Scarred Manticore, completely changes that. I think in certain aspects it's more sophisticated than a lot of Chinese, Russian or North Korean actors that I've analyzed in the past, and that's important to remember. Like, a lot of times I had this debate with my friends over the term APT, like advanced persistent threat, which turned into a name for any state-sponsored actor in the cyber threat intelligence field, but originally meant, like, very advanced attackers. And my friends who aren't really deep into intelligence are like, you can't call Iranian actors APTs because they're not really advanced, and I think this one completely shatters this perception of Iranian actors.

That's it for this episode. Thank you for listening. For past episodes, visit Check Point Research's blog at research.checkpoint.com, and you can follow Check Point Research on there, or follow me at @RanLevi. That's R-A-N-L-E-V-I. CPRadio is produced by PI Media, written by Nate Nelson, produced by Hila Shemish, and edited and narrated by Ran Levi. See you next time. Bye bye.
