
MOIS Affiliated Threat Actor Using Liontail Framework

Written by The Hivemind | Nov 6, 2023 5:58:47 PM

Verticals Targeted: Government, Defense, Telecommunications, Finance, NGO, IT services  

Executive Summary

Scarred Manticore, a threat actor group associated with Iran’s MOIS, was observed using Liontail framework in an espionage campaign. 

Key Takeaways

  • Scarred Manticore, a threat actor group associated with Iran’s MOIS, was observed using the Liontail framework in an espionage campaign.
  • The threat actors were targeting government, military, telecommunications, IT services, financial, and NGO entities in the Middle East.
  • Liontail is an advanced passive malware framework that is installed on Windows servers and delivered through custom loaders.
  • Liontail includes a backdoor component.

What is Liontail?

Check Point Research recently reported on an Iran-nexus threat actor group affiliated with MOIS (Iran's Ministry of Intelligence and Security) using the Liontail framework to target government, military, telecommunications, IT services, financial, and NGO entities in the Middle East. The espionage campaign has been active for at least a year and peaked in mid-2023.

Liontail is an advanced passive malware framework that is installed on Windows servers and delivered through custom loaders. To maintain stealth, Liontail implants use direct calls to HTTP.sys, the Windows HTTP stack driver, to receive incoming HTTP requests (sharing the server's existing HTTP ports rather than opening a new listening socket) and to load memory-resident payloads extracted from that traffic. The implants observed suggest the threat actors generate a tailor-made implant for each compromised server so that malicious activity blends in with legitimate network traffic. The Liontail backdoor component is written in C.
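
Because an HTTP.sys-backed implant never opens its own socket, `netstat` shows only the normal `System` listener on 80/443. A more useful hunting check is to enumerate which processes have registered URL prefixes with HTTP.sys (`netsh http show servicestate`) and flag any that are not the expected web-server binaries. The script below is an added example, not PolySwarm's or Check Point's code: it parses the "Request queues" section of that netsh output and reports prefixes served by unexpected images. The sample netsh text, the PID-to-image map, the allowlist and the `svc_update.exe` / `/api/v1/status/` values are all constructed for illustration, and keying on the "Request queue name:", "Process IDs:" and "Registered URLs:" lines is an assumption about the netsh layout on your Windows build.

```python
"""Flag HTTP.sys URL prefixes registered by processes other than the expected
web-server binaries, from the text output of `netsh http show servicestate`.

Added example (not PolySwarm's or Check Point's code). Sample data below is
constructed and abbreviated; the parser keys on the "Request queue name:",
"Process IDs:" and "Registered URLs:" lines, which is an assumption about the
netsh output layout.
"""
import re
import subprocess

# Constructed, abbreviated `netsh http show servicestate` output.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:5985/WSMAN/

Request queues:
    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            1304
        URL groups:
        URL group ID: FE00000040000001
            State: Active
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:5985/WSMAN/
    Request queue name: DefaultAppPool
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            4120
        URL groups:
        URL group ID: FE00000040000002
            State: Active
            Number of registered URLs: 2
            Registered URLs:
                HTTP://*:80/
                HTTPS://*:443/
    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            6712
        URL groups:
        URL group ID: FE00000040000003
            State: Active
            Number of registered URLs: 1
            Registered URLs:
                HTTPS://*:443/api/v1/status/
"""

# Constructed PID -> image map; on a live host build it from `tasklist /fo csv`.
SAMPLE_PROCESSES = {1304: "svchost.exe", 4120: "w3wp.exe", 6712: "svc_update.exe"}

# Images that legitimately register HTTP.sys prefixes on a typical IIS host
# (assumed allowlist; tune it to the host's real role).
EXPECTED_IMAGES = {"w3wp.exe", "svchost.exe", "system", "inetinfo.exe"}


def parse_request_queues(text):
    """Return [{'name', 'pids', 'urls'}, ...] from the 'Request queues:' section."""
    queues, current, mode, in_queues = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Request queues:":
            in_queues = True
            continue
        if not in_queues or not line:
            mode = None
            continue
        if line.startswith("Request queue name:"):
            current = {"name": line.split(":", 1)[1].strip(), "pids": [], "urls": []}
            queues.append(current)
            mode = None
        elif line == "Process IDs:":
            mode = "pids"                      # following indented lines are PIDs
        elif line == "Registered URLs:":
            mode = "urls"                      # following indented lines are prefixes
        elif mode == "pids" and line.isdigit():
            current["pids"].append(int(line))
        elif mode == "urls" and re.match(r"https?://", line, re.I):
            current["urls"].append(line)
        else:
            mode = None                        # any other line ends the list
    return queues


def find_suspicious_registrations(queues, processes, expected=EXPECTED_IMAGES):
    """Return (url, pid, image) for prefixes served by an unexpected or unknown image."""
    hits = []
    for q in queues:
        for pid in q["pids"]:
            image = processes.get(pid, "<unknown>")
            if image.lower() not in expected:
                hits.extend((url, pid, image) for url in q["urls"])
    return hits


def live_servicestate():
    """On a Windows host, return the real netsh output (not used offline)."""
    return subprocess.run(["netsh", "http", "show", "servicestate"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    queues = parse_request_queues(SAMPLE_SERVICESTATE)
    for url, pid, image in find_suspicious_registrations(queues, SAMPLE_PROCESSES):
        print(f"SUSPICIOUS {url} pid={pid} image={image}")
```

A hit is a starting point, not a verdict: a rogue prefix registered by a non-IIS process on an Exchange or IIS server is worth dumping the process memory for, since Liontail's payloads are memory-resident and leave little on disk.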

Liontail does not appear to overlap with any other known malware family. However, other tools used in the campaign appear to overlap with previously reported activities associated with OilRig.

Who is Scarred Manticore?

Scarred Manticore, active since at least 2019, is a threat actor group thought to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). They are known to conduct espionage operations, pursuing high-value targets. Scarred Manticore TTPs include the use of IIS-based backdoors, web shells, custom DLL backdoors, and driver-based implants. The threat actor group’s sophistication appears to have evolved over time.

Check Point Research noted Scarred Manticore may be linked to OilRig (APT34, Helix Kitten). Some of the tools associated with Scarred Manticore potentially overlap with MOIS-sponsored destructive attacks against Albanian government entities, tracked under the DEV-0861 designation.

IOCs

PolySwarm has multiple samples associated with Liontail.


f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596

4f6351b8fb3f49ff0061ee6f338cd1af88893ed20e71e211e8adb6b90e50a3b8

f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d

8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330

9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb

1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb


You can use the following CLI command to search for all Liontail samples in our portal:

$ polyswarm link list -f Liontail


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.