The Israeli cybersecurity firm Check Point recently discovered a cyber espionage campaign waged by threat actors tied to Iran’s Ministry of Intelligence and Security (MOIS).
These attacks come as the war in Israel rages on: militant hacktivist activity has ramped up, and hackers are launching more brazen attacks than ever. The threat actor, dubbed “Scarred Manticore,” carried out malware attacks in several Middle Eastern countries, including Saudi Arabia, Israel, the United Arab Emirates, and Iran.
The attackers take control of public-facing Windows servers, breaking in by various means. Once inside, they deploy malware that lets them steal data from the host.
“Instead of using the HTTP API, the malware uses IOCTLs to interact directly with the underlying HTTP.sys driver,” the researchers explain.
Each server implant is tailor-made for its target, which stands out even among advanced hackers. The attacks were methodical and preyed on the individual vulnerabilities of each server.
“This approach is stealthier as it doesn’t involve IIS or HTTP API, which are usually closely monitored by security solutions, but is not a straightforward task given that the IOCTLs for HTTP.sys are undocumented and require additional research efforts by the threat actors.”
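Because the implant described above bypasses IIS and the HTTP API, a defender's best vantage point is HTTP.sys itself: whatever registers a URL prefix still has to own a request queue the kernel driver knows about. The following is an added example (not Check Point's code) that triages those request queues against their owning processes; it assumes the analyst has already exported the URL prefixes and owner PIDs HTTP.sys reports (for instance from `netsh http show servicestate`) and a process list into simple records, and the sample data is constructed.

```python
# Added example, not Check Point's code: triage HTTP.sys request queues by
# owning process. Assumption: the URL prefixes/owner PIDs HTTP.sys reports
# (e.g. `netsh http show servicestate`) and a process list were exported.
from dataclasses import dataclass
# Images that normally consume HTTP.sys through the HTTP API on a Windows
# server (assumption: replace with the host's own baseline).
KNOWN_HTTP_CONSUMERS = {"w3wp.exe", "svchost.exe", "system"}

@dataclass(frozen=True)
class RequestQueue:
    urls: tuple  # URL prefixes routed to this queue
    pid: int     # owning process id

@dataclass(frozen=True)
class Process:
    pid: int
    image: str   # executable name

def find_suspicious_queues(queues, processes, known=KNOWN_HTTP_CONSUMERS):
    """Return (queue, process or None, reason) tuples worth triage."""
    by_pid = {p.pid: p for p in processes}
    owners = {u.lower(): q.pid for q in queues for u in q.urls}
    findings = []
    for q in queues:
        proc = by_pid.get(q.pid)
        if proc is None:
            findings.append((q, None, "owner PID missing from process list"))
        elif proc.image.lower() not in known:
            findings.append((q, proc, f"unexpected HTTP.sys consumer {proc.image}"))
        # Nested prefix: HTTP.sys routes that sub-path to a process other than the site owner.
        for u in q.urls:
            parents = [o for o, pid in owners.items()
                       if pid != q.pid and u.lower().startswith(o)]
            if parents:
                findings.append((q, proc, f"{u} nested under {parents[0]} "
                                          f"owned by pid {owners[parents[0]]}"))
    return findings

# Constructed sample host state (not real observations).
SAMPLE_QUEUES = [
    RequestQueue(("http://+:80/", "https://+:443/"), 4120),  # IIS worker
    RequestQueue(("http://+:5985/wsman/",), 1488),           # WinRM
    RequestQueue(("https://+:443/owa/auth/x/",), 7732),      # unexpected
]
SAMPLE_PROCESSES = [
    Process(4120, "w3wp.exe"),
    Process(1488, "svchost.exe"),
    Process(7732, "updater.exe"),
]
```

Run against the constructed sample, the third queue is reported twice: its owner is not a known HTTP API consumer, and its prefix sits beneath the IIS worker's `https://+:443/` registration.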
The attacks and methods resemble those of the Iranian nation-state group OilRig, which ran an eight-month campaign against a country in the Middle East between February and September 2023.
There is also overlap with Shrouded Snooper, a group that attacks telecom companies in the Middle East using a tool called HTTPSnoop. Parts of the group’s malware framework, LIONTAIL, used HTTPSnoop (as well as FOXSHELL, the SDD backdoor, and WINTAPIX drivers) to carry out the attack.
The hacks threaten to worsen an already precarious situation. State-backed hackers attempting to change global perceptions of the conflict can undermine government action and rile people up.
Nations around the world are racing to improve their cybersecurity defenses, as massive attacks like this continue to ramp up internationally.