Iranian APT Group Utilize IIS-based Backdoors to Compromise Windows servers

by Esmeralda McKenzie
IIS-based Backdoors

A new threat actor found to be associated with Iran’s Ministry of Intelligence and Security (MOIS) has been observed conducting cyberespionage campaigns. Its targets are the government, military, financial, and telecommunication sectors in the Middle East.

This threat actor is tracked under the name Scarred Manticore and closely overlaps with two other threat actors, Storm-0861 and OilRig. Furthermore, its victims have been reported in several countries, such as Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.

LIONTAIL Framework

For its malware activities, Scarred Manticore uses the novel malware framework LIONTAIL. This framework consists of a set of custom shellcode loaders, memory-resident shellcode payloads, and a backdoor written in C.

This backdoor is installed on Windows servers and enables the threat actors to execute remote commands through HTTP requests. Additionally, the backdoor sets up listeners for the list of URLs provided in its configuration and executes payloads from requests sent by the threat actors to those specific URLs.
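One defensive consequence of the behaviour described above is that a backdoor listening on configured URLs will answer requests for paths the application itself never served. The following is an added detection example, not code from the article or from Check Point Research: it parses IIS W3C extended log lines (a constructed sample, with made-up addresses and paths) and flags successful requests to URL stems outside an allowlist of routes the application is known to serve. The `#Fields:` header layout, the allowlist, and the sample records are all assumptions for illustration.

```python
"""Flag successful HTTP requests to URL paths an IIS application is not known to serve.

Added illustrative example, not code from the article or from Check Point Research.
Assumptions: IIS logs in the default W3C extended format with a '#Fields:' header,
and an allowlist of URL stems the application legitimately serves.
"""
from dataclasses import dataclass
from typing import Iterable, List

@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri_stem: str
    status: int

# Constructed sample log; addresses and paths are made up for this example.
# IIS replaces spaces inside a field (e.g. the User-Agent) with '+', so the
# records can be split on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-11-01 10:00:01 10.0.0.5 GET /index.html - 443 203.0.113.7 Mozilla/5.0+(Windows) 200
2023-11-01 10:00:07 10.0.0.5 POST /api/login - 443 203.0.113.7 Mozilla/5.0+(Windows) 200
2023-11-01 10:00:12 10.0.0.5 GET /missing.aspx - 443 203.0.113.9 Mozilla/5.0+(Windows) 404
2023-11-01 10:00:20 10.0.0.5 POST /images/sync.aspx - 443 198.51.100.4 Mozilla/5.0+(Windows) 200
2023-11-01 10:00:25 10.0.0.5 POST /images/sync.aspx - 443 198.51.100.4 Mozilla/5.0+(Windows) 200
"""

# Assumed allowlist: the URL stems this application is known to serve (lower-case).
KNOWN_STEMS = {"/index.html", "/api/login"}

def parse_w3c(lines: Iterable[str]):
    """Yield one dict per record, keyed by the names in the most recent '#Fields:' header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or records before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))

def find_unknown_served_paths(log_text: str, known_stems, success_statuses=range(200, 300)) -> List[Hit]:
    """Return requests that succeeded (2xx) for a URL stem outside the allowlist.

    A 404 for an unknown path is normal scanning noise; a 2xx for a path the
    application does not serve means something else answered the request.
    """
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        status = int(rec.get("sc-status", "0"))
        stem = rec.get("cs-uri-stem", "").lower()
        if status in success_statuses and stem not in known_stems:
            hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-method"], stem, status))
    return hits

def count_by_client_and_path(hits: List[Hit]):
    """Aggregate hits so repeated use of one unexpected path by one client stands out."""
    counts = {}
    for h in hits:
        key = (h.client_ip, h.uri_stem)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (ip, stem), n in count_by_client_and_path(
            find_unknown_served_paths(SAMPLE_LOG, KNOWN_STEMS)).items():
        print(f"{ip} -> {stem}: {n} successful request(s) to a path not in the allowlist")
```

One caveat, stated as an assumption rather than something the article confirms: if a listener registers its URLs with the kernel HTTP stack directly rather than through an IIS worker process, those requests may never reach the IIS log at all. In that case the log-based check above is blind, and the URL registrations themselves should be reviewed (on Windows, `netsh http show servicestate` lists them) against the set the server is expected to have.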

LIONTAIL Framework (Source: Check Point Research)

Active Since 2019

This threat actor has been active since at least 2019. It has deployed several tools on compromised internet-facing Windows servers belonging to organizations in the Middle East region.

Furthermore, its toolset appears to have gone through significant development: it started as an open-source-based, web-deployed proxy and has evolved into a diverse and robust toolset that makes use of both custom-written and open-source components.

Evolution of the toolset since 2019 (Source: Check Point Research)

A complete report about this threat actor has been published by Check Point, which offers detailed information about the threat actor’s behavior, code analysis, initial access, C&C communication, attack methods, and other details.

Indicators of Compromise

  • daa362f070ba121b9a2fa3567abc345edcde33c54cabefa71dd2faad78c10c33
  • f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596
  • 2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838
  • 67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542
  • 4f6351b8fb3f49ff0061ee6f338cd1af88893ed20e71e211e8adb6b90e50a3b8
  • f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
  • 1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e
  • 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
  • c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0
  • 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb
  • e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d
  • a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b
  • 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c
  • 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605
  • 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7
  • 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb
  • b71aa5f27611a2089a5bbe34fd1aafb45bd71824b4f8c2465cf4754db746aa79
  • da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
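To put the indicator list above to use, a defender typically hashes files on suspect servers and compares the digests against it. The following is an added example, not code from the article or from Check Point Research. It assumes the 64-hex-character values listed above are SHA-256 digests (the article does not name the algorithm); the indicators themselves are copied from the list as published.

```python
"""Sweep a directory tree for files whose SHA-256 matches a published indicator list.

Added illustrative example, not code from the article or from Check Point Research.
Assumption: the 64-hex-character indicators in the article are SHA-256 digests
(the article does not state the algorithm).
"""
import hashlib
import os
import sys
from pathlib import Path

# Indicators as published in the article; compared case-insensitively.
PUBLISHED_IOCS = {
    "daa362f070ba121b9a2fa3567abc345edcde33c54cabefa71dd2faad78c10c33",
    "f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596",
    "2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838",
    "67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542",
    "4f6351b8fb3f49ff0061ee6f338cd1af88893ed20e71e211e8adb6b90e50a3b8",
    "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d",
    "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e",
    "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330",
    "c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0",
    "9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb",
    "e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d",
    "a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b",
    "7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c",
    "6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605",
    "3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7",
    "1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb",
    "b71aa5f27611a2089a5bbe34fd1aafb45bd71824b4f8c2465cf4754db746aa79",
    "da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999",
}

def sha256_file(path, chunk_size=1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root, iocs=PUBLISHED_IOCS) -> dict:
    """Return {path: digest} for every regular file under root whose SHA-256 is in iocs."""
    wanted = {h.lower() for h in iocs}
    matches = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or locked file; skip and keep sweeping
            if digest in wanted:
                matches[str(p)] = digest
    return matches

if __name__ == "__main__":
    # Usage: python sweep.py <directory>  (defaults to the current directory)
    for path, digest in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"MATCH {digest} {path}")
```

Hash matching only finds files identical to the published samples; the memory-resident payloads described earlier never touch disk in that form, so a clean sweep does not rule out compromise and should be paired with the log and listener checks above.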

Source credit : cybersecuritynews.com
