threat_intelligence475 wordsRead on Arc Codex

Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks

An Iran-linked advanced persistent threat (APT) actor has been using a modular command-and-control (C&C) framework in recent attacks targeting organizations in Israel, Check Point reports. Tracked as Cavern Manticore, the APT focuses on government entities and IT providers, and appears linked to Iran’s MOIS (Ministry of Intelligence and Security), with possible ties to the OilRig subgroup Lyceum (also known as Hexane and SiameseKitten). Cavern Manticore’s C&C framework includes an adaptable toolset built using .NET, with various compilation formats used across components, used as an anti-analysis layer. “This is not obfuscation in the traditional sense; there is no packer, no control-flow flattening, and no string encryption anywhere in the framework. Instead, the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain and a different workflow, and the analyst has to context-switch between them across components,” Check Point notes. The components are used as agents and modules, separating core communication functionality from post-compromise capabilities and allowing the attackers to tailor deployments per-victim and extend their access to the compromised environments. The infection chain begins with the abuse of SysAid’s software update feature to sideload a WinDirStat DLL, which leads to the execution of the Cavern agent. After establishing command-and-control (C&C) communication, the agent fetches additional modules based on commands received from the operator. Dedicated modules support file operations, database enumeration and manipulation, LDAP brute-force, network reconnaissance and SMB brute-force, and SOCKS5 proxy and WebSocket/WSS tunneling. The agent uses both managed and native modules. The agent isolates each module into its dedicated AppDomain, which is terminated after the module is unloaded, removing them from memory to eliminate analyzable assembly artifacts. Additionally, the agent deletes all files and subdirectories in the working directory, except the communication module, config file, and log files. According to Check Point, the Cavern framework was likely built using an AI model, but code comments and typos, as well as hand-picked names and various inconsistencies between modules, suggest a human was significantly and substantively involved in the development process. As part of observed intrusions against Israeli targets, the APT used remote monitoring and management (RMM) solutions for lateral movement between victims. It also used browser-based remote desktop technologies to access victims’ environments and built-in features such as remote printing for data exfiltration. “Recent campaigns suggest that the threat actor possesses a strong understanding of the complex IT supplier chains within Israel’s cyber ecosystem. In several cases, we observed evidence of the actor moving from an initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization,” Check Point notes. Related: Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack Related: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers Related: Iranian APT Targets Aviation, Software Companies With Updated Tools Related: Iranian APT Intrusion Masquerades as Chaos Ransomware Attack

How it works

Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content — general knowledge won't be enough. Score 70+ to count toward your certificate.

Questions are cached — you'll always get the same 5 for this article.