The Mantis threat group (Arid Viper/Desert Falcon) continues targeting Palestinian organizations with a refreshed toolset and a persistent presence across networks. The campaign centers on updated Micropsia and Arid Gopher backdoors, credential theft, and data exfiltration, with a multi-variant approach to avoid disruption. #Mantis #AridViper #DesertFalcon #PalestinianTargets #Micropsia #AridGopher
Keypoints
- The Mantis group has been active since at least 2014 (some sources suggest 2011).
- Targets span multiple Middle Eastern sectors, including government, military, financial, media, education, energy, and think tanks.
- The latest campaign focused on Palestinian territories, beginning in Sept 2022 and continuing at least through Feb 2023.
- Attacks rely on updated Micropsia and Arid Gopher backdoors to compromise hosts, followed by credential theft and data exfiltration.
- Three distinct toolset variants were deployed on three groups of computers within one organization to maintain persistence if one variant was discovered.
- Micropsia is executed via PowerShell, uses WMI, and can take screenshots, capture keystrokes, and archive files for exfiltration.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Used spear-phishing emails to lure targets into installing malware on their devices. ‘The group is known for employing spear-phishing emails and fake social media profiles to lure targets into installing malware on their devices.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Three distinct sets of obfuscated PowerShell commands were executed to load a Base64-encoded string. ‘Three distinct sets of obfuscated PowerShell commands were executed to load a Base64-encoded string.’
- [T1105] Ingress Tool Transfer – A further stage was downloaded from a C2 server over a basic TCP-based protocol. ‘a 32-bit stager that downloaded another stage using a basic TCP-based protocol from a command-and-control (C&C) server: 104.194.222[.]50 port 4444.’
- [T1003] OS Credential Dumping – Attackers dumped credentials before downloading Micropsia and Putty. ‘dump credentials before downloading the Micropsia backdoor and Putty’
- [T1027] Obfuscated Files and Information – Micropsia and associated tools were obfuscated (e.g., with PyArmor). ‘obfuscated with PyArmor.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via registry Run keys. ‘SetRegRunKey.exe that provided persistence by adding Arid Gopher to the registry so that it executed on reboot.’
- [T1047] Windows Management Instrumentation – Micropsia executed using WMI. ‘Micropsia is executed using WMI’
- [T1113] Screen Capture – Taking screenshots as part of data collection. ‘taking screenshots’
- [T1056.001] Input Capture: Keylogging – Keylogging functionality observed in Micropsia.
- [T1560.001] Archive Collected Data: Archive via Utility – Archiving files with WinRAR for exfiltration. ‘archiving certain file types using WinRAR in preparation for data exfiltration’
- [T1090] Proxy – Use of a reverse SOCKS tunnel to external IPs for C2 communications. ‘Reverse SOCKS Tunneler (aka Revsocks) (file name: windowsservicemanageav.exe)’; ‘connects to external addresses … likely to register device/receive commands’
- [T1041] Exfiltration Over C2 Channel – Data exfiltration via compressed archives to C2 channels. ‘exfiltration of a RAR file’
- [T1133] External Remote Services – Use of Putty (SSH client) to facilitate remote access during the campaign. ‘Putty, a publicly available SSH client’
Indicators of Compromise
- [IP Address] – 104.194.222.50 (C2 stage delivery, port 4444)
- [IP Address] – 79.133.51.134 (C2 registration/command path)
- [IP Address] – 146.19.233.32 (C2 registration/command path)
- [Domain] – jumpstartmail.com (C2 registration/command path)
- [Domain] – salimafia.net (C2 registration/command path)
- [File Name] – csidl_common_appdatasystempropertiesinternationaltimesystempropertiesinternationaltime.exe
- [File Name] – csidl_common_appdatawindowsnetworkmanagerwindowsnetworkmanager.exe
- [File Name] – csidl_common_appdatawindowspswindowsps.exe
- [File Name] – windowspackages.exe
- [File Name] – hostupbroker.exe
- [File Name] – localsecuritypolicy.exe
- [File Name] – networkswitcherdatamodell.exe
- [File Name] – networkuefidiagsbootserver.exe
- [File Name] – windowsservicemanageav.exe
- [File Name] – windowsupserv.exe
- [File Name] – getf.rar
- [File Name] – csidl_common_appdatamicrosoftdotnet35microsoftdotnet35.exe
- [File Name] – csidl_common_appdatamicrosoftservicesusermanualsystempropertiesinternationaltime.exe
- [Executable] – Micropsia (backdoor)
- [Executable] – Arid Gopher (Go-based backdoor)
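Added example (not code from the Symantec report or this summary): a small Python matcher that runs the page's network and file indicators plus three of the listed behaviours (Base64-encoded PowerShell loader, stage download over TCP, registry Run-key persistence) over endpoint telemetry. The event format, field names and sample events are assumptions constructed for the example.

```python
import base64
import re

# Indicators copied from this page's IoC list; each C2 host maps to the technique the page labels it with.
C2_BY_ROLE = {"104.194.222.50": "T1105", "79.133.51.134": "T1090",
              "146.19.233.32": "T1090", "jumpstartmail.com": "T1090", "salimafia.net": "T1090"}
MANTIS_FILES = {"windowspackages.exe", "hostupbroker.exe", "localsecuritypolicy.exe",
                "networkswitcherdatamodell.exe", "networkuefidiagsbootserver.exe",
                "windowsservicemanageav.exe", "windowsupserv.exe", "getf.rar"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ENC_CMD = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
NET_CALLS = re.compile(r"TcpClient|DownloadString|DownloadFile|WebClient", re.I)

def encode_command(script):
    """Build the Base64 (UTF-16LE) argument PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or malformed."""
    m = ENC_CMD.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return sorted technique IDs and IoC labels that one telemetry event matches."""
    hits = set()
    if event["type"] == "process":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in MANTIS_FILES:
            hits.add("IoC:file")
        decoded = decode_encoded_command(event.get("cmdline", ""))
        if decoded is not None:
            hits.add("T1059.001")               # encoded PowerShell loader
            if NET_CALLS.search(decoded):       # stager pulling a further stage
                hits.add("T1105")
    elif event["type"] == "network" and event.get("dest") in C2_BY_ROLE:
        hits.update({"IoC:c2", C2_BY_ROLE[event["dest"]]})
    elif event["type"] == "registry" and RUN_KEY.search(event.get("key", "")):
        hits.add("T1547.001")                   # Run-key persistence (Arid Gopher)
    return sorted(hits)
# Constructed sample telemetry (not from the report), one event per rule.
SAMPLE_EVENTS = [
    {"type": "process", "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc "
     + encode_command("$c = New-Object Net.Sockets.TcpClient('203.0.113.10', 4444)")},
    {"type": "network", "dest": "104.194.222.50", "port": 4444},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Gopher"},
    {"type": "process", "image": r"C:\ProgramData\windowsservicemanageav.exe", "cmdline": ""},
]
```

Decoding the encoded command before matching is what separates this from a plain string lookup: the loader itself carries no indicator, but the decoded script reveals the network call that the page describes for the stager.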
Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks