Educated Manticore is an Iran-aligned threat cluster that has evolved its toolset to deploy a newer PowerLess variant via ISO-based lures targeting Israel. The operation uses a multi-stage infection chain with a mixed-mode .NET loader and in-memory execution to bypass defenses and fetch additional payloads from attacker-controlled domains. #EducatedManticore #PowerLess #Phosphorus #Israel #Iraq
Key points
- Educated Manticore is an Iranian-aligned activity cluster closely related to Phosphorus.
- Actors use ISO images and PDFs with Iraq- and Israel-focused lures to initiate infections.
- PowerLess is updated to employ a .NET mixed-mode assembly with heavy obfuscation and RunPE-In-Memory.
- The infection chain involves lure ISO, an Initial Loader, a Downloader, a PowerLess Loader, and a PowerLess Payload.
- The PowerLess Loader implements AMSI and ETW bypasses and downloads the next stages from attacker-controlled domains.
- The PowerLess payload expands capabilities (system discovery, process/file listing, Telegram data theft, screenshots, and a keylogger module).
MITRE Techniques
- [T1566.001] Phishing – Use of an ISO file to initiate infection chains after user interaction. Quote: ‘The ISO file is designed to deceive the user.’
- [T1105] Ingress Tool Transfer – Downloader downloads PowerLess loader and encrypted PowerShell payload from attacker-controlled domain. Quote: ‘Downloads the PowerLess loader through a POST request to an attacker-controlled domain … downloading the encrypted PowerShell payload content through a POST request to the same server.’
- [T1059.001] PowerShell – LNK triggers a PowerShell script to extract and run a PE file. Quote: ‘Clicking the malicious LNK file triggers a PowerShell script that extracts a PE file embedded within it, saving it to the %temp% folder.’
- [T1027] Obfuscated/Compressed Files and Information – The initial loader is obfuscated with compiler-generated pattern-based obfuscation and uses 13 customized TEA32-based string-decryption functions. Quote: ‘The initial loader is obfuscated, most likely with compiler-generated pattern-based obfuscation. … 13 customized string-decryption functions that are based on TEA32.’
- [T1140] Deobfuscate/Decode Files or Information – Decrypts downloader contents from zoom.jpg using AES-256-CBC with a key and IV. Quote: ‘Decrypts the contents of the downloader to memory from zoom.jpg using AES-256-CBC with the KEY …’
- [T1055] Process Injection – RunPE-In-Memory is used to decrypt and execute payload in memory. Quote: ‘using RunPE-In-Memory … mapped to memory, and execute it at its entry point.’
- [T1562.001] Impair Defenses: AMSI Bypass – Loader performs AMSI Bypass (and ETW Bypass) evasion. Quote: ‘a few evasion techniques, AMSI Bypass and ETW Bypass.’
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via registry key to load syscall01.exe. Quote: ‘Creates the directory … Copies itself with the name syscall01.exe to the above folder … Constructs the path to the file zoom.jpg …’
- [T1071.001] Web Protocols – C2 communications with base64-encoded data and encrypted payloads over attacker-controlled domains. Quote: ‘PowerLess C&C communication to the server is Base64-encoded and encrypted after obtaining a key from the server.’
- [T1082] System Information Discovery – Backdoor enumerates the system and sends recon data (computer name, username, OS, IP, etc.). Quote: ‘the PowerShell backdoor enumerates the system and sends recon data … including the computer name, username, operating system, IP address, installation path, computer manufacturer, and security software installed.’
- [T1056] Input Capture: Keylogging – PowerLess can download a keylogger module. Quote: ‘including a keylogger, browser information stealer, and a surroundings sound recorder.’
Indicators of Compromise
- [Domain] C2 domains – subinfralab.info, deersharpfork.info, and blackturtle.hopto.org
- [Hashes] Archives – 3e1ed006e120a1afaa49f93b4156a992f8d799b1888ca6202c1098862323c308, 29318f46476dc0cfd7b928a2861fea1b761496eb5d6a26040e481c3bd655051a, and 4 more hashes
- [Hashes] PE files – e5ba06943abb666f69f757fcd591dd1cceb66cad698fb894d9bc8911282198c4, 97a615e69c38db9dffda6be7c11dd27547ce4036a4998a1469fa81b548c6f0b0, and 7 more hashes
- [Hashes] LNK – 1672a14a3e54a127493a2b8257599c5582204846a78521b139b074155003cba4 and 0f4d309f0145324a6867108bb04a8d5d292e7939223d6d63f44e21a1ce45ce4
- [Hashes] PowerShell – 737cb075ba0b5ed6d8901dcd798eecff0bc8585091bc232c54f92df7f9e9e817 and cd813d56cf9f2201a2fa69e77fb9acaaa37e64183c708de64cb5cb7c3035a184
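The following hunting script is an added example, not code from the report or the threat actor's tooling: it turns the chain described in the MITRE section (PowerShell dropping a PE into %temp%, the loader copying itself as syscall01.exe and fetching zoom.jpg, Run-key persistence, POSTs to the listed C2 domains) into four simple rules and runs them over constructed endpoint telemetry. The event schema (`type`, `path`, `process`, `key`, `value`, `host`) is a hypothetical normalised form, and the sample events are constructed, not taken from the report.

```python
import re

# Indicators quoted on this page: C2 domains and the file names the loader drops.
C2_DOMAINS = {"subinfralab.info", "deersharpfork.info", "blackturtle.hopto.org"}
DROPPED_FILES = {"syscall01.exe", "zoom.jpg"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(\\|$)", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


def hunt(events):
    """Match normalised endpoint events (hypothetical schema) against the chain.
    Each event is a dict with 'type' in {'file', 'registry', 'network'} plus
    type-specific fields. Returns a list of (rule_name, event_index).
    """
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "file":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            proc = ev.get("process", "").lower()
            # Stage 1: the LNK's PowerShell script writes an extracted PE to %temp%
            if (proc == "powershell.exe" and TEMP_DIR.search(ev["path"])
                    and name.endswith(".exe")):
                hits.append(("powershell_writes_pe_to_temp", i))
            # Stage 2: the loader copies itself as syscall01.exe and fetches zoom.jpg
            if name in DROPPED_FILES:
                hits.append(("known_dropped_filename", i))
        elif kind == "registry":
            # Persistence: a Run key whose data points at the renamed loader
            if RUN_KEY.search(ev["key"]) and "syscall01.exe" in ev.get("value", "").lower():
                hits.append(("run_key_persistence", i))
        elif kind == "network":
            # C2: any contact with the listed domains or their subdomains
            host = ev.get("host", "").lower()
            if host in C2_DOMAINS or host.endswith(tuple("." + d for d in C2_DOMAINS)):
                hits.append(("c2_domain_contact", i))
    return hits


# Constructed sample telemetry (not from the report): one event per stage plus benign noise.
SAMPLE_EVENTS = [
    {"type": "file", "process": "powershell.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"type": "file", "process": "update.exe",
     "path": r"C:\Users\u\AppData\Roaming\svc\syscall01.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\u\AppData\Roaming\svc\syscall01.exe"},
    {"type": "network", "host": "deersharpfork.info", "method": "POST"},
    {"type": "network", "host": "update.microsoft.com", "method": "GET"},
]
```

Calling `hunt(SAMPLE_EVENTS)` yields one hit per rule for the first four events and nothing for the benign GET; in practice the file-name and Run-key rules should be correlated with the PowerShell-to-%temp% write, since on their own they will also fire on unrelated software.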