From Albania to the Middle East: The Scarred Manticore is Listening – Check Point Research

Check Point Research tracks Scarred Manticore, an Iranian threat actor affiliated with MOIS, conducting an espionage campaign in the Middle East using the LIONTAIL framework to load memory-resident payloads on Windows servers. The operation features tailor-made implants, web shells, and IOCTL-driven use of Windows HTTP.sys to blend into legitimate traffic, with connections to previous OilRig activity and an Albanian government intrusion (DEV-0861) in its history. #ScarredManticore #LIONTAIL #MOIS #OilRig #DEV0861 #FOXSHELL #Tunna #WINTAPIX #AlbanianGovernment

Keypoints

  • Scarred Manticore is an Iranian MOIS-affiliated threat actor being tracked by CPR and Sygnia IR.
  • The attackers rely on the LIONTAIL framework, a memory-resident loader/backdoor that uses Windows HTTP.sys and undocumented IOCTLs for C2.
  • LIONTAIL implants are often tailor-made per compromised server to blend traffic with legitimate HTTP traffic.
  • The operation has evolved from IIS-based backdoors to low-level Windows HTTP stack usage, with multiple toolsets (web shells, DLL backdoors, drivers) linked to Scarred Manticore, FOXSHELL lineage, Tunna, and WINTAPIX.
  • Scarred Manticore’s history includes DEV-0861 and a notable Albanian government intrusion, illustrating long-term espionage with occasional destructive associations.

MITRE Techniques

  • [T1071.001] Web Protocols – The backdoor enables attackers to execute commands remotely through HTTP requests. “The backdoor enables attackers to execute commands remotely through HTTP requests.”
  • [T1574.001] Hijack Execution: DLL Search Order Hijacking – The malware is dropped as wlanapi.dll or wlbsctrl.dll and loaded by Windows services or legitimate processes via DLL search order hijacking. “The backdoor is dropped to the system folder C:\windows\system32 as wlanapi.dll or wlbsctrl.dll. By default, neither of these exist on Windows Server installations.”
  • [T1543.003] Create or Modify System Process: Windows Service – Actors enable services that require those DLLs, effectively manipulating services to load the implants. “actors enable specific services, disabled by default, that require those DLLs.”
  • [T1082] System Information Discovery – The malware gathers system information (computer name, domain name, RAM, CPU, etc.) via Windows APIs and registry data. “The data gathered by this payload is collected by running specific Windows APIs or enumerating the registry keys, and includes these components: Computer Name … and Domain Name …”
  • [T1055] Process Injection – The final payload runs shellcode in memory, indicating in-memory code execution/injection. “The malware creates a new thread and runs the shellcode in memory.”
  • [T1027.001] Obfuscated/Compressed Files and Information – Communications and payloads are XOR-encrypted and base64-encoded during C2 and response handling. “The body of the request is base64-decoded and decrypted by XORing the whole data with the first byte of the data.”
  • [T1041] Exfiltration Over C2 – C2 communications are encrypted and sent back to the C2 channel over HTTP, including encoded payloads. “to encrypt the response, the malware chooses a random byte, XOR-encodes the data using it as a key, prepends the key to the result, and then base64-encodes the entire result before sending it back to the C&C server.”
  • [T1070.001] Indicator Removal on Host – Event Log bypass to avoid detection. “Event Log bypass using a known technique of suspending EventLog Service threads.”
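The request and response encoding quoted under T1027.001 and T1041 is simple enough to carry through in code, which is useful when triaging captured HTTP bodies from a suspected server. The following is an added Python example written for this summary; it is not code from the Check Point report or from the LIONTAIL samples. The function names, the constructed sample body, and the printable-ratio triage heuristic are assumptions of this example, not details taken from the report. One observation the code relies on: the report describes the request side as XORing the whole decoded buffer with its first byte, and the response side as prepending a random key byte before XOR and base64. Since key ^ key == 0, both describe the same wire format (key byte followed by key-XORed data), so a single decoder that drops the first byte and XORs the rest with it recovers either direction.

```python
import base64
import binascii
import secrets
from typing import Optional


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def encode_response(plaintext: bytes, key: Optional[int] = None) -> str:
    """Mirror the response encoding the report describes: pick a random key byte,
    XOR the data with it, prepend the key, then base64-encode the whole buffer.
    A fixed key may be supplied to produce reproducible test vectors."""
    if key is None:
        key = secrets.randbelow(256)
    if not 0 <= key <= 255:
        raise ValueError("key must be a single byte")
    return base64.b64encode(bytes([key]) + xor_with_key(plaintext, key)).decode("ascii")


def decode_request_literal(body_b64: str) -> bytes:
    """The request-side description taken literally: base64-decode, then XOR the
    WHOLE buffer with its own first byte. The first byte therefore becomes 0x00."""
    raw = base64.b64decode(body_b64, validate=True)
    if not raw:
        return b""
    return xor_with_key(raw, raw[0])


def decode_body(body_b64: str) -> bytes:
    """Decode a request or response body of this format: the first decoded byte is
    the key, the remainder is the key-XORed payload. Equivalent to
    decode_request_literal() with the leading 0x00 removed, and also matches the
    response format, which prepends the key explicitly."""
    raw = base64.b64decode(body_b64, validate=True)
    if len(raw) < 2:
        return b""
    return xor_with_key(raw[1:], raw[0])


def triage_body(body_b64: str, min_printable_ratio: float = 0.9) -> Optional[str]:
    """Triage helper (heuristic, assumption of this example): attempt to decode a
    captured HTTP body and return it as text only if it is valid base64 and the
    recovered payload is mostly printable ASCII. Returns None otherwise."""
    try:
        plain = decode_body(body_b64)
    except (ValueError, binascii.Error):
        return None
    if not plain:
        return None
    printable = sum(1 for b in plain if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(plain) < min_printable_ratio:
        return None
    return plain.decode("ascii", errors="replace")


# Constructed sample body (not a real capture): "whoami" encoded with key 0x5A.
SAMPLE_BODY = encode_response(b"whoami", key=0x5A)

if __name__ == "__main__":
    print("sample body:", SAMPLE_BODY)
    print("decoded    :", decode_body(SAMPLE_BODY))
    print("triage     :", triage_body(SAMPLE_BODY))
```

Running the block prints the constructed body, its decoded payload, and the triage result; in practice one would feed triage_body() the request and response bodies of suspicious HTTP exchanges pulled from a proxy or packet capture and review anything that decodes to readable text.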

Indicators of Compromise

  • [Hash] File hashes – daa362f070ba121b9a2fa3567abc345edcde33c54cabefa71dd2faad78c10c33, f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596, and 2 more hashes

Read more: https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/