Iranian Cyber Spies Use ‘LionTail’ Malware in Latest Attacks

Scarred Manticore, an Iranian nation-state threat actor with possible connections to Iran’s Ministry of Intelligence and Security, recently used a new ‘LionTail’ malware framework to attack various organizations in the Middle East. The threat actor targeted numerous government and critical infrastructure organizations in Iraq, Israel, Jordan, Kuwait, Oman, Saudi Arabia, and the UAE.

Check Point researchers discovered that LionTail enabled the threat actor to execute commands via HTTP requests on target Windows servers. The LionTail backdoor is unique to the Scarred Manticore threat actor, but other tools observed in the attacks align with another Iranian hacking group, APT34. The threat actor also crafted unique sets of passive implants for each server, making their communication almost indistinguishable from legitimate network traffic. LionTail appears to be an improved version of FoxShell, another tool attributed to Scarred Manticore. The threat actor primarily focused on persistence, data extraction, and cyber espionage objectives during this campaign.

Read More:

https://www.securityweek.com/iranian-cyber-spies-use-liontail-malware-in-latest-attacks/