Threat Advisory

Iran-Linked Cavern Manticore Abuses RMM Software to Deploy Malware

Threat: Malware
Threat Actor Name: Cavern Manticore
Threat Actor Type: Nation-Sponsored or State-Sponsored
Targeted Region: Asia, Middle East, Iran, Israel
Alias: MuddyWater, Lyceum
Threat Actor Region: Iran
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

An Iran-linked threat actor known as Cavern Manticore targets Israeli organizations with a focus on IT providers and government sectors. The framework is built around a foundation using multiple compilation formats across different components. Cavern's anti-analysis posture relies on compilation formats that force reverse engineers into multiple toolsets and metadata-reconstruction workflows, together with per-module AppDomain isolation as an anti-forensics measure.

The framework's modular architecture separates core communication capabilities from mission-specific post-exploitation functionality. This design allows the operators to tailor deployments per victim environment, limit what defenders and analysts can recover from any single victim, and extend access after compromise through specialized modules for reconnaissance, data access, tunneling, and lateral movement.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

An Iran-linked threat actor known as Cavern Manticore targets Israeli organizations with a focus on IT providers and government sectors. The framework is built around a foundation using multiple compilation formats across different components. Cavern's anti-analysis posture relies on compilation formats that force reverse engineers into multiple toolsets and metadata-reconstruction workflows, together with per-module AppDomain isolation as an anti-forensics measure.

The framework's modular architecture separates core communication capabilities from mission-specific post-exploitation functionality. This design allows the operators to tailor deployments per victim environment, limit what defenders and analysts can recover from any single victim, and extend access after compromise through specialized modules for reconnaissance, data access, tunneling, and lateral movement.[emaillocker id="1283"]

Cavern Manticore has been observed in multiple intrusions where the initial foothold was achieved through abuse of existing Remote Monitoring and Management (RMM) software deployed in the targeted organization. The threat actor uses a legitimate software-deployment feature to deploy malware onto another machine within the victim environment.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial access T1195.002 Supply Chain Compromise Compromise Software Supply Chain
Persistence T1543.003 Create or Modify System Process Windows Service
Defence Evasion T1027.002 Obfuscated Files or Information Software Packing
Defence Evasion T1036.005 Masquerading Match Legitimate Resource Name or Location
Collection T1005 Data from Local System -
Command and control T1071.001 Application Layer Protocol Web Protocols
Command and control T1571 Non Standart Port -Standard Port-
Exfiltration T1041 Exfiltration Over C2 Channel -

MBC MAPPING:

Objective Behavior ID Behavior
Command & Control B0030 C2 Communication
Anti-Behavioral Analysis B0003 Dynamic Analysis Evasion
Defense Evasion B0029 Polymorphic Code
Discovery E1082 System Information Discovery
Execution E1204 User Execution
Persistence F0012 Registry Run Keys / Startup Folder
Exfiltration E1020 Automated Exfiltration
Anti-Static Analysis E1027 Obfuscated Files or Information

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu