An Iran-linked threat actor known as Cavern Manticore targets Israeli organizations with a focus on IT providers and government sectors. The framework is built around a foundation using multiple compilation formats across different components. Cavern's anti-analysis posture relies on compilation formats that force reverse engineers into multiple toolsets and metadata-reconstruction workflows, together with per-module AppDomain isolation as an anti-forensics measure.
The framework's modular architecture separates core communication capabilities from mission-specific post-exploitation functionality. This design allows the operators to tailor deployments per victim environment, limit what defenders and analysts can recover from any single victim, and extend access after compromise through specialized modules for reconnaissance, data access, tunneling, and lateral movement.[/subscribe_to_unlock_form]
An Iran-linked threat actor known as Cavern Manticore targets Israeli organizations with a focus on IT providers and government sectors. The framework is built around a foundation using multiple compilation formats across different components. Cavern's anti-analysis posture relies on compilation formats that force reverse engineers into multiple toolsets and metadata-reconstruction workflows, together with per-module AppDomain isolation as an anti-forensics measure.
The framework's modular architecture separates core communication capabilities from mission-specific post-exploitation functionality. This design allows the operators to tailor deployments per victim environment, limit what defenders and analysts can recover from any single victim, and extend access after compromise through specialized modules for reconnaissance, data access, tunneling, and lateral movement.[emaillocker id="1283"]
Cavern Manticore has been observed in multiple intrusions where the initial foothold was achieved through abuse of existing Remote Monitoring and Management (RMM) software deployed in the targeted organization. The threat actor uses a legitimate software-deployment feature to deploy malware onto another machine within the victim environment.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Defence Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defence Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Collection | T1005 | Data from Local System | - |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and control | T1571 | Non Standart Port | -Standard Port- |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
| Defense Evasion | B0029 | Polymorphic Code |
| Discovery | E1082 | System Information Discovery |
| Execution | E1204 | User Execution |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Exfiltration | E1020 | Automated Exfiltration |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
The following reports contain further technical details:
[/emaillocker]