Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering

Iranian 'Educated Manticore' Hackers Target Israel

Iranian Threat Actor Deploys Improved PowerLess Backdoor
Iranian 'Educated Manticore' Hackers Target Israel
A manticore depicted in the 13th-century Rochester Bestiary (Image: British Library)

Iranian hackers are deploying an updated backdoor apparently targeting Israeli academic researchers with an interest in Iraq.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Researchers at Check Point Security said a group they have dubbed "Educated Manticore" is sending the Iraq-themed bait in order to coax users into initiating a new and improved infection chain that ends with deployment of an implant known as PowerLess.

Other researchers have tied PowerLess to an Iranian actor known as Phosphorus, also tracked as Charming Kitten and APT35. The group has a history of targeting academics who specialize in the fundamentalist Shiite theocracy.

The Phosphorus designation comes from Microsoft, which this month shifted to a new threat group naming convention. The computing giant now calls the group Mint Sandstorm (see: Iranian State Hacker Aggression Escalates, Says Microsoft).

Check Point says clusters of Iranian hacking activity have become difficult to untangle. The PowerLess-wielding hackers spotted by Check Point in these findings have strong overlap with Mint Sandstorm. But, "we have no sufficient knowledge to place the activities around the PowerLess backdoor" in the complex puzzle of Iranian threat actors, company researchers wrote. As a result, they decided to give the activity its own name.

The group's loading mechanisms and techniques are improvements over previous PowerLess deployments. Prominent among those advances is the use of ".NET executables constructed as Mixed Mode Assembly - a mixture of .NET and native C++ code," Check Point researchers wrote. Mixed-mode software is harder to reverse-engineer than pure code.

The infection chain begins when Educated Manticore installs an initial loader and payload downloader a folders. The lure is an ISO file named Iraq development resources.iso as well as the documents within the file.

The loader is stored as zoom.jpg within the ISO file. The initial loader is disguised as an empty folder, in a bid to have victims click on it without noticing the .exe extension. The final payload is a new version of the PowerLess payload -with more than double the number of commands.

The new features include showing a list of installed programs, processes and files; stealing user data from the Telegram desktop app; and taking screenshots. This PowerLess payload can also download extra modules, including a keylogger, an info stealer and a sound recorder.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.