Full Report
An Iranian hacking group affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been wielding a previously undocumented modular command-and-control (C2) framework dubbed Cavern (aka Cav3rn) targeting Israeli organizations. The activity, which has primarily singled out IT providers and government sectors, has been attributed to a threat cluster tracked by Check Point Research
Analysis Summary
# Threat Actor: Cavern Manticore
## Attribution & Identity
- **Actor Identification:** Cavern Manticore
- **Affiliation:** Iran's Ministry of Intelligence and Security (MOIS).
- **Associated Groups:** Shares tactical overlaps with **MuddyWater** and **Lyceum** (the latter is considered a subgroup of **OilRig**).
## Activity Summary
Cavern Manticore is a newly identified Iranian threat cluster recently observed targeting Israeli organizations. The group utilizes a sophisticated, modular command-and-control (C2) framework dubbed **Cavern** (or **Cav3rn**). Their latest campaign involves weaponizing trusted software update mechanisms and supply chain relationships to move laterally from IT providers to high-value government targets.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting trusted relationships and software update features; specifically leveraged **SysAid's software update** feature to initiate the infection.
- **Side-Loading:** Execution of a trojanized DLL (`uxtheme.dll`) via DLL side-loading chains.
- **Anti-Analysis & Anti-Forensics:**
- Uses three distinct .NET compilation formats (.NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT) to force researchers to use multiple toolsets and reconstruction workflows.
- Employs **AppDomain isolation** for per-module execution to reduce forensic visibility.
- **Post-Exploitation:**
- Deployment of specialized modules for file manipulation, SQL database theft, and Active Directory reconnaissance.
- Use of **SOCKS5 proxies** and **WebSocket tunneling** for covert communication.
- **Brute-forcing:** LDAP and SMB brute-force attempts for lateral movement.
- **MITRE ATT&CK IDs (Inferred from text):**
- **T1574.002:** Hijack Execution Flow: DLL Side-Loading
- **T1195.002:** Supply Chain Compromise: Compromise Software Supply Chain
- **T1071.001:** Application Layer Protocol: Web Protocols (HTTPS/WebSockets)
- **T1090:** Proxy (SOCKS5)
- **T1018:** Remote System Discovery
- **T1110:** Brute Force (SMB/LDAP)
## Targeting
- **Sectors:** IT Service Providers, Government sectors.
- **Geography:** Primarily Israel; targets second-hop providers to reach end victims.
- **Victims:** Israeli IT providers and government organizations.
## Tools & Infrastructure
- **Malware Families:**
- **Cavern Agent:** The core trojanized DLL (`uxtheme.dll`).
- **Cavern Modules:** `mhm.dll` (File ops), `db.dll` (SQL), `ode.dll` (AD recon), `n-ten.dll` (Network recon/SMB), `n-sws.dll` (Tunneling), and `n-HTCommp.dll` (Communication).
- **Frameworks:** .NET (Framework, Mixed-Mode C++/CLI, and Native AOT).
- **Communication Infrastructure:**
- hospitalinstallation[.]com (C2 Server)
- Protocols: HTTPS and WebSockets.
## Implications
Cavern Manticore represents a maturing Iranian cyber capability characterized by high-level software engineering and architectural complexity. Their ability to exploit RMM (Remote Monitoring and Management) solutions and IT provider trust underscores a significant risk to supply chains. The use of multi-format .NET compilation indicates a concerted effort to bypass automated sandboxes and complicate manual reverse engineering.
## Mitigations
- **Software Integrity:** Monitor and validate integrity of DLLs associated with third-party software updates (e.g., SysAid).
- **Credential Hygiene:** Implement strong MFA and account lockout policies to defend against the LDAP and SMB brute-forcing techniques used by the `ode.dll` and `n-ten.dll` modules.
- **Supply Chain Security:** Organizations and IT providers should implement strict least-privilege access for RMM tools and monitor for unusual lateral movement originating from service provider accounts.
- **Network Monitoring:** Inspect outbound traffic for non-standard WebSocket connections or communication with the identified C2 domain.
- **Endpoint Defense:** Employ EDR solutions capable of detecting AppDomain isolation anomalies and DLL side-loading in system directories.