Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict

Nimbus Manticore, an IRGC-affiliated threat actor also tracked as UNC1549, resurfaced during Operation Epic Fury with new infection chains, including AppDomain Hijacking, SEO poisoning, and a newly identified backdoor named MiniFast. The campaign used phishing lures, a Trojanized Zoom installer, and a fake SQL Developer download site to target aviation and software organizations across the United States, Europe, and the Middle East. #NimbusManticore #UNC1549 #MiniFast #MiniJunk #Zoom #SQLDeveloper

Keypoints

  • Nimbus Manticore is an IRGC-affiliated threat actor that has long targeted defense, aviation, and telecommunications organizations.
  • During Operation Epic Fury, the group introduced new tradecraft, including AppDomain Hijacking, SEO poisoning, and AI-assisted malware development.
  • The campaign used career-themed phishing lures and a Trojanized Zoom installer to deploy malware while blending into legitimate software activity.
  • A previously undocumented backdoor named MiniFast replaced the earlier MiniJunk malware family in the latest operation.
  • The group abused scheduled tasks, trusted digital signatures, and legitimate executables to persist and evade detection.
  • A fake SQL Developer download site was promoted through SEO poisoning to deliver the MiniFast payload to unsuspecting users.
  • MiniFast provides extensive remote control capabilities, including file operations, process management, command execution, persistence, and C2 communication.

MITRE Techniques

  • [T1055] Process Injection – The actor used AppDomain Hijacking to load malicious DLLs through trusted .NET applications and Zoom-related executables (‘abusing AppDomain Hijacking for execution’ and ‘the .NET runtime loads the DLL’).
  • [T1566] Phishing – The campaign relied on fake career opportunities and meeting-invitation lures to deliver malicious archives and installers (‘career-themed phishing campaigns’ and ‘fake meeting invitations’).
  • [T1204] User Execution – Victims had to download and launch weaponized ZIP archives or installers for the infection to begin (‘After Setup.exe is launched by the user’).
  • [T1036] Masquerading – Malicious files and sites impersonated legitimate software and organizations, including Zoom, Accenture, airline brands, and SQL Developer (‘masquerading as a US-based airline’ and ‘fake website impersonating a download page for SQL Developer’).
  • [T1218] System Binary Proxy Execution – A Microsoft-signed Setup.exe and the legitimate Zoom installer were abused to execute malicious DLLs and stage the infection chain (‘Benign Microsoft-signed binary’ and ‘launched the legitimate Zoom installer’).
  • [T1574.009] Dynamic Linker Hijacking: AppDomain Manager – The malware used a Trojanized .config file to point AppDomainManager to attacker-controlled DLLs (‘placing a Trojanized XML .config file’ and ‘points to a malicious DLL’).
  • [T1036.005] Match Legitimate Name or Location – The malware wrote files into application-like directories and renamed binaries to appear legitimate (‘written into C:UsersAppDataLocalPackages’ and ‘now renamed to Update.exe’).
  • [T1112] Modify Registry / Scheduled Task / Task Hijacking – The malware hijacked a Zoom-created scheduled task and later created or updated a task named WindowsSecurityUpdate (‘hijacks and modifies it to execute the second-stage component’ and ‘creates or updates a scheduled task named WindowsSecurityUpdate’).
  • [T1057] Process Discovery – MiniFast enumerated running processes and returned names and PIDs (‘Enumerate Processes’).
  • [T1083] File and Directory Discovery – The backdoor listed files and folders within a specified directory (‘Lists files and folders inside a specified directory’).
  • [T1105] Ingress Tool Transfer – MiniFast downloaded files from the C2 server and uploaded local files back to it (‘Downloads a file from the C2 server’ and ‘Uploads local files’).
  • [T1027] Obfuscated Files or Information – The loaders used ROT13, reversed strings, Base64, and encrypted payloads to hinder analysis (‘decrypted at runtime using a simple combination of ROT13 encoding and reversed-string transformations’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The malware performed process-chain validation and anti-analysis checks to avoid sandbox execution (‘only continues execution if: The hosting process name is update.exe’ and ‘the parent process is svchost.exe’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The backdoor used HTTP-based API-style communication with JSON and Base64-encoded task data (‘communicates with its C2 infrastructure using an API-style architecture with JSON-formatted data exchanges’).
  • [T1001] Data Obfuscation – Tasking and result data were Base64-encoded before transmission (‘Base64-encoded serialized task structures’ and ‘Base64-encoded and submitted back’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The malware relied on a Zoom installation task for persistence and later created its own WindowsSecurityUpdate task (‘abusing an existing Zoom scheduled task’ and ‘scheduled task named WindowsSecurityUpdate’).
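The AppDomain Hijacking entry above describes a Trojanized `.config` file that redirects the .NET AppDomainManager to a DLL dropped beside a trusted executable. The following is an added detection example, not code from the Check Point report: it parses an application config, extracts any AppDomainManager override, and flags the side-loading pattern where the named assembly's DLL sits next to the executable. The sample config, the type name `UpdateChecker.Loader`, and the directory listing are constructed for illustration; only the file name UpdateChecker.dll comes from the indicators on this page.

```python
import xml.etree.ElementTree as ET

# .NET runtime config elements that override the AppDomainManager lookup
# (the element names are real; the sample config below is constructed).
HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed example of a Trojanized <app>.exe.config; the type name
# UpdateChecker.Loader is an assumption, not taken from the report.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateChecker, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateChecker.Loader" />
  </runtime>
</configuration>
"""

def extract_appdomain_manager(config_xml: str) -> dict:
    """Return {element: value} for any AppDomainManager overrides in a .NET
    application config. An empty dict means the runtime default applies."""
    root = ET.fromstring(config_xml)
    found = {}
    runtime = root.find("runtime")
    if runtime is None:
        return found
    for child in runtime:
        tag = child.tag.rsplit("}", 1)[-1]  # drop an xmlns prefix if present
        if tag in HIJACK_ELEMENTS:
            found[tag] = child.get("value", "").strip()
    return found

def expected_dll(assembly_display_name: str) -> str:
    """'UpdateChecker, Version=1.0.0.0, ...' -> 'UpdateChecker.dll'."""
    return assembly_display_name.split(",", 1)[0].strip() + ".dll"

def is_sideload_hijack(config_xml: str, files_next_to_exe) -> bool:
    """Flag a config that both redirects the AppDomainManager and names an
    assembly whose DLL is present beside the executable (side-loading)."""
    found = extract_appdomain_manager(config_xml)
    if not all(k in found for k in HIJACK_ELEMENTS):
        return False
    dll = expected_dll(found["appDomainManagerAssembly"]).lower()
    return dll in {f.lower() for f in files_next_to_exe}

if __name__ == "__main__":
    # Constructed directory listing for a staged Setup.exe folder.
    siblings = ["Setup.exe", "Setup.exe.config", "UpdateChecker.dll"]
    print(extract_appdomain_manager(SAMPLE_CONFIG))
    print("hijack suspected:", is_sideload_hijack(SAMPLE_CONFIG, siblings))
```

In practice the same check is run over every `*.exe.config` found under user-writable paths, since a legitimately installed .NET application rarely ships an AppDomainManager override at all.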

Indicators of Compromise

  • [SHA256] Malware sample hashes for loaders, payloads, and infrastructure-related binaries – 10fd541674adadfbba99b54280f7e59732746faf2b10ce68521866f737f1e46d, eee657ffdb2af8ed6412221e7d5fbf4f5742f2ac2c88f43f12db46af0697de71, and 25 more hashes
  • [Domain] Phishing, SEO-poisoning, and infrastructure domains used to deliver MiniFast – getsqldeveloper[.]com, business-startup[.]org, and 18 other domains
  • [File names] Malicious archives, loaders, and renamed binaries used in the infection chain – Zoominstall64.zip, UpdateChecker.dll, and uevmonitor.dll
  • [File paths] Locations where staged payloads were extracted or copied during execution – C:UsersAppDataLocalPackages, C:UsersAppDataLocalZoombinupdate
  • [Certificate subjects] Valid signing certificates abused to sign malicious files – Gray Matter Software S.R.L., Kirubel Kerie Negeya
  • [User-Agent string] Browser impersonation string used by MiniFast for C2 traffic – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36

Read more: https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/