An Iran-linked hacker group referred to as “Educated Manticore” has begun conducting cyberattacks against Israeli targets using a new version of malware used by other well-known Iranian hackers, alongside other methods rarely seen “in the wild,” according to a new report published by the Israeli cybersecurity company Check Point on Tuesday.
The new form of attack was first noticed in January when two people with Israeli IP addresses submitted the malicious file to VirusTotal, a database that tracks computer viruses.
The file is an ISO file called “Iraq development resources” containing a large number of files, including PDFs in Arabic, English and Hebrew containing academic content about Iraq. Check Point noted that this indicates that the targets may have been academic researchers.
The ISO file contains three folders: one with a JPEG named “zoom.jpg,” a second containing the PDFs and other related files, and a third containing the same files in encrypted form. Another file, also named “Iraq development resources,” carries an icon indicating it is a folder but is actually an executable (.exe) that launches the actual malware when clicked.
After the .exe file is clicked, it decrypts and executes a downloader from the zoom.jpg file. The .exe file is filled with junk code in order to trick users and anti-virus software. The downloader is also filled with junk code and downloads malware called “PowerLess” which serves as a backdoor for hackers to access the affected computer.
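The two tricks described above, an executable with a folder-like icon and no extension, and a “.jpg” that is really an encrypted payload carrier, can both be caught by content checks rather than by trusting names and icons. The following triage script is an added example, not code from Check Point or from the report; it builds a constructed stand-in for the extracted ISO layout (the file names and contents are made up for the demo) and flags files whose magic bytes disagree with their name, plus high-entropy blobs:

```python
import math
import random
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"              # first bytes of a Windows executable
JPEG_MAGIC = b"\xff\xd8\xff"  # first bytes of a real JPEG

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; encrypted or packed blobs sit close to it."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_file(path: Path) -> list[str]:
    """Findings for one extracted file; an empty list means nothing stood out."""
    data = path.read_bytes()
    findings = []
    # A PE with no extension shows only its icon, which the author can make folder-like.
    if data.startswith(PE_MAGIC) and path.suffix == "":
        findings.append("pe-without-extension")
    # Named like an image but not an image by content.
    if path.suffix.lower() in (".jpg", ".jpeg") and not data.startswith(JPEG_MAGIC):
        findings.append("jpeg-name-without-jpeg-magic")
    # Encrypted payloads embedded in decoy files look like random bytes.
    if len(data) >= 256 and shannon_entropy(data) > 7.5:
        findings.append("high-entropy")
    return findings

def triage_tree(root: Path) -> dict[str, list[str]]:
    """Map each flagged file (path relative to root) to its findings."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (found := triage_file(p)):
            report[str(p.relative_to(root))] = found
    return report

def demo() -> dict[str, list[str]]:
    """Constructed stand-in for the extracted ISO: decoy PDF, folder-looking PE, fake JPEG."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "paper.pdf").write_bytes(b"%PDF-1.4\n" + b"benign text " * 100)
    # PE stub with no extension, padded with repetitive filler (low entropy, like junk code).
    (root / "Iraq development resources").write_bytes(PE_MAGIC + b"\x90" * 2048)
    # "Image" that is really an opaque blob: seeded pseudo-random bytes stand in for ciphertext.
    (root / "zoom.jpg").write_bytes(random.Random(7).randbytes(4096))
    return triage_tree(root)
```

Run `demo()` to see the two planted files flagged while the decoy PDF passes; point `triage_tree` at a real extraction directory to triage an archive the same way.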
The PowerLess tool has been used by the Iranian Mint Sandstorm cluster of hackers (also known as Phosphorus, APT35, APT42, Charming Kitten, and TA453), but the version found in the file used by Educated Manticore has been updated to have new functionalities.
The new version of PowerLess includes .NET binary code seemingly assembled in mixed mode (meaning it contains .NET and C++ code), which improves the tool’s functionality while also making it harder to detect.
While the version of PowerLess used by Phosphorus was able to execute commands and downloads, kill processes and steal browser data, the new version can also show a list of files and processes, steal data from the Telegram desktop app, take screenshots and record sound.
Check Point additionally found two other attacks using files called “iraq-project.rar” and “SignedAgreement.zip” which appear to be related to the “Iraq development resources” ISO file attack. While the three do not have a clear technical overlap, they are all themed around Iraq and were submitted to VirusTotal by the same submitters from Israel. All the attacks also use the same open-source software to load programs.
The two additional files appear to be personal projects by the developer behind the attack and seem to be inspired by the other attack.
Why is this new group called Educated Manticore?
Check Point explained in the new report that in recent years there have been two main clusters of cyber threat activity linked with Iran: one commonly called Nemesis Kitten, TunnelVision or Cobalt Mirage, and the other commonly called APT35, Charming Kitten or Phosphorus. The two clusters make up a sort of spectrum, sharing similar tools but going after different targets in different ways.
As the activity of the clusters has evolved, it has become harder to differentiate between the subgroups, according to the cybersecurity company. In the case of Educated Manticore, Check Point explained that it does not have sufficient knowledge to place the activity around the PowerLess backdoor within either of the two clusters and has therefore decided to track it separately, under a new naming convention it has adopted.
Under the new naming convention, threats will be labeled as mythical creatures, with Iranian-aligned threats designated as “manticores.” Due to the apparent academic nature of the targets of the most recent campaign, the actor behind the new campaign has been designated as Educated Manticore.