Threat Report

2023-04-13

Methodical and Persistent Techniques from the 'Mantis' Threat Group

Level: 
Tactical
  |  Source: 
Symantec
Education
Engineering
Financial
Government
Media
Military
Think Tanks
Share:

Methodical and Persistent Techniques from the 'Mantis' Threat Group

Category: Threat Actor Activity | Industries: Education, Energy, Financial Services, Government, Media, Military, Think Tanks | Level: Tactical | Source: Symantec

A Palestinian-based cyberespionage group tracked as “Mantis” (aka Arid Viper, Desert Falcon, APT-C-23) was observed to be targeting local individuals and organizations with new tools and persistence techniques. Mantis's campaigns, while unusual in targeting local entities, are not unprecedented. The latest campaign conducted by Mantis is reported by Symantec researchers having traced the campaign to have been active from early September 2022, to February 2023. Symantec's intelligence analyst Brigid O Gorman described the campaign as having “all the hallmarks of cyber-espionage activity. Mantis is known to have launched cyber-espionage campaigns in the past, and in this campaign we see them deploying a custom data exfiltration tool to exfiltrate data from victim networks, alongside the updated versions of their custom Arid Gopher and Micropsia backdoors, so all signs point towards this being espionage activity.”

Gorman goes on to explain the level of dedication the threat group went to for persistence, going as far to deploy "three distinct versions of the same toolset." Which essentially equates to "mounting three separate attacks against one organization." Symantec's report for Mantis did not identify the initial infection vector with the first sign of malicious activity found on December 18th, 2022, with encoded PowerShell commands containing shellcode. Over the next few weeks until January 12th, 2023, the attackers collected, zipped, and exfiltrated credentials and data from the compromised environment. Following January 12th, the attackers scheduled the execution of their 'Arid Gopher' to run every ten hours. The attackers seem to be updating and rewriting Arid Gopher regularly, presumably to avoid detection. One particular variant of the malware was significantly distinct from previous versions, with updates made to the extent that not a single function "contained identical distinctive code when compared with the previous version."

Anvilogic Use Cases:

  • Encoded Powershell Command
  • Certutil File Download
  • WinRM Tools

Get trending threats published weekly by the Anvilogic team.

Sign Up Now