Cyber Security

Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations

An Iranian hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS) has been using a previously illegal modular command-and-control (C2) framework called Cavern (aka Cav3rn) to target Israeli organizations.

The operation, which mainly targeted IT providers and the government sectors, resulted from a collection of threats tracked by Check Point Research under the moniker. Cavern Manticorewhich shares some degree of strategic overlap with MuddyWater and Lyceum, the latter of which is being evaluated as a subsidiary of OilRig.

“The framework features a mature and flexible toolset built around a shared .NET foundation, while using multiple integration formats across different components, including the .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT,” the cybersecurity firm said.

“The compilation format itself becomes a layer against analysis that forces reverse engineers into multiple tools and workflows to reconstruct metadata.”

Components of the C2 framework are used as Cavern Agent and Cavern modules, which show a clear division of responsibilities between basic communication skills and specific post-exploication work. This architecture has inherent advantages as it allows operators to plan deployments based on the victim profile, reduce forensic visibility, and ensure continuous access with bespoke modules for recovery, data theft, tunneling, and lateral movement.

The attack chain documented by Check Point Research begins with the SysAid software update feature, which is encouraged by the adversary to launch a DLL sideloading chain that leads to the execution of a trojanized DLL (“uxtheme.dll”) containing the Cavern Agent. The agent, on the other hand, loads a standalone communication DLL module (“n-HTCommp.dll”) to contact the C2 server (“hospitalization[.]com”) and download additional modules for on-the-fly exploits via HTTPS or WebSocket.

Five DLL modules have been found –

  • mhm.dllfor file operations, computation, repetitive file searching, archive management, and bidirectional file transfer
  • db.dllfor SQL database calculations, queries, exports, and manipulations
  • ode.dllto monitor active directory, user/group enumeration, and malicious LDAP attempts
  • n-ten.dllfor network monitoring, port scanning, share enumeration, and malicious SMB attempts
  • n-sws.dllfor SOCKS5 proxy and WebSocket tuning

A defining feature of the framework is its use of three different .NET integration targets that comprise its components: while mhm.dll, db.dll, and ode.dll are pure .NET Framework modules, n-HTCommp.dll, n-ten.dll, and n-sws.dll use Native AOT (Ahead-commiof) The main agent, uxtheme.dll, integrates managed .NET code and native C++ into the implementation one that is tangible.

Embedded within the agent is an integrated module patcher that treats components whose names begin with n- as native DLLs and are loaded via the LoadLibraryA Windows API, while others are interpreted as managed .NET assemblies and loaded in a method known as AppDomain isolation.

“The framework’s adversarial analysis relies on a unique combination of the .NET format (Mixed Mode C++/CLI and Native AOT) that forces reverse engineers into multi-tools and metadata reconstruction workflows, as well as individual AppDomain isolation modules as an anti-forensics approach,” Check Point explains.

The attack orchestrated by Cavern Manticore involved a threat actor moving from a vulnerable IT provider to a second-hop provider before reaching the target organization, demonstrating their ability to leverage trusted relationships in the software supply chain to their advantage.

“This project highlights the importance of working in a trusted relationship with service providers, especially where Remote Monitoring and Management (RMM) solutions are used,” the company noted.

“By abusing these tools, an actor can move between victims and deliver malicious software disguised as legitimate updates. An actor can also be seen using remote browser-based desktop technologies to reach targets of interest and, in some cases, abuse built-in features such as remote printing to extract data when clipboard-based copying or file transfer capabilities are restricted.”

The development took place against the backdrop of ongoing military operations launched by Israel and the US against Iran. In recent months, an Iranian state-sponsored threat actor tracked as MuddyWater has been seen conducting an extensive campaign to gain access to information on over 12,000 exposed Internet applications by exploiting known security flaws in the exposed Internet applications SmarterMail, n8n, N-central, Langflow, and Laravel Livewire.

The list of exploited vulnerabilities is as follows:

The operation is said to range from extensive inspections to targeted attacks for data harvesting and data extraction in the aviation, energy, and government sectors in the Middle East, including aviation, energy, and public companies in Egypt, Israel, and the United Arab Emirates.

“This project leveraged a combination of vulnerability exploits, brute-force Outlook Web Access (OWA) attacks, and newly identified Command-and-control (C2) controllers that support multi-protocol communication,” Oasis Security said. “The work continued beyond investigation and access efforts, resulting in the confirmed release of sensitive data from vulnerable locations.”

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button