CHECK Point Research (CPR) has identified a new modular command-and-control (C2) framework named "Cavern Manticore," linked to Iranian threat actors targeting Israeli organizations, particularly in government and IT sectors. Key points include:
- The framework exhibits a modular architecture using .NET with anti-analysis techniques, making it challenging to reverse-engineer.
- Initial access is often gained through compromised Remote Monitoring and Management (RMM) software.
- The architecture comprises various components, including agents and modules that carry out post-exploitation actions like reconnaissance, data access, and tunneling.
- Malware detection rates are low on VirusTotal, highlighting its evasion strategies.
- Further analysis reveals sophisticated anti-forensics measures, multiple compilation formats to confuse analysts, and evolving operational techniques aimed at improving stealth and effectiveness.
The report underscores the growing sophistication of cyber threats and the need for enhanced defenses, particularly against supply chain attacks using trusted administrative tools.