Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations
Iranian-linked threat cluster "Cavern Manticore" utilizes a novel, modular C2 framework called Cavern to target Israeli IT providers and government sectors. The framework employs a sophisticated anti-analysis strategy by mixing .NET Framework, Mixed-Mode C++/CLI, and Native AOT compilation formats across its components. Attack vectors include DLL side-loading via SysAid updates and leveraging trusted RMM relationships for lateral movement between service providers. Specific modules handle distin
Analysis
TL;DR
- Iranian-linked threat cluster "Cavern Manticore" utilizes a novel, modular C2 framework called Cavern to target Israeli IT providers and government sectors.
- The framework employs a sophisticated anti-analysis strategy by mixing .NET Framework, Mixed-Mode C++/CLI, and Native AOT compilation formats across its components.
- Attack vectors include DLL side-loading via SysAid updates and leveraging trusted RMM relationships for lateral movement between service providers.
- Specific modules handle distinct post-exploitation tasks such as SQL database extraction, Active Directory reconnaissance, and SOCKS5 proxying.
- This activity coincides with broader Iranian cyber campaigns exploiting vulnerabilities in systems like SmarterMail and n8n for reconnaissance and data exfiltration.
Why It Matters
This case highlights the increasing sophistication of state-sponsored actors in utilizing mixed-language .NET architectures to evade detection and complicate reverse engineering efforts. For security practitioners, it underscores the critical risk posed by third-party software supply chains and Remote Monitoring and Management (RMM) tools, which can be weaponized to bypass perimeter defenses. Understanding these advanced evasion techniques is essential for improving endpoint detection and response (EDR) capabilities against modern APT groups.
Technical Details
- Framework Architecture: The Cavern C2 framework is divided into a core agent and modular plugins, allowing for tailored deployments. It uses a unified module dispatcher that distinguishes between native DLLs (prefixed with 'n-') loaded via
LoadLibraryAand managed .NET assemblies loaded viaAppDomainisolation. - Compilation Diversity: To hinder analysis, the framework mixes three compilation targets: pure .NET Framework (e.g.,
mhm.dll,db.dll,ode.dll), Native AOT (e.g.,n-HTCommp.dll,n-ten.dll,n-sws.dll), and Mixed-Mode C++/CLI for the main agent (uxtheme.dll). - Module Functionality: Five specific DLL modules were identified:
mhm.dllfor file operations and transfers,db.dllfor SQL database manipulation,ode.dllfor AD reconnaissance and LDAP brute-forcing,n-ten.dllfor network scanning and SMB brute-forcing, andn-sws.dllfor SOCKS5 proxying and WebSocket tunneling. - Initial Access Chain: The attack begins with abusing SysAid’s update feature to load a trojanized
uxtheme.dll. This agent then loadsn-HTCommp.dllto communicate with the C2 server (hospitalinstallation[.]com) over HTTPS or WebSocket to fetch additional modules. - Supply Chain Exploitation: Actors exploit trusted relationships between IT providers, moving from an initial compromised provider to a second-hop provider before reaching the final target, often disguising malware as legitimate software updates.
Industry Insight
- Enhance RMM Security: Organizations must implement strict integrity checks and monitoring for Remote Monitoring and Management (RMM) tools, as these trusted channels are increasingly targeted for lateral movement.
- Adopt Multi-Layered EDR: Given the use of mixed compilation formats and AppDomain isolation to evade static analysis, traditional signature-based detection is insufficient. Deploy EDR solutions capable of behavioral monitoring and dynamic analysis to detect anomalous process creation and memory injection.
- Monitor Supply Chain Updates: Verify the authenticity of software updates from vendors like SysAid, and restrict automatic update permissions where possible to prevent unauthorized DLL side-loading.
Disclaimer: The above content is generated by AI and is for reference only.