AI Security AI安全 4d ago Updated 3d ago 更新于 3天前 46

Iran-Linked Hackers Use New Cavern C2 Framework to Target Israeli Organizations 伊朗关联黑客使用新型Cavern C2框架针对以色列组织

Iranian-linked threat cluster "Cavern Manticore" utilizes a novel, modular C2 framework called Cavern to target Israeli IT providers and government sectors. The framework employs a sophisticated anti-analysis strategy by mixing .NET Framework, Mixed-Mode C++/CLI, and Native AOT compilation formats across its components. Attack vectors include DLL side-loading via SysAid updates and leveraging trusted RMM relationships for lateral movement between service providers. Specific modules handle distin 伊朗关联黑客组织“Cavern Manticore”利用新型模块化C2框架“Cavern”针对以色列IT服务商和政府机构发起攻击。 该框架基于.NET构建,混合使用.NET Framework、Mixed-Mode C++/CLI及Native AOT编译格式,以此作为反分析和反取证手段。 攻击者通过SysAid软件更新功能进行DLL侧加载植入Cavern Agent,并利用供应链中的信任关系横向移动至最终目标。 框架包含五个专用DLL模块,分别负责文件操作、SQL数据库处理、AD侦察、网络扫描及SOCKS5代理隧道功能。 同期伊朗国家支持的黑客组织MuddyWater也在大规模利用多个已知漏

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Iranian-linked threat cluster "Cavern Manticore" utilizes a novel, modular C2 framework called Cavern to target Israeli IT providers and government sectors.
  • The framework employs a sophisticated anti-analysis strategy by mixing .NET Framework, Mixed-Mode C++/CLI, and Native AOT compilation formats across its components.
  • Attack vectors include DLL side-loading via SysAid updates and leveraging trusted RMM relationships for lateral movement between service providers.
  • Specific modules handle distinct post-exploitation tasks such as SQL database extraction, Active Directory reconnaissance, and SOCKS5 proxying.
  • This activity coincides with broader Iranian cyber campaigns exploiting vulnerabilities in systems like SmarterMail and n8n for reconnaissance and data exfiltration.

Why It Matters

This case highlights the increasing sophistication of state-sponsored actors in utilizing mixed-language .NET architectures to evade detection and complicate reverse engineering efforts. For security practitioners, it underscores the critical risk posed by third-party software supply chains and Remote Monitoring and Management (RMM) tools, which can be weaponized to bypass perimeter defenses. Understanding these advanced evasion techniques is essential for improving endpoint detection and response (EDR) capabilities against modern APT groups.

Technical Details

  • Framework Architecture: The Cavern C2 framework is divided into a core agent and modular plugins, allowing for tailored deployments. It uses a unified module dispatcher that distinguishes between native DLLs (prefixed with 'n-') loaded via LoadLibraryA and managed .NET assemblies loaded via AppDomain isolation.
  • Compilation Diversity: To hinder analysis, the framework mixes three compilation targets: pure .NET Framework (e.g., mhm.dll, db.dll, ode.dll), Native AOT (e.g., n-HTCommp.dll, n-ten.dll, n-sws.dll), and Mixed-Mode C++/CLI for the main agent (uxtheme.dll).
  • Module Functionality: Five specific DLL modules were identified: mhm.dll for file operations and transfers, db.dll for SQL database manipulation, ode.dll for AD reconnaissance and LDAP brute-forcing, n-ten.dll for network scanning and SMB brute-forcing, and n-sws.dll for SOCKS5 proxying and WebSocket tunneling.
  • Initial Access Chain: The attack begins with abusing SysAid’s update feature to load a trojanized uxtheme.dll. This agent then loads n-HTCommp.dll to communicate with the C2 server (hospitalinstallation[.]com) over HTTPS or WebSocket to fetch additional modules.
  • Supply Chain Exploitation: Actors exploit trusted relationships between IT providers, moving from an initial compromised provider to a second-hop provider before reaching the final target, often disguising malware as legitimate software updates.

Industry Insight

  • Enhance RMM Security: Organizations must implement strict integrity checks and monitoring for Remote Monitoring and Management (RMM) tools, as these trusted channels are increasingly targeted for lateral movement.
  • Adopt Multi-Layered EDR: Given the use of mixed compilation formats and AppDomain isolation to evade static analysis, traditional signature-based detection is insufficient. Deploy EDR solutions capable of behavioral monitoring and dynamic analysis to detect anomalous process creation and memory injection.
  • Monitor Supply Chain Updates: Verify the authenticity of software updates from vendors like SysAid, and restrict automatic update permissions where possible to prevent unauthorized DLL side-loading.

TL;DR

  • 伊朗关联黑客组织“Cavern Manticore”利用新型模块化C2框架“Cavern”针对以色列IT服务商和政府机构发起攻击。
  • 该框架基于.NET构建,混合使用.NET Framework、Mixed-Mode C++/CLI及Native AOT编译格式,以此作为反分析和反取证手段。
  • 攻击者通过SysAid软件更新功能进行DLL侧加载植入Cavern Agent,并利用供应链中的信任关系横向移动至最终目标。
  • 框架包含五个专用DLL模块,分别负责文件操作、SQL数据库处理、AD侦察、网络扫描及SOCKS5代理隧道功能。
  • 同期伊朗国家支持的黑客组织MuddyWater也在大规模利用多个已知漏洞(如SmarterMail、n8n等)进行侦察和数据窃取。

为什么值得看

本文揭示了高级持续性威胁(APT)组织如何通过混合编译技术和模块化架构来规避传统安全检测,为防御复杂网络攻击提供了新的技术视角。同时,它强调了供应链信任和远程管理工具(RMM)在攻击链中的关键作用,提醒企业和安全从业者需重新评估第三方软件更新机制和内部横向移动策略。

技术解析

  • 混合编译与反分析架构:Cavern框架的核心优势在于其使用了三种不同的.NET编译目标。部分模块(如mhm.dll, db.dll, ode.dll)为纯.NET Framework,而通信和侦察模块(n-HTCommp.dll, n-ten.dll, n-sws.dll)采用Native AOT编译。主代理uxtheme.dll则结合托管代码和本地C++。这种混合模式迫使逆向工程师必须切换多种工具和元数据重建工作流,显著增加了分析难度。
  • 模块化组件功能细分:框架由Cavern Agent和多个独立DLL模块组成,实现了核心通信与任务功能的解耦。具体模块包括:mhm.dll(文件操作与双向传输)、db.dll(SQL数据库枚举与导出)、ode.dll(AD侦察与LDAP暴力破解)、n-ten.dll(网络侦察与SMB暴力破解)以及n-sws.dll(SOCKS5代理与WebSocket隧道)。
  • 动态加载与隔离机制:Agent内置统一模块调度器,根据文件名前缀区分加载方式。以“n-”开头的原生DLL通过Windows API LoadLibraryA加载,其余托管程序集则通过AppDomain隔离机制加载。这种每模块的AppDomain隔离不仅增强了灵活性,也作为一种反取证措施,限制了内存转储时的可见性。
  • 攻击链与供应链滥用:攻击始于利用SysAid的软件更新功能,通过DLL侧加载执行特洛伊木马化的uxtheme.dll。随后,Agent加载通信模块连接C2服务器(如hospitalinstallation[.]com),并通过HTTPS或WebSocket动态获取后续模块。攻击者利用IT服务商之间的信任关系,从初始被入侵的提供商横向移动至二级提供商,最终抵达目标组织。
  • 并行威胁活动背景:在同一时期,伊朗关联组织MuddyWater正在利用SmarterMail (CVE-2025-52691)、n8n (CVE-2025-68613)、N-Central (CVE-2025-9316)、Langflow (CVE-2025-34291)和Laravel Livewire (CVE-2025-54068)等系统的漏洞进行大规模侦察,并逐步转向针对中东地区航空、能源和政府部门的凭证窃取和数据外泄。

行业启示

  • 强化供应链与第三方软件更新监控:鉴于攻击者利用SysAid等可信软件更新机制进行DLL侧加载,企业应严格审查所有第三方软件的更新来源和完整性,实施白名单机制,并对异常的二进制行为(如非预期DLL加载)进行实时监控。
  • 重视横向移动与内部信任边界:攻击者利用RMM工具和供应商间的信任关系进行横向移动,表明传统的 perimeter defense 已不足够。组织需实施严格的零信任架构,限制远程管理工具的权限,并对内部网络段之间的访问进行细粒度控制和审计。
  • 提升针对混合编译恶意软件的分析能力:随着Native AOT和Mixed-Mode C++/CLI在恶意软件中的普及,传统基于纯.NET反射的分析工具可能失效。安全团队需要升级逆向工程工具链,支持多格式二进制分析,并关注内存中的动态加载行为以检测此类高级威胁。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全