As reported by The Hacker News, an Iranian hacking group, linked to the country's Ministry of Intelligence and Security, has been observed deploying a novel modular command-and-control (C2) framework named Cavern against Israeli organizations. This framework, also known as Cav3rn, has been used in attacks primarily targeting IT providers and government sectors.The threat cluster, dubbed Cavern Manticore by Check Point Research, exhibits tactical similarities with known groups like MuddyWater and Lyceum. The Cavern framework is built on a .NET foundation and utilizes multiple compilation formats, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native AOT, serving as an anti-analysis layer. The framework consists of a Cavern Agent and various Cavern modules, allowing for tailored deployments for reconnaissance, data theft, tunneling, and lateral movement. The attack chain often begins by exploiting SysAid's software update feature to execute a trojanized DLL containing the Cavern Agent. This agent then contacts a C2 server to download additional post-exploitation modules. These modules include capabilities for file operations, database manipulation, Active Directory reconnaissance, network scanning, and tunneling.The attackers have been observed moving from an initial IT provider to a second-hop provider, leveraging trusted relationships within the software supply chain. They also appear to use browser-based remote desktop technologies and features like remote printing for data exfiltration.Source: The Hacker News
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




