Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

Check Point Research (CPR) has identified a sophisticated modular command-and-control (C2) framework named 'Cavern Manticore,' linked to an Iran-nexus threat actor. This group primarily targets Israeli organizations, with a particular focus on government entities and the IT sector. Cavern Manticore exhibits technical similarities to other Iran-linked groups, including MuddyWater and Lyceum, suggesting a connection to Iran's Ministry of Intelligence and Security (MOIS).
The framework is built upon a .NET foundation but distinguishes itself by compiling its various components into different output formats. These include standard .NET Framework, Mixed-Mode C++/CLI, and .NET Native AOT. This deliberate variation in compilation methods serves as an anti-analysis layer, forcing reverse engineers to employ multiple toolsets and complex metadata reconstruction workflows.
CPR observed both 'Cavern agents' and 'Cavern modules' in use, indicating a modular architecture. This design allows for flexibility, separating core communication capabilities from specialized post-exploitation functions. Attackers can tailor deployments to specific victim environments, limiting the information available to defenders and enabling extended access through specialized modules.
Initial access into victim networks was frequently achieved by exploiting legitimate Remote Monitoring and Management (RMM) software already deployed within the targeted organizations. In one observed instance, the attackers leveraged a software update feature within SysAid to deploy malware, though SysAid itself was not compromised, nor was a vulnerability in its software exploited.
The Cavern Agent, compiled as a Mixed-Mode C++/CLI DLL named 'uxtheme.dll,' exports numerous functions that mimic a legitimate Windows theming library. However, only one function, 'EnableThemeDialogTexture,' serves as the operational entry point, while others are inert stubs designed to mislead automated analysis tools.
Post-exploitation modules offer a wide range of capabilities, including file system and database browsing, LDAP querying, network reconnaissance, and tunneling. Specific modules identified include File Manager, SQL Browser, LDAP Module, Network Module, and Tunnel Module, each compiled in formats optimized for their function and evasion.
The framework's anti-analysis measures are robust. Beyond the varied compilation formats, it employs per-module AppDomain isolation as an anti-forensics technique. Many observed samples exhibit very low detection rates on VirusTotal, underscoring the effectiveness of its evasion strategies.
Analysis of the NativeAOT compiled modules, which presented the most significant challenge, required the development of specialized tools. These tools aid in reconstructing .NET type systems and recovering metadata from stripped binaries, enabling deeper investigation into the framework's operations.





