🇱🇧

Hezb

APT Group Information theft and espionage 3 zero-day CVEs ETDA ✓

Also Known As 1 names

Mimo

Target Countries 4

Countries highlighted in red

United Kingdom Israel Islamic Republic of Iran United States

Sectors Targeted

Internet Publishing and Broadcasting and Web Search Portals 51913 Investigation, Guard, and Armored Car Services 56161 Civic and Social Organizations 8134 National Security and International Affairs 9281 Oil and Gas Extraction 211 Computer Systems Design Services 541512 Grantmaking and Giving Services 8132 National Security and International Affairs 928110 Utilities 22

Details

Origin 🇱🇧 LB

Last Updated 17 Sep 2022

MITRE ATT&CK 39

T1027 - Obfuscated Files or Information T1027.002 - Software Packing T1055 T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.004 - Unix Shell T1068 - Exploitation for Privilege Escalation T1070.004 - File Deletion T1078.001 T1082 - System Information Discovery T1083 - File and Directory Discovery T1090 T1105 - Ingress Tool Transfer T1133 T1140 T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application T1203 T1210 T1222 - File and Directory Permissions Modification T1486 - Data Encrypted for Impact T1490 - Inhibit System Recovery T1496 - Resource Hijacking T1497 - Virtualization/Sandbox Evasion T1505 - Server Software Component T1505.003 - Web Shell T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1562 T1566 T1566.001 - Spearphishing Attachment T1574 - Hijack Execution Flow T1574.006 - Dynamic Linker Hijacking T1588.005 - Exploits T1588.006 - Vulnerabilities T1595 T1595.002 T1595.003

Related Zero-Days 3

CVE-2021-44228 CVE-2022-26134 CVE-2023-46604

Known Names 6 entries

Volatile Cedar Check Point

Dancing Salome Kaspersky

DeftTorero Kaspersky

VolcanicTimber ?

Amethyst Rain Microsoft

G0123 MITRE

Observed Target Countries 11

Based on ETDA data — countries highlighted in red

Canada Egypt Israel Jordan Lebanon Russia Saudi Arabia UAE UK USA Palestinian Authority

Description

(Check Point) Beginning in late 2012, the carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. This report provides an extended technical analysis of Volatile Cedar and the Explosive malware. We have seen clear evidence that Volatile Cedar has been active for almost 3 years. While many of the technical aspects of the threat are not considered “cutting edge”, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.

Tools Used 9

Adminer ASPXSpy Caterpillar DirBuster Explosive GoBuster JuicyPotato RottenPotato SharPyShell

Operations 2

2015-06 After going public with our findings, we were provided with a new configuration belonging to a newly discovered sample we have never seen before. https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/

2020 Early In early 2020, suspicious network activities and hacking tools were found in a range of companies. https://www.clearskysec.com/cedar/

Reports & References 3

https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/ https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/

ETDA Profile

Volatile Cedar

Origin

Lebanon

First Seen 2012

Sponsor State-sponsored, Hezbollah

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0123/

View on ETDA APT Groups ↗