Nimbus Manticore, an Iranian-linked APT active since at least 2022, targets aviation and software organizations with phishing lures and updated malware. Its campaigns use job offers and airline-themed lures to deliver trojanized installers or archives hosted on the OnlyOffice platform. Instead of relying on DLL sideloading, the group increasingly uses AppDomain hijacking for payload execution: a trojanized .NET application configuration (.config) file placed in the application's directory causes a malicious DLL to load when the application launches. Infections have delivered new backdoors such as MiniJunk and MiniFast; MiniFast is deployed as a 64-bit Windows PE DLL that impersonates a Chrome browser and is designed for long-term access.
"Nimbus Manticore has adopted new tactics and updated its arsenal in new intrusions targeting aviation and software companies, Check Point reports. Also known as Bohrium, Smoke Sandstorm, TA455, and UNC1549, and active since at least 2022, Nimbus Manticore is believed to be a subgroup of Charming Kitten (APT35) and to have ties with Iran's Islamic Revolutionary Guard Corps (IRGC). Nimbus Manticore was previously seen targeting aerospace, aviation, and defense organizations in the Middle East and Europe with the MiniBike and MiniBus backdoors."
"Amid rising geopolitical tensions in the Middle East, Nimbus Manticore's phishing campaigns started employing AppDomain hijacking for payload execution, instead of DLL sideloading. The technique relies on a trojanized XML .config file placed in the target .NET application's directory to load a malicious DLL at launch time. Nimbus Manticore used a phishing lure resembling previous campaigns, targeting employees at aviation and software companies in Saudi Arabia and Australia to download a compressed ZIP archive from the OnlyOffice platform, leading to infections with a new version of the MiniJunk backdoor."
"In another campaign, the APT used job lures masquerading as a US-based airline, leading to a trojanized Zoom installer. Using AppDomain hijacking, the infection chain led to the deployment of a new backdoor, named MiniFast. Deployed as a 64-bit Windows PE DLL, the backdoor impersonates a Chrome browser and was designed for long-term"
Read at SecurityWeek
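The AppDomain hijacking described above abuses two documented CLR settings that a .NET executable's `<name>.exe.config` may carry under `<runtime>`: `<appDomainManagerAssembly>` and `<appDomainManagerType>`. Legitimate software almost never sets them, so their presence in an application directory is a high-signal indicator. The scanner below is an added example written for this page; it is not code from Check Point, SecurityWeek or the reported campaigns. The two embedded config documents, the directory names and the `PlaceholderManager` assembly name are constructed for the demo.

```python
"""Scan .NET application directories for .exe.config files that redirect the
AppDomainManager, and report whether the referenced DLL sits beside the exe."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Elements under <runtime> that make the CLR load a caller-chosen assembly at startup.
SUSPICIOUS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed sample: an ordinary config with no AppDomainManager override.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
</configuration>"""

# Constructed sample: the shape a hijacked config takes (assembly name is a placeholder).
HIJACK_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="PlaceholderManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="PlaceholderManager.Manager"/>
  </runtime>
</configuration>"""


@dataclass
class Finding:
    path: str                     # the .exe.config that carries the override
    assembly: Optional[str]       # value of <appDomainManagerAssembly>
    manager_type: Optional[str]   # value of <appDomainManagerType>
    dll_present: bool             # referenced DLL exists next to the config


def parse_appdomain_override(config_xml: str) -> Optional[dict]:
    """Return {element: value} for any AppDomainManager override in a .config
    document, or None when <runtime> does not set one (or the XML is malformed)."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None  # unparsable config: surface separately in real triage
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for name in SUSPICIOUS:
        elem = runtime.find(name)
        if elem is not None:
            found[name] = elem.get("value", "")
    return found or None


def assembly_dll_name(assembly_value: str) -> str:
    """'Name, Version=..., Culture=...' -> 'Name.dll' (CLR probes the app dir for it)."""
    return assembly_value.split(",")[0].strip() + ".dll"


def scan_directory(root_dir: str) -> List[Finding]:
    """Walk root_dir, inspect every *.exe.config and collect overrides found."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                override = parse_appdomain_override(fh.read())
            if override is None:
                continue
            asm = override.get("appDomainManagerAssembly")
            present = bool(asm) and os.path.exists(os.path.join(dirpath, assembly_dll_name(asm)))
            findings.append(Finding(path, asm, override.get("appDomainManagerType"), present))
    return findings


def demo_scan() -> List[Finding]:
    """Build a throwaway tree with the two constructed configs and scan it."""
    base = tempfile.mkdtemp(prefix="appdomain-scan-")
    clean, hijacked = os.path.join(base, "CleanApp"), os.path.join(base, "HijackedApp")
    os.makedirs(clean)
    os.makedirs(hijacked)
    with open(os.path.join(clean, "CleanApp.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_CONFIG)
    with open(os.path.join(hijacked, "Victim.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(HIJACK_CONFIG)
    # Empty placeholder standing in for the dropped DLL (not a PE file).
    open(os.path.join(hijacked, "PlaceholderManager.dll"), "wb").close()
    try:
        return scan_directory(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.path}: assembly={f.assembly!r} type={f.manager_type!r} dll_present={f.dll_present}")
```

Point `scan_directory` at user-writable locations where .NET applications live (per-user install folders, download directories) rather than only Program Files; the technique needs write access to the application directory, so that is where dropped configs appear. Treat a hit where `dll_present` is true as the stronger signal, and pair the file scan with process telemetry showing the host executable loading an unsigned DLL from its own directory at startup.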