Enhanced Explosive RAT and Caterpillar tools are at the forefront of a global espionage campaign.

Advanced persistent threat (APT) group Lebanese Cedar has compromised at least 250 public-facing servers since early 2020, researchers said, with its latest malware.

The group has added new features to its custom “Caterpillar” web shell and the “Explosive RAT” remote access trojan (RAT), both of which researchers at ClearSky Security linked, in a report (PDF), to the compromise of the public servers that enabled widespread espionage.

“The target companies are from many countries including: The United States, the United Kingdom, Egypt, Jordan, Lebanon, Israel and the Palestinian Authority,” according to researchers. “We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years.”

An Upgrade for Explosive RAT

Lebanese Cedar’s hallmark is trolling for vulnerable systems. The latest, fourth version of Explosive RAT has been used against unpatched Oracle (CVE-2012-3152) and Atlassian (CVE-2019-3396 and CVE-2019-11581) web servers, ClearSky said. The group is also the only APT group known to use the Explosive RAT code, ClearSky added.

ClearSky said it identified specific upgrades made to the new Explosive RAT versus the previous version, which was first used back in 2015 — namely anti-debugging and encrypted communications between the compromised machine and the command-and-control (C2) server.

“Explosive utilizes multiple evasion techniques to avoid detection and maintain persistence, such as obfuscation, communication encryption and using a separate DLL for API activity,” ClearSky’s report said. “Since 2015, the tool had been minorly changed in obfuscation and communication encryption. The RAT’s control network is well thought out. It consists of default hard-coded C2 servers, static update servers and DGA-based dynamic update servers.”
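The control network ClearSky describes, with hard-coded C2 servers backed by DGA-generated update servers, is something a defender can hunt for in DNS telemetry even without the malware's actual domains. The following Python script is an added example, not code from the ClearSky report or from Threatpost: it runs a simple lexical DGA heuristic (character entropy, digit mixing, vowel scarcity) over a constructed DNS query log and ranks internal hosts by how many generated-looking names they resolved. The log format, the thresholds and every domain name and IP address in it are assumptions; none of them are Explosive RAT indicators.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not taken from the ClearSky report).
# Assumed line format: "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2020-06-01T10:00:01Z 10.0.0.12 www.example.com
2020-06-01T10:00:02Z 10.0.0.12 updates.example-vendor.net
2020-06-01T10:00:05Z 10.0.0.37 xk3q9vz7p2lm.info
2020-06-01T10:00:06Z 10.0.0.37 q8wz2rt5mnb4c.biz
2020-06-01T10:00:09Z 10.0.0.37 z9p4kx7q2r.org
2020-06-01T10:00:11Z 10.0.0.12 mail.example.com
"""

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Return the label left of the suffix. Simplification: assumes a one-label TLD
    (example.com -> example); a real deployment would consult the public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_flags(label: str) -> dict:
    """Three cheap lexical signals that algorithmically generated labels tend to trip."""
    letters = [ch for ch in label if ch.isalpha()]
    digits = sum(ch.isdigit() for ch in label)
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    return {
        "high_entropy": shannon_entropy(label) >= 3.2,   # threshold is an assumption
        "mixed_digits": digits >= 2,
        "few_vowels": vowel_ratio < 0.3,
    }


def is_dga_like(qname: str, min_flags: int = 2) -> bool:
    """Flag a name when at least `min_flags` of the three signals fire. Requiring two
    keeps long but pronounceable names such as 'example-vendor' off the list."""
    return sum(dga_flags(registrable_label(qname)).values()) >= min_flags


def suspicious_queries(log_text: str) -> list:
    """Parse the log and return (client_ip, qname) pairs whose name looks generated."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname = parts
        if is_dga_like(qname):
            hits.append((client, qname))
    return hits


def clients_by_hit_count(hits) -> Counter:
    """Rank hosts by how many generated-looking names they resolved; one host resolving
    several in a short window is a stronger lead than a single stray lookup."""
    return Counter(client for client, _ in hits)


if __name__ == "__main__":
    found = suspicious_queries(SAMPLE_DNS_LOG)
    for client, qname in found:
        print(f"{client} -> {qname}  {dga_flags(registrable_label(qname))}")
    print(clients_by_hit_count(found).most_common())
```

The heuristic is deliberately crude: it is a triage filter for picking hosts worth a closer look, and the per-client ranking matters more than any single flagged name, since a legitimate CDN or tracking domain can trip one signal on its own.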

The new Explosive RAT also brings additional spying capabilities to bear against systems, such as keylogging, screenshot capture and command execution, according to ClearSky, making the threat both persistent and intrusive.

“The malware’s data-collection capabilities are both passive and active – it harvests data found on the compromised machine and features the ability to search for data on-demand,” according to ClearSky. “Explosive also features functionalities such as machine fingerprinting, memory-usage monitoring to assure stealth, remote shell and arbitrary code-execution.”

Web Shell Updates

Lebanese Cedar’s most recent malware toolkit also uses a second version of the Caterpillar web shell, for the widespread collection of network data and the installation of files on targeted systems.

“Acting as a focal point, the group usually attacks web servers via a custom web shell, namely Caterpillar – a variant of the open-source web shell ‘ASPXspy,’” ClearSky’s report said. “By using web shell, the attackers leave their fingerprint on the web server and the internal network, move laterally and deploy additional tools.”

Caterpillar is used to scout for potentially valuable data, install server configuration files and even access usernames and passwords, the report added.

The group uses the web shell to exfiltrate data to the C2 server through VPN services NordVPN or ExpressVPN, the report explained, then installs the file browser.

Lebanese Cedar’s use of its signature Explosive RAT is being overtaken by the use of web shells, ClearSky observed.

“The TTP [tactic, technique and procedure] itself was changed,” ClearSky explains. “In 2015, Lebanese Cedar relied mostly on Explosive RAT as their main tool. In the recent campaign, we identified multiple Caterpillar web shells and less utilization of Explosive RAT (based on our scans). Accordingly, we propose that the main vector of Lebanese Cedar in 2020 is utilization of web shell.”
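Because a web shell leaves its traces in the web server's own access logs, the shift toward Caterpillar that ClearSky describes is one a defender can look for there. The following Python script is an added example, not from the ClearSky report or from Threatpost: it parses a constructed IIS-style (W3C) access log and profiles each script URL by distinct client count, POST share and missing referers, since a shell is typically hit by one or two addresses, mostly via POST, and never arrives from a link on the site. The log content, field list, paths, IP addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Server-side script extensions worth profiling; an ASPX-based shell like Caterpillar
# would fall under the first entry. The list is an assumption, extend it per platform.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Constructed IIS-style W3C access log trimmed to a few fields; not a real capture.
SAMPLE_ACCESS_LOG = """\
#Software: constructed sample
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2020-06-02 08:00:01 GET /default.aspx 203.0.113.5 Mozilla/5.0 - 200
2020-06-02 08:00:07 GET /default.aspx 198.51.100.9 Mozilla/5.0 - 200
2020-06-02 08:01:12 GET /login.aspx 203.0.113.5 Mozilla/5.0 http://www.example.com/default.aspx 200
2020-06-02 08:01:15 POST /login.aspx 203.0.113.5 Mozilla/5.0 http://www.example.com/login.aspx 302
2020-06-02 08:02:30 GET /images/logo.png 198.51.100.9 Mozilla/5.0 http://www.example.com/default.aspx 200
2020-06-02 23:14:02 GET /aspnet_client/sys.aspx 192.0.2.77 python-requests/2.23 - 200
2020-06-02 23:14:05 POST /aspnet_client/sys.aspx 192.0.2.77 python-requests/2.23 - 200
2020-06-02 23:15:41 POST /aspnet_client/sys.aspx 192.0.2.77 python-requests/2.23 - 200
2020-06-02 23:16:09 POST /aspnet_client/sys.aspx 192.0.2.77 python-requests/2.23 - 200
"""


def parse_w3c(log_text: str) -> list:
    """Turn a W3C extended log into a list of dicts keyed by the names in '#Fields:'."""
    fields = None
    rows = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines carry no requests
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared field list
        rows.append(dict(zip(fields, parts)))
    return rows


def profile_by_stem(rows: list) -> dict:
    """Aggregate per-URL request counts, POSTs, missing referers, clients and user agents."""
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "no_referer": 0,
                                 "clients": set(), "agents": set()})
    for r in rows:
        s = stats[r["cs-uri-stem"].lower()]
        s["requests"] += 1
        s["posts"] += int(r["cs-method"].upper() == "POST")
        s["no_referer"] += int(r["cs(Referer)"] == "-")
        s["clients"].add(r["c-ip"])
        s["agents"].add(r["cs(User-Agent)"])
    return stats


def web_shell_candidates(rows: list, max_clients: int = 2, min_post_ratio: float = 0.5) -> list:
    """Return script URLs used by few clients, mostly via POST, and never via an on-site link.
    Thresholds are assumptions; tune them against a known-good baseline of the site."""
    found = []
    for stem, s in profile_by_stem(rows).items():
        if not stem.endswith(SCRIPT_EXTENSIONS):
            continue
        post_ratio = s["posts"] / s["requests"]
        no_referer_ratio = s["no_referer"] / s["requests"]
        if (len(s["clients"]) <= max_clients
                and post_ratio >= min_post_ratio
                and no_referer_ratio == 1.0):
            found.append({"stem": stem, "requests": s["requests"], "posts": s["posts"],
                          "clients": sorted(s["clients"]), "agents": sorted(s["agents"])})
    return sorted(found, key=lambda c: c["stem"])


if __name__ == "__main__":
    for candidate in web_shell_candidates(parse_w3c(SAMPLE_ACCESS_LOG)):
        print(candidate)
```

A hit from this script is a lead, not a verdict: confirm it by checking the file's creation time and owner in the web root against the deployment history, and by reviewing what the same client addresses did elsewhere in the log before and after the flagged requests.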

Nation-State Actor, Lebanese Cedar

Lebanese Cedar, also known as “Volatile Cedar,” dates back to 2012 and has links to Hezbollah’s cyber-unit, according to Check Point, which added that the group chooses targets based on politics and ideology. Hezbollah is both a political party and a militant group based in Lebanon.

In 2015, Check Point researchers also tied the APT group to the Lebanese government.

“Known for its highly evasive, selectively targeted and carefully managed operations, Lebanese Cedar follows courses of action associated with APTs funded by nation-states or political groups,” the report added.

A timeline of Lebanese Cedar activity. Source: ClearSky.

Victims have in the past primarily been in the telecom and IT sectors across the globe, including Egypt, Israel, Jordan, the Palestinian Authority, the U.K. and the U.S.

“Lebanese Cedar APT’s arsenal consists of a fully fledged web shell, a custom-developed RAT and a set of carefully selected complementary tools, including URI brute-force tools,” Check Point reported. “The group uses open-source tools alongside their own custom tools, including custom web shell, most likely created by Iranian hacktivist groups such as ‘ITSecTeam’ and ‘Persian Hacker.’”

Ivan Righi, threat intelligence analyst with Digital Shadows, told Threatpost that he thinks the APT “likely conducted this campaign to support Hezbollah’s motives to obtain sensitive information.”

Patching, People!

Since the group uses exploits for known vulnerabilities to gain initial access to targets, patching is the best first defense against these kinds of attacks.

“That 250 systems have been compromised already documents the importance of patching these solutions, especially when used in the context of cooperation between parties, businesses and government agencies,” Dirk Schrader, global vice president at New Net Technologies, explained to Threatpost. “As always, the best protection is to establish a good cyber-hygiene, scan for vulnerabilities, patch where possible, and control any changes happening to the infrastructure in between scans.”

Tal Morgenstern from Vulcan Cyber agreed basic security hygiene is still the best line of defense for organizations. Attackers are out on the prowl for the holes they know already exist, he explained.

“Threat actors continue to utilize known vulnerabilities for their gain. In this case, vulnerable public websites are used to distribute malware, making unsuspecting visitors victims using something that could be fixed with a patch or configuration change.”

A Plea for InfoSec Collaboration

More generally, the best bet against Lebanese Cedar and other similar threat actors is a tighter collaboration between vendors, researchers, industry groups and law enforcement, Derek Manky with Fortinet’s FortiGuard Labs told Threatpost.

“For example, many security organizations provide adversarial threat playbooks that can provide up-to-date analysis and insight on the latest APT groups and malware campaigns to date, with the goal of providing first responders, network defenders and anyone interested with actionable information,” Manky said by email. “Also, organizations will need to know who to inform in the case of an attack so that the ‘fingerprints’ can be properly shared and law enforcement can do its work.”

Beyond basic inter-disciplinary cooperation, Manky said it’s going to be increasingly important for the security community to start working together as a unified global front.

“Cybercriminals face no borders online, so the fight against cybercrime needs to go beyond borders as well,” Manky added. “Only by working together will we turn the tide against cybercriminals.”
