Iran-linked hackers use new modular Cavern framework against Israeli orgs

 

Iran-linked hackers use new modular Cavern framework against Israeli orgs

An Iranian hacking group linked to Iran's Ministry of Intelligence and Security (MOIS) has been observed using a previously undocumented modular command-and-control (C&C) framework called Cavern (also known as Cav3rn) in attacks targeting Israeli organizations.

According to Check Point Research, the campaign has mainly focused on government agencies and IT service providers and is attributed to a threat cluster the company tracks as Cavern Manticore.

“In multiple observed intrusions, the initial foothold was achieved through abuse of existing Remote Monitoring and Management (RMM) software deployed in the targeted organization,” the researchers said.

Researchers said the framework shares similarities with the Iran-aligned groups, tracked as MuddyWater and Lyceum, but introduces a more flexible malware architecture. Cavern is built on a shared .NET codebase and combines multiple compilation formats, including .NET Framework, .NET Mixed-Mode C++/CLI, and .NET Native Ahead-of-Time (AOT).

The attack abuses SysAid's software update feature to trigger a DLL side-loading chain. This loads a trojanized uxtheme.dll, which serves as the main Cavern Agent. The agent then loads a communication module called n-HTCommp.dll, which connects to the attackers' C&C server over HTTPS or WebSocket to download additional malware modules as needed.

Check Point found five modules used for post-compromise activities, including file management, SQL database enumeration, Active Directory reconnaissance, LDAP brute-force attempts, and other tasks.

The framework also uses different .NET compilation targets across its components. Modules such as mhm.dll, db.dll, and ode.dll are compiled as standard .NET Framework assemblies, while n-HTCommp.dll, n-ten.dll, and n-sws.dll use Native AOT compilation. The uxtheme.dll agent combines managed .NET code with native C++ in a single executable.

A built-in module dispatcher determines how each component is loaded. DLLs with names beginning with "n-" are treated as native libraries and loaded through the Windows LoadLibraryA API, while other modules are loaded as managed .NET assemblies using AppDomain isolation.

Researchers also observed the threat actor using compromised IT providers as footholds, moving through a second provider before reaching the final target organization.

“In several cases, a compromised IT supplier was not the final objective, but rather the first hop toward a higher-value target. By abusing trusted access relationships, the operators were able to move across organizational boundaries while blending into legitimate administrative workflows,” the report noted.


Back to the list