
Threat Actor Profile – The Mantis Group
This is a republication of a post I originally wrote on June 8, 2023 over on my dedicated blog site that I am rolling into wonksecurity.com.
About a year ago, I did a deep-dive into the Symantec Threat Hunter Team’s research on a piece of malware called Daxin, which was used by a Chinese cyber-espionage group, to inform a tabletop exercise I was designing, so for this first cybersecurity post in quite some time, it seems fitting to return to where I got my first real experience in the world of cybersecurity by looking at another cyber-espionage group covered by the Symantec team.
Opening up shop in 2014 (though some reports suggest activity as early as 2011), the Mantis group targets organizations in Israel and neighboring countries in the Middle East. Also referred to as APT-C-23, the group has recently conducted attacks against individuals in the Palestinian territories, where it is believed to be based.
Mantis employs spear-phishing and fake social media accounts to infect victims with custom versions of the Micropsia and Arid Gopher backdoors. While the initial infection vector in this case is not known, a December 2022 attack revealed details about the group’s TTPs. Of particular note, the group deployed three different versions of its toolset across the compromised systems in the target’s network. Symantec’s analysts believe this redundancy was a precaution: if one toolset were discovered on a single system, the group’s other footholds, running different toolsets, would not be exposed along with it.
Once the attackers had access to the target systems, the Micropsia backdoor was used to establish persistent access and a connection to the command-and-control infrastructure. It was then used to introduce two versions of the Arid Gopher backdoor (one replaced the other, for unknown reasons). The attackers then deployed a custom tool to exfiltrate data from the victim’s network.
While this is just a high-level summary of the group’s latest activity, if you’re interested in reading more, you can read the whole write-up from Symantec here for all the technical details, IoCs, and potential mitigations.
