Report: 2022-10-03, GReAT (Kaspersky Labs)
Report: 2021-01-28, ClearSky Research Team (ClearSky)
Report: 2017-08-25, Juan Andrés Guerrero-Saade (Kaspersky Labs)
Report: 2015-06-09, Check Point (Check Point)
Report: 2015-03-31, Kurt Baumgartner (Kaspersky Labs)
Report: 2015-03-31, Check Point Research (Check Point Research)
Report: 2015-03-30, Check Point (Check Point)
Actor: Volatile Cedar
Names: Volatile Cedar, Dancing Salome, DeftTorero
Country: Lebanon
Sponsor: State-sponsored, Hezbollah
Motivation: Information theft and espionage
First-seen: 2012
Description: (Check Point) Beginning in late 2012, the carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. This report provides an extended technical analysis of Volatile Cedar and the Explosive malware. We have seen clear evidence that Volatile Cedar has been active for almost 3 years. While many of the technical aspects of the threat are not considered “cutting edge”, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.
Observed-sectors: Education
Observed-sectors: Government
Observed-sectors: Hosting
Observed-countries: Canada
Observed-countries: Egypt
Observed-countries: Israel
Observed-countries: Jordan
Observed-countries: Lebanon
Observed-countries: Russia
Observed-countries: Saudi Arabia
Observed-countries: UAE
Observed-countries: UK
Observed-countries: USA
Observed-countries: Palestinian Authority
Tools: Adminer
Tools: ASPXSpy
Tools: Caterpillar
Tools: DirBuster
Tools: Explosive
Tools: GoBuster
Tools: JuicyPotato
Tools: RottenPotato
Tools: SharPyShell
Operations: 2015-06: After going public with our findings, we were provided with a new configuration belonging to a newly discovered sample we have never seen before. https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/
Operations: 2020 Early: In early 2020, suspicious network activities and hacking tools were found in a range of companies. https://www.clearskysec.com/cedar/
Information: https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf
Information: https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/
Information: https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
Mitre-attack: https://attack.mitre.org/groups/G0123/
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Description |
---|---|---|
TA0043 Reconnaissance | T1595.002 Active Scanning: Vulnerability Scanning | Volatile Cedar has performed vulnerability scans of the target server. |
TA0043 Reconnaissance | T1595.003 Active Scanning: Wordlist Scanning | Volatile Cedar has used DirBuster and GoBuster to brute force web directories and DNS subdomains. |
TA0001 Initial Access | T1190 Exploit Public-Facing Application | Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery. |
TA0003 Persistence | T1505.003 Server Software Component: Web Shell | Volatile Cedar can inject web shell code into a server. |
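Two of the techniques in the ATT&CK row above, wordlist scanning (T1595.003) and web shell deployment (T1505.003), leave a recognisable trace in ordinary web server access logs. The script below is an added example written for this card; it is not code from ETDA, Check Point, ClearSky, Kaspersky or the actor, and it does not reproduce any real Volatile Cedar indicator. It runs two heuristics over a constructed combined-format access log (all IPs, paths, timestamps and User-Agents are made up): a source that produces many distinct 404/403 paths in a short window, or that announces a DirBuster/GoBuster User-Agent, is flagged as a scanner; a server-side script path that is only ever requested by one source, only via POST, is flagged as a web shell candidate; the two signals are then joined, since a candidate path posted to by a source that also scanned the server is the stronger indicator. Thresholds and the script-extension list are assumptions to tune per environment.

```python
"""Added example: detect wordlist scanning and web shell use in access logs.
Not from the ETDA card or any cited report; sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format; lines that do not match are skipped.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCANNER_UA = re.compile(r"dirbuster|gobuster", re.IGNORECASE)  # assumed default UAs
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp")                  # assumption: tune per server

# Constructed log: a scan from 203.0.113.7, then POSTs to a script the scan
# located, then ordinary traffic from two other clients. Not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2020:09:00:01 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "gobuster/3.0.1"
203.0.113.7 - - [12/Feb/2020:09:00:01 +0000] "GET /backup/ HTTP/1.1" 404 169 "-" "gobuster/3.0.1"
203.0.113.7 - - [12/Feb/2020:09:00:02 +0000] "GET /old/ HTTP/1.1" 404 169 "-" "gobuster/3.0.1"
203.0.113.7 - - [12/Feb/2020:09:00:02 +0000] "GET /test/ HTTP/1.1" 404 169 "-" "gobuster/3.0.1"
203.0.113.7 - - [12/Feb/2020:09:00:03 +0000] "GET /uploads/ HTTP/1.1" 403 199 "-" "gobuster/3.0.1"
203.0.113.7 - - [12/Feb/2020:09:00:03 +0000] "GET /dev/ HTTP/1.1" 404 169 "-" "gobuster/3.0.1"
203.0.113.7 - - [12/Feb/2020:09:00:04 +0000] "GET /tmp/ HTTP/1.1" 404 169 "-" "gobuster/3.0.1"
203.0.113.7 - - [12/Feb/2020:09:14:10 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2020:09:14:42 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2020:09:15:00 +0000] "GET /index.aspx HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2020:09:15:03 +0000] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.44 - - [12/Feb/2020:09:16:10 +0000] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.44 - - [12/Feb/2020:09:16:11 +0000] "GET /missing.png HTTP/1.1" 404 169 "-" "Mozilla/5.0"
"""


def parse_access_log(text):
    """Return a list of dicts (ip, ts, method, path, status, ua) for matching lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def find_wordlist_scans(records, window=timedelta(seconds=60), min_misses=5):
    """T1595.003: flag sources with >= min_misses distinct 403/404 paths inside a
    sliding window, or with a known scanner User-Agent.
    Returns {ip: {"misses": max distinct misses in one window, "scanner_ua": bool}}."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] in (403, 404):
            by_ip[r["ip"]].append(r)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        ua_flag = any(SCANNER_UA.search(r["ua"]) for r in recs)
        best, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:  # slide window start
                start += 1
            best = max(best, len({r["path"] for r in recs[start:end + 1]}))
        if best >= min_misses or ua_flag:
            hits[ip] = {"misses": best, "scanner_ua": ua_flag}
    return hits


def find_web_shell_candidates(records, min_posts=2):
    """T1505.003 heuristic: a script path requested by exactly one source, only via
    POST, with >= min_posts successful POSTs. Real handlers (login forms, APIs) are
    hit by many clients and usually also fetched with GET, so they drop out."""
    by_path = defaultdict(list)
    for r in records:
        if r["path"].lower().endswith(SCRIPT_EXT):
            by_path[r["path"]].append(r)
    candidates = []
    for path, recs in by_path.items():
        ips = {r["ip"] for r in recs}
        methods = {r["method"] for r in recs}
        posts = [r for r in recs if r["method"] == "POST" and r["status"] == 200]
        if len(ips) == 1 and methods == {"POST"} and len(posts) >= min_posts:
            candidates.append((next(iter(ips)), path, len(posts)))
    return sorted(candidates)


def correlate(records):
    """Web shell candidates whose single client also scanned the server."""
    scans = find_wordlist_scans(records)
    return [c for c in find_web_shell_candidates(records) if c[0] in scans]


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    print("scanners:", find_wordlist_scans(recs))
    print("web shell candidates:", find_web_shell_candidates(recs))
    print("scanner + shell:", correlate(recs))
```

On the constructed sample only 203.0.113.7 is flagged (seven distinct misses in four seconds and a GoBuster User-Agent), /uploads/img.aspx is the only web shell candidate, and the join ties the two together; the benign 404 from 198.51.100.44 and the shared /login.aspx handler are not flagged. A scanner that randomises its User-Agent still trips the miss-count rule, which is why the two conditions are OR'd; a web shell reached by several operator IPs, or one fetched with GET before being posted to, would need the single-client and POST-only conditions relaxed, at the cost of more false positives.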