Iranian APT33 Targets Aviation with Updated MimicC2 and PowerLess
- [01] Immediate impact: Iranian APT33 is actively targeting aviation and defense-supporting software companies globally.
- [02] Affected systems: Organizations supporting critical infrastructure are at heightened risk from advanced custom malware.
- [03] Remediation: Implement robust network segmentation, monitor for MimicC2/PowerLess IoCs, and enhance EDR capabilities.
Iranian APT Nimbus Manticore Updates Toolset for Aviation Sector Targeting
The Iranian advanced persistent threat (APT) group known as Nimbus Manticore, also identified as APT33 (or Peachpit, Shamoon), has continued its focused cyber espionage campaigns against critical infrastructure-adjacent organizations. Recent findings indicate the group has updated its operational toolkit, deploying a new custom C2 framework dubbed MimicC2 and an enhanced PowerShell execution tool, PowerLess. These sophisticated tools are primarily directed at aviation companies, defense contractors, and software firms supporting these vital sectors globally, according to SecurityWeek.
The persistence of Nimbus Manticore, even amidst geopolitical events like the US military campaign against Iran in late 2019 and early 2020, underscores the group’s dedication to its strategic objectives. The new tools demonstrate a clear evolution in its TTPs, emphasizing stealth and resilience in post-compromise activity, and pose a significant threat to the aviation-sector organizations that APT33 targets.
Technical Analysis of MimicC2 and PowerLess
Nimbus Manticore’s latest arsenal includes two primary components designed for covert operations:
- MimicC2 Framework: This newly identified custom C2 framework, written in C#, is central to the group’s current operations. MimicC2 employs a custom encryption scheme for its network communications, making it particularly challenging for traditional security solutions to detect and analyze. Its extensive capabilities allow the threat actors to perform a wide range of post-exploitation activities, including:
  - Remote command execution
  - Arbitrary file transfer
  - Screenshot capture
  - Keylogging
  - Process enumeration
  - Service management
  - Arbitrary code execution via reflective DLL injection
  For persistence, MimicC2 utilizes a service-based dropper that ensures the malware runs with elevated privileges, often as NT AUTHORITY\SYSTEM or NETWORK SERVICE, facilitating privilege escalation. It also employs scheduled tasks and can masquerade as legitimate processes such as svchost.exe or dns.exe to evade detection within a compromised environment.
- PowerLess (Updated PowerShell Runner): PowerLess represents an evolution of previous PowerShell execution tools used by APT33. Now implemented in C# and heavily obfuscated, PowerLess incorporates its own custom C2 mechanism, further enhancing its stealth. Its primary function is to execute arbitrary PowerShell commands on compromised systems, allowing the attackers to download and run additional malicious modules or scripts without triggering standard PowerShell logging or behavioral analysis. This tool is instrumental in facilitating various post-exploitation tasks while maintaining a low profile.
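The MimicC2 persistence and masquerading behaviours described above (a service-based dropper running as SYSTEM or NETWORK SERVICE, scheduled-task persistence, and processes named svchost.exe or dns.exe) map directly onto the host-based hunts recommended later in this article. The Python below is an added example written for this page, not code from the article, from SecurityWeek, or from any vendor report. The record types loosely model Sysmon process-creation, Windows service-install and task-creation events, but every field name, path, account string and sample record is a constructed assumption; the process check generalizes to any trusted name placed in the EXPECTED table.

```python
"""Host-artifact hunting for MimicC2-style persistence and masquerading.

Added example (not from the article or any vendor). Three behaviours
attributed to MimicC2 become checks over constructed telemetry:
  * a trusted name (svchost.exe / dns.exe) used from the wrong path,
    parent or without the OS signature,
  * a newly installed service outside OS/program directories that runs
    as SYSTEM or NETWORK SERVICE (service-based dropper pattern),
  * a scheduled task whose action lives in a user-writable directory.
All field names and sample values are assumptions for the demo.
"""
from dataclasses import dataclass

# Where the imitated binaries really live and which parent normally starts
# them. svchost.exe and dns.exe (DNS Server role) are launched by services.exe.
EXPECTED = {
    "svchost.exe": ("c:\\windows\\system32\\svchost.exe", {"services.exe"}),
    "dns.exe": ("c:\\windows\\system32\\dns.exe", {"services.exe"}),
}
OS_SIGNER = "microsoft windows"
HIGH_PRIV = {"nt authority\\system", "nt authority\\network service", "localsystem"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class ProcEvent:          # Sysmon Event ID 1 subset (assumed shape)
    image: str
    parent_image: str
    user: str
    signer: str           # Authenticode publisher, "" when unsigned


@dataclass
class ServiceInstall:     # System log Event ID 7045 subset (assumed shape)
    name: str
    image_path: str
    account: str


@dataclass
class TaskCreate:         # Security log Event ID 4698 subset (assumed shape)
    task_name: str
    command: str


def norm(path: str) -> str:
    """Lower-case, strip quotes and expand the env vars service paths often use."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def check_process(ev: ProcEvent) -> list[str]:
    """A trusted name is only trustworthy with the matching path, parent and signer."""
    name = basename(ev.image)
    if name not in EXPECTED:
        return []
    real_path, parents = EXPECTED[name]
    out = []
    if norm(ev.image) != real_path:
        out.append(f"{name} running from unexpected path {ev.image}")
    if basename(ev.parent_image) not in parents:
        out.append(f"{name} spawned by unexpected parent {ev.parent_image}")
    if ev.signer.lower() != OS_SIGNER:
        out.append(f"{name} not signed by Microsoft Windows")
    return out


def check_service(ev: ServiceInstall) -> list[str]:
    """New service outside OS/program directories; worse when it runs elevated."""
    out = []
    if not norm(ev.image_path).startswith(TRUSTED_ROOTS):
        out.append(f"service {ev.name} installed from non-standard path {ev.image_path}")
        if ev.account.lower() in HIGH_PRIV:
            out.append(f"service {ev.name} runs as {ev.account} (elevated dropper pattern)")
    return out


def check_task(ev: TaskCreate) -> list[str]:
    """Scheduled task whose action is stored in a user-writable directory."""
    if any(d in norm(ev.command) for d in USER_WRITABLE):
        return [f"scheduled task {ev.task_name} runs from user-writable path {ev.command}"]
    return []


def hunt(events) -> list[str]:
    """Apply the matching check to each record of a mixed telemetry stream."""
    checks = {ProcEvent: check_process, ServiceInstall: check_service, TaskCreate: check_task}
    findings = []
    for ev in events:
        findings.extend(checks[type(ev)](ev))
    return findings


# Constructed telemetry: benign and suspicious records of each kind.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\services.exe",
              "NT AUTHORITY\\SYSTEM", "Microsoft Windows"),
    ProcEvent("C:\\ProgramData\\Updater\\svchost.exe", "C:\\Windows\\System32\\cmd.exe",
              "NT AUTHORITY\\SYSTEM", ""),
    ProcEvent("C:\\Windows\\Temp\\dns.exe", "C:\\Windows\\System32\\services.exe",
              "NT AUTHORITY\\NETWORK SERVICE", ""),
    ServiceInstall("Schedule", "\"%SystemRoot%\\System32\\svchost.exe\" -k netsvcs", "LocalSystem"),
    ServiceInstall("MsUpdateSvc", "C:\\ProgramData\\Updater\\svchost.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    TaskCreate("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe -c -h"),
    TaskCreate("\\Updater", "C:\\ProgramData\\Updater\\svchost.exe"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed records, the benign svchost.exe, the legitimate Schedule service and the Defrag task produce nothing, while the ProgramData copy of svchost.exe, the Temp copy of dns.exe, the elevated MsUpdateSvc service and the Updater task each surface. In production the same checks would be fed from the SIEM rather than inline lists, and the EXPECTED table should be extended with every system binary the environment's EDR has seen imitated.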
Impact and Motivation
The primary motivation behind Nimbus Manticore’s campaigns is cyber espionage, aimed at gathering sensitive information from entities closely associated with critical infrastructure sectors like aviation and defense. Compromise of these organizations can provide the Iranian government with valuable intelligence, intellectual property, or strategic advantages. The use of custom and updated tools indicates a significant investment in evading detection and achieving long-term access to target networks.
Actionable Recommendations and Mitigations
Organizations within the aviation, defense, and supporting software sectors must prioritize robust security measures to counter the evolving threat from Nimbus Manticore. Effective defense requires a multi-layered approach focusing on detection and prevention of advanced post-exploitation techniques.
Enhancing Detection and Response
- Advanced Endpoint Detection and Response (EDR): Deploy and meticulously configure EDR solutions to monitor for unusual process behavior, reflective DLL injection attempts, and suspicious PowerShell activity. EDR can be crucial in detecting Nimbus Manticore MimicC2 activity and the execution patterns of PowerLess.
- Network Traffic Analysis: Implement deep packet inspection and network flow monitoring to identify anomalies, especially custom C2 communications that deviate from expected traffic patterns. While MimicC2 uses custom encryption, behavioral analysis of network connections can still yield indicators.
- Threat Hunting: Proactively hunt for IoCs associated with APT33 and the described toolset. Look for evidence of scheduled tasks created by unknown services, processes masquerading as legitimate Windows binaries, or unusual service installations.
- SIEM and SOC Monitoring: Centralize logs from endpoints, network devices, and authentication systems into a SIEM platform. Establish robust Security Operations Center workflows for alerting and investigation of suspicious events, particularly those related to privilege elevation or lateral movement attempts.
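The network-traffic recommendation above notes that MimicC2's custom encryption defeats payload inspection, so the detectable signal is behavioural. The Python below is an added example for this page, not code from the article, SecurityWeek or any vendor: it groups constructed flow records by source/destination pair and scores each pair on the regularity of its connection timing (coefficient of variation of the inter-arrival gaps), the basic beacon-detection approach used by many flow-analysis tools. The flow-export format, thresholds, addresses and sample records are all constructed assumptions.

```python
"""Beacon-timing analysis over flow records (added example, not from the article).

Encrypted C2 hides its content but not its rhythm: an implant that checks
in every N seconds produces inter-arrival gaps with a very low coefficient
of variation, whereas human-driven traffic is bursty. The flow format
'epoch src dst:port bytes' and every sample value are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


def parse_flows(lines):
    """Parse 'epoch src dst:port bytes' lines; '#' comments and blanks skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((float(ts), src, dst, int(nbytes)))
    return flows


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections (0 = metronomic).

    Returns None when there are too few gaps to say anything."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 4:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_beacons(flows, max_cv=0.2, min_conns=6):
    """Return (src, dst) pairs whose connection timing is regular enough to look like a beacon.

    max_cv and min_conns are assumed tuning knobs; jittered implants raise the
    CV, so the threshold trades recall against noise from polling software."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_conns:
            continue
        recs.sort()
        stamps = [t for t, _ in recs]
        cv = beacon_score(stamps)
        if cv is None or cv > max_cv:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        sizes = [n for _, n in recs]
        hits.append({
            "src": src, "dst": dst, "connections": len(recs),
            "interval_s": round(mean(gaps), 1), "timing_cv": round(cv, 3),
            # near-constant sizes are a secondary sign of an empty check-in
            "size_range": (min(sizes), max(sizes)),
        })
    return hits


# Constructed flow export: one ~60 s beacon with small jitter, one bursty
# browsing session to a different host, and one pair too small to judge.
SAMPLE_FLOWS = """\
# epoch      src        dst                bytes
1700000000 10.0.5.23 203.0.113.7:443 412
1700000061 10.0.5.23 203.0.113.7:443 412
1700000119 10.0.5.23 203.0.113.7:443 412
1700000181 10.0.5.23 203.0.113.7:443 412
1700000240 10.0.5.23 203.0.113.7:443 412
1700000299 10.0.5.23 203.0.113.7:443 412
1700000361 10.0.5.23 203.0.113.7:443 1096
1700000420 10.0.5.23 203.0.113.7:443 412
1700000005 10.0.5.23 198.51.100.20:443 5120
1700000007 10.0.5.23 198.51.100.20:443 88231
1700000040 10.0.5.23 198.51.100.20:443 2048
1700000041 10.0.5.23 198.51.100.20:443 17400
1700000042 10.0.5.23 198.51.100.20:443 640
1700000130 10.0.5.23 198.51.100.20:443 9031
1700000131 10.0.5.23 198.51.100.20:443 300
1700000400 10.0.5.23 198.51.100.20:443 4410
1700000010 10.0.5.24 198.51.100.20:443 1200
1700000900 10.0.5.24 198.51.100.20:443 1500
""".splitlines()

if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

On the constructed data only the 10.0.5.23 to 203.0.113.7:443 pair is reported, with a 60 s interval and a timing CV near 0.03; the browsing session scores well above the threshold and the two-connection pair is skipped. A real deployment would run this per time window over NetFlow or proxy logs and whitelist known pollers (update agents, monitoring) before alerting.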
Proactive Defense Strategies
- Application Whitelisting: Implement application whitelisting to restrict the execution of unauthorized executables and scripts, including those associated with PowerLess. This can significantly reduce the attack surface.
- Strong Authentication and Access Control: Enforce multi-factor authentication (MFA) across all services and implement the principle of least privilege. Regular audits of user accounts and permissions are essential.
- Network Segmentation: Segment networks to limit the impact of a potential breach and prevent lateral movement of threat actors. This strategy can significantly hinder the ability of MimicC2 to spread within an organization.
- Employee Training: Conduct regular security awareness training, particularly focusing on identifying sophisticated spear-phishing attempts, which remain a common initial access vector for groups like APT33.
- Zero Trust Architecture: Adopt a Zero Trust security model, continuously verifying every user and device, regardless of whether they are inside or outside the network perimeter. This approach helps in mitigating the risks posed by compromised credentials or devices.
By implementing these mitigation strategies against PowerLess malware and MimicC2, organizations can significantly enhance their defensive posture against persistent and well-resourced nation-state threat actors like Nimbus Manticore.