Lebanese Cedar

Lebanese Cedar, aka Volatile Cedar, is a Lebanese APT that was linked to the Hezbollah, was first discovered by Check Point researchers and Kaspersky labs in 2015. According to Check Point researchers, the APT has been operating since at least 2012.

In January 2021, ClearSky researchers published a report regarding the latest campaign related to Lebanese Cedar which started in early 2020. According to the researchers, this APT targeted the telecommunication sector and internet service providers in the US, the UK, Israel, Egypt, Saudi Arabia, Lebanon, Jordan, UAE as well as in the Palestinian Authority.

In this campaign, Lebanese Cedar operators used open-source hacking tools to scan the internet for unpatched Atlassian and Oracle servers. They deployed exploits to gain access to these servers and installed a web shell for future access. In order to attack the internet-facing servers, the hackers used these vulnerabilities:

  • CVE-2019-3396 in Atlassian Confluence
  • CVE-2019-11581in Atlassian Jira
  • CVE-2012-3152 in Oracle Fusion

Once they gained access to these systems, the attackers deployed web shells in order to gain access to their victim's internal networks. On the internal networks, the attackers deployed a more powerful tool named the Explosive remote access trojan (RAT), a tool that specializes in data exfiltration and which they also used in 2015: https://news.softpedia.com/news/Explosive-Malware-Used-by-Cyber-Espionage-Group-Working-from-Lebanon-477220.shtml.

Explosive RAT has both passive collection methods and on-demand capabilities. Once installed, the tool continuously runs a keylogger and a clipboard logger, which transmit the results to the C&C server. In addition, Explosive has a wide array of options that can be activated by a C&C command, including a variety of data theft and machine fingerprinting capabilities, stealth and self-destruction functions, proliferation options, and a remote shell. The creators of Explosive went to great lengths to assure operational stealth to protect against exposure, including memory usage monitoring, process listing, and more.