The target victims include companies from many countries, including the United States, United Kingdom, Saudi Arabia, Egypt, Jordan, Lebanon, Israel and the Palestinian Authority. Valuable information was stolen over periods of months and years, ClearSky researchers wrote in a blog posted.
The security firm, which first detected suspicious activity in early 2020, said the attack was based on a modified JSP file browser with a unique string that the adversary used to deploy “Explosive” V4 Remote Access Tool (RAT) or “Caterpillar” V2 WebShell in the victims’ networks. The file was installed in vulnerable Atlassian Jira and Oracle 10g servers. Lebanese Cedar exploited 1-day publicly known vulnerabilities such as CVE-2012-3152 to install the JSP in vulnerable servers.
The APT group – also referred to as “Volatile Cedar” – has been operating since 2012 and has kept a low profile, flying under the radar, since 2015 when its operations were first discovered by CheckPoint researchers and Kaspersky Labs.
ClearSky agrees with CheckPoint’s initial report that Lebanese Cedar APT is motivated by political and ideological interests, targeting individuals, companies and institutions worldwide and has strong ties to the Lebanese government or a political group in Lebanon.
The Lebanese group’s attacks started by using known vulnerabilities on public web servers, then distributing custom malware to steal files, while staying hidden, said Ivan Righi, cyber threat intelligence analyst at Digital Shadows, added that. The group has used a custom-written malware called “Explosive,” an info-stealing Trojan that the group has used since 2015, he said. The Explosive malware appears to have gone through multiple versions, usually updated to avoid antivirus detection.
“The latest campaign used a new version of Explosive with new capabilities,” Righi said. “Lebanese Cedar, or Volatile Cedar, is technically-advanced and has shown effective use of tactics, characterizing them as a high-level threat. Activity was last publicly-reported on in 2015 and is linked to the Shia Islamist political party and militant group Hezbollah. They likely conducted this campaign to support Hezbollah's motives to obtain sensitive information.”