Volatile Cedar, a hacking group affiliated with the Hezbollah Cyber Unit, has resurfaced after almost six years out of public view.
The group came back into view when suspicious activity was discovered on Oracle and Atlassian servers.
Volatile Cedar breached unpatched Atlassian and Oracle servers by exploiting three known vulnerabilities: CVE-2012-3152 (Oracle Fusion Middleware Reports), CVE-2019-11581 (Atlassian Jira) and CVE-2019-3396 (Atlassian Confluence).
These intrusions were espionage campaigns aimed at learning the plans and behaviour of specific adversaries.
The net was wide, covering the United States, Egypt, Jordan, the United Kingdom, Saudi Arabia, Europe, the UAE, and even the Palestinian Authority. The targets were telecommunications companies, and the data taken included customers' call records among other private information.
Volatile Cedar sequenced its operations so that successive targets were geographically far apart, which made the campaign harder to correlate and detect. Other evasion tactics included shifting its focus from endpoint computers to public-facing servers and using common web shell utilities rather than custom tools that are more readily detected.
These concealment practices suggest that the group may have remained active throughout the last six years, leaving behind only heavily obfuscated trails.
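Because the group favoured generic web shells dropped on public-facing servers over bespoke tooling, the most reliable signal is often in ordinary web server access logs rather than in endpoint telemetry. The script below is an added illustration written for this page; it is not code from the researchers who reported Volatile Cedar and it carries no indicators tied to the group. The log lines, the `/portal/...` paths and the baseline set are constructed for the example, and the heuristics are deliberately generic: a request for a `.jsp` file that is not in the known-good baseline of JSP pages the application ships with, a POST to such a file (web shells usually take commands via POST), and command-like query parameters.

```python
"""
Flag likely web-shell activity in a Tomcat/Apache combined-format access log.

Added example for this page (not the researchers' code). All paths, hosts
and log lines below are constructed; the baseline set is hypothetical.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names commonly used by simple web shells to pass a command.
COMMAND_PARAMS = {"cmd", "exec", "command", "shell", "run"}


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    return rec


def detect_webshell_activity(lines, baseline_jsp_paths):
    """Return a Finding for every request that trips at least one heuristic."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the sweep
        path = rec["path"]
        reasons = []
        # Heuristic 1: a .jsp page the application is not known to ship.
        if path.lower().endswith(".jsp") and path not in baseline_jsp_paths:
            reasons.append("jsp path not in baseline")
            # Heuristic 2: POST to that unknown page (command submission).
            if rec["method"] == "POST":
                reasons.append("POST to unknown jsp")
        # Heuristic 3: command-like query parameter on any path.
        if COMMAND_PARAMS & {k.lower() for k in rec["params"]}:
            reasons.append("command-like parameter")
        if reasons:
            findings.append(Finding(rec["ip"], rec["method"], path, reasons))
    return findings


def by_source(findings):
    """Count findings per client IP to surface the noisiest source."""
    return dict(Counter(f.ip for f in findings))


# Constructed sample log: one benign client, one client working a dropped JSP.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Feb/2021:10:01:02 +0000] "GET /portal/index.jsp HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Feb/2021:10:01:09 +0000] "POST /portal/login.action HTTP/1.1" 302 0',
    '203.0.113.44 - - [12/Feb/2021:10:15:33 +0000] "GET /portal/images/help.jsp HTTP/1.1" 200 8831',
    '203.0.113.44 - - [12/Feb/2021:10:15:40 +0000] "POST /portal/images/help.jsp HTTP/1.1" 200 2210',
    '203.0.113.44 - - [12/Feb/2021:10:16:02 +0000] "GET /portal/images/help.jsp?cmd=whoami HTTP/1.1" 200 64',
    '10.0.0.7 - - [12/Feb/2021:10:20:00 +0000] "GET /portal/pages/view.action?pageId=42 HTTP/1.1" 200 9000',
    "malformed line that the parser must tolerate",
]

# Hypothetical baseline: JSP pages the deployed application legitimately serves.
BASELINE_JSP = {"/portal/index.jsp"}

if __name__ == "__main__":
    hits = detect_webshell_activity(SAMPLE_LOG, BASELINE_JSP)
    for h in hits:
        print(f"{h.ip} {h.method} {h.path}: {', '.join(h.reasons)}")
    print("per source:", by_source(hits))
```

In practice the baseline should be generated from a clean install of the same product version (a file listing of the deployed web application), and the sweep run across every public-facing Java server rather than a single host, since the point of the group's approach was to blend in with ordinary traffic on each server individually.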
But the group has finally left a calling card: a remote access tool used exclusively by Volatile Cedar, known as "Explosive RAT".
Explosive RAT is an updated version of the group's own "Explosive" trojan. It is usually deployed through a web shell built from a modified open-source JSP file browser.
Explosive RAT has been built for sensitive data theft and corporate espionage, and it reflects Volatile Cedar's characteristic evasion tactics. One example is that it monitors its own memory usage so as not to produce the suspicious allocations that would draw a defender's attention.
Volatile Cedar's activity reveals a concerning progression in Hezbollah's hacking capabilities: not only have their methods evolved, they are now also developing their own tools.