Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers
2021-02-01 21:18

Advanced persistent threat group Lebanese Cedar has used its latest malware to compromise at least 250 public-facing servers since early 2020, researchers said.

The group has added new features to its custom "Caterpillar" web shell and its "Explosive RAT" remote access trojan. Researchers at ClearSky Security said they linked both tools to the compromise of the public servers, which allowed widespread espionage.

"In 2015, Lebanese Cedar relied mostly on Explosive RAT as their main tool. In the recent campaign, we identified multiple Caterpillar web shells and less utilization of Explosive RAT. Accordingly, we propose that the main vector of Lebanese Cedar in 2020 is utilization of web shell."

In 2015, Check Point researchers also tied the APT group to the Lebanese government.

"Known for its highly evasive, selectively targeted and carefully managed operations, Lebanese Cedar follows courses of action associated with APTs funded by nation-states or political groups," the report added.

More generally, the best bet against Lebanese Cedar and other similar threat actors is a tighter collaboration between vendors, researchers, industry groups and law enforcement, Derek Manky with Fortinet's FortiGuard Labs told Threatpost.


News URL

https://threatpost.com/hezbollah-lebanese-cedar-apt-servers/163555/