True hackers use such open-source tools
Symantec has discovered the activity of a cybercriminal group called Leafminer, whose attacks since the beginning of 2017 have targeted government, financial, petrochemical, transport, aviation, energy, security and other organizations in the Middle East. The most affected countries are Saudi Arabia, Israel, Qatar, Kuwait, Egypt and others located in this geographical region.
The report states that the Leafminer group adapts its techniques and tools to the chosen target and, interestingly, most of the software Symantec detected being used for attacks and exfiltration consists of well-known open-source tools available on GitHub to both sides of the conflict.
During the investigation, the experts reached a poorly protected server hosting more than 100 directories. It contained a modified PHP web shell (PhpSpy), probably written by a user known as MagicCoder. MagicCoder in turn leads to the Iranian hacker forum Ashiyane and to the Sun Army hacker group.
Besides the malware, tools and log files were found there that contained the results of vulnerability scans. The Leafminer group apparently tends to use publicly available tools, including published exploit PoCs. Its attack techniques include:
- Watering-hole tactics, in which the victim is infected through a compromised website they visit.
- Techniques and tools for scanning network services exposed to the Internet.
- Brute-force attempts against credentials, using dictionaries of logins and passwords drawn from recent data leaks.
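As an added illustration, not part of the original article or of Symantec's report, the following detector flags the dictionary-attack pattern from the last point over constructed sshd-style log lines; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style): one source cycles through many account
# names with failed logins and finally succeeds; a second source is normal user activity.
SAMPLE_LOG = """\
2018-07-25T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022
2018-07-25T10:00:02 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 41023
2018-07-25T10:00:03 sshd[1201]: Failed password for jsmith from 203.0.113.7 port 41024
2018-07-25T10:00:04 sshd[1201]: Failed password for akowalski from 203.0.113.7 port 41025
2018-07-25T10:00:05 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 41026
2018-07-25T10:00:06 sshd[1201]: Accepted password for akowalski from 203.0.113.7 port 41027
2018-07-25T10:05:00 sshd[1340]: Failed password for jsmith from 198.51.100.20 port 50100
2018-07-25T10:07:00 sshd[1340]: Accepted password for jsmith from 198.51.100.20 port 50101
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def detect_dictionary_attacks(log_text, max_failures=4, min_users=3, window=timedelta(minutes=1)):
    """Return {source_ip: details} for sources with at least `max_failures` failed logins
    spread over at least `min_users` distinct accounts inside a sliding time `window`.
    `success_after_failures` marks a later successful login from the same source."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event in the assumed format
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["result"], m["user"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(t, u) for t, r, u in evs if r == "Failed"]
        for i, (t0, _) in enumerate(fails):
            in_win = [u for t, u in fails[i:] if t - t0 <= window]
            if len(in_win) >= max_failures and len(set(in_win)) >= min_users:
                success = any(r == "Accepted" and t > t0 for t, r, _u in evs)
                alerts[src] = {"failures": len(in_win), "users": sorted(set(in_win)),
                               "success_after_failures": success}
                break  # one alert per source is enough
    return alerts
```

The "success after failures" flag is the case worth triaging first, since it indicates that a leaked or guessed password worked.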
Symantec states that the code used in one of the attacks leads to a hacked web server in the "e-qht.az" domain. This is the website of the Azerbaijan Support Council, which was used to distribute malware. Two further types of malware (Trojan.Imecab and Backdoor.Sorg) were identified as used by the Leafminer group, including DLLs serving as droppers or programs that execute specific commands on the infected system. Legitimate installation files for .NET Framework 2.0 SP2 were also found, which were required to run the modified tools; among them are tools used for:
- privilege escalation (MSF Rotten Potato),
- searching for credentials (Mimikatz),
- dictionary attacks (THC Hydra),
- remote execution of commands (SysInternals PsExec),
- vulnerability scanning (Router Scan),
- extracting attachments from EML mail files (Sobolsoft Extract Attachments),
- exporting SQL databases (SysTool SQL Backup Recovery),
- disk cloning (Disk Backup),
- searching for files on the computer (Voidtools Everything).
Users and companies are encouraged to read our practical computer security guide. Everyone will find something useful there, including information on how to monitor critical system areas in the event of similar attacks.
In the report, Symantec publishes detailed indicators of compromise and domains that can be useful when searching for and securing affected systems.
We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.