You are here: Home Cyberwar

Leafminer used to spy on Middle Eastern Regions

August 6, 2018 0 comment

Researchers at Symantec have published their findings on a new cyberespionage campaign being carried out on the Middle East. The threat-actor, Leafminer, has been attacking government organizations and business verticals since 2017. The group’s bag of tools include publicly available techniques and the results of experiments with publicly available proof-of-concept exploits. Entry vectors include watering hole sites, network service scans for vulnerabilities, and brute-force or dictionary-based network login attempts.

Targets seem to be email data, files, and database servers.

A compromised web server, e-qht.az, was found to be a distributor of Leafminer’s malware, payloads, and tools used by infected hosts.

In June of 2018, a subdirectory containing 112 files was found on the server, accessible by the Internet.

The files were comprised of malware and tools, but also contained uploaded log files from vulnerability scanners and post-compromise types of tools. A modification of a backdoor called PhpSpy was in play. Believed to have been written by an individual that calls himself MagicCoder, that name has ties and references back to an Iranian hacking forum Ashiyane and to an Iranian hacker group Sun Army.

Targeted Countries

  • Afghanistan
  • Bahrain
  • Egypt
  • Israel
  • Kuwait
  • Qatar
  • Saudi Arabia
  • United Arab Emirates

Targeted Industries

  • Airlines
  • Construction
  • Energy – Petrochemical
  • Energy – Utility
  • Financial
  • Food Services
  • Government
  • Security Services
  • Shipping and Transportation
  • Telecom

Recommendations

  • Keep applications and operating systems running at the current released patch level
  • Ensure anti-virus software and associated files are up to date
  • Verify, through a separate channel, the legitimacy of any unsolicited email attachments – delete without opening if you can’t validate
  • Search for existing signs of the indicated IOCs in your environment
  • Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices

More information: 

  • https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
  • https://exchange.xforce.ibmcloud.com/collection/Leafminer-Spying-on-Middle-Eastern-Regions-788ff67aec87c948a2ea8c73e0bec373
Previous Article
Next Article

Recommended For You

Malware Analysis Report AR18-221A: HIDDEN COBRA Trojan – KEYMARBLE

Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say

Iranians on the most wanted cyber list (Iranian Mabna Hackers)

PROMETHIUM and NEODYMIUM target individuals in Europe

Arrests Put New Focus on CARBON SPIDER Adversary

QUADAGENT: OilRig Targets Technology Service Provider and Government Agency

About the Author: CWZ

Founder of Cyberwarzone.com.