Leafminer used to spy on Middle Eastern Regions

Researchers at Symantec have published their findings on a new cyberespionage campaign being carried out in the Middle East. The threat actor, Leafminer, has been attacking government organizations and business verticals since 2017. The group's toolset includes publicly available techniques and the results of experiments with publicly available proof-of-concept exploits. Entry vectors include watering-hole sites, network service scans for vulnerabilities, and brute-force or dictionary-based network login attempts.

Targets seem to be email data, files, and database servers.

A compromised web server, e-qht.az, was found to be distributing Leafminer's malware, payloads, and the tools used on infected hosts.

In June 2018, a subdirectory containing 112 files was found on the server, accessible from the Internet.

The files consisted of malware and tools, but also included uploaded log files from vulnerability scanners and post-compromise tools. A modified version of a backdoor called PhpSpy was also present. It is believed to have been written by an individual who calls himself MagicCoder, a name with ties and references to the Iranian hacking forum Ashiyane and to the Iranian hacker group Sun Army.

Targeted Countries

  • Afghanistan
  • Bahrain
  • Egypt
  • Israel
  • Kuwait
  • Qatar
  • Saudi Arabia
  • United Arab Emirates

Targeted Industries

  • Airlines
  • Construction
  • Energy – Petrochemical
  • Energy – Utility
  • Financial
  • Food Services
  • Government
  • Security Services
  • Shipping and Transportation
  • Telecom

Recommendations

  • Keep applications and operating systems running at the current released patch level
  • Ensure anti-virus software and associated files are up to date
  • Verify, through a separate channel, the legitimacy of any unsolicited email attachments – delete without opening if you can’t validate
  • Search for existing signs of the indicated IoCs in your environment
  • Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices
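One way to act on the "search for signs of the IoCs" recommendation, as an added example that is not part of the original report or of the Symantec/IBM write-ups: scan proxy logs for requests to the compromised distribution server named above (e-qht.az). The log format and the log lines are constructed for the example; matching is done on domain-label boundaries so that look-alike hosts such as e-qht.az.example.org are not flagged.

```python
import re
from urllib.parse import urlsplit

# Indicator named in the report above: the compromised distribution server.
IOC_DOMAINS = {"e-qht.az"}

# Constructed sample lines in a Squid-style access-log layout (assumed format:
# "timestamp client status bytes method url"); this is not real traffic.
SAMPLE_LOG = """\
1529990000.123 10.0.0.5 TCP_MISS/200 5120 GET http://e-qht.az/dl/tool.zip
1529990001.456 10.0.0.7 TCP_MISS/200 812 GET https://www.example.com/index.html
1529990002.789 10.0.0.9 TCP_MISS/200 640 GET http://cdn.e-qht.az/payload.bin
1529990003.001 10.0.0.5 TCP_MISS/404 0 GET http://e-qht.az.example.org/look-alike
1529990004.222 10.0.0.11 TCP_MISS/200 99 GET http://E-QHT.AZ:8080/x
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def matches_ioc(host: str, iocs=IOC_DOMAINS) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.
    A plain substring test would also flag 'e-qht.az.example.org', so the
    comparison is anchored on label boundaries."""
    return any(host == d or host.endswith("." + d) for d in iocs)

def find_ioc_hits(log_text: str, iocs=IOC_DOMAINS):
    """Return (client, host, url) for every log line that contacted an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        host = host_of(m.group("url"))
        if matches_ioc(host, iocs):
            hits.append((m.group("client"), host, m.group("url")))
    return hits

if __name__ == "__main__":
    for client, host, url in find_ioc_hits(SAMPLE_LOG):
        print(f"{client} -> {host}  ({url})")
```

Extend IOC_DOMAINS with the domains from the linked reports and point find_ioc_hits at your own proxy or DNS logs; each hit gives you the internal client to triage.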

More information:

  • https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
  • https://exchange.xforce.ibmcloud.com/collection/Leafminer-Spying-on-Middle-Eastern-Regions-788ff67aec87c948a2ea8c73e0bec373