Researchers at Symantec have published their findings on a new cyberespionage campaign being carried out against the Middle East. The threat actor, Leafminer, has been attacking government organizations and business verticals since 2017. The group's toolset includes publicly available techniques and the results of experiments with publicly available proof-of-concept exploits. Entry vectors include watering hole sites, network service scans for vulnerabilities, and brute-force or dictionary-based network login attempts.
Targets seem to be email data, files, and database servers.
A compromised web server, e-qht.az, was found to be a distributor of Leafminer’s malware, payloads, and tools used by infected hosts.
In June of 2018, a subdirectory containing 112 files was found on the server, accessible by the Internet.
The files comprised malware and tools, but also included uploaded log files from vulnerability scanners and post-compromise tools. A modified version of a backdoor called PhpSpy was in play. It is believed to have been written by an individual who calls himself MagicCoder, a name with ties and references back to the Iranian hacking forum Ashiyane and to the Iranian hacker group Sun Army.
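Of the entry vectors named above, brute-force and dictionary-based login attempts are the ones a defender can spot most directly in authentication logs. The following is an added example, not code from Symantec's report or from the Leafminer campaign: it parses constructed sshd-style log lines (the hostnames, usernames, IP addresses and timestamps are made up) and flags a source address that accumulates many failures in a short window, distinguishing a dictionary run (many usernames) from single-account password guessing, and noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines for illustration; not from any real host.
SAMPLE_LOG = """\
Jun 14 02:11:01 web01 sshd[4122]: Failed password for root from 198.51.100.23 port 50122 ssh2
Jun 14 02:11:03 web01 sshd[4122]: Failed password for admin from 198.51.100.23 port 50130 ssh2
Jun 14 02:11:04 web01 sshd[4122]: Failed password for oracle from 198.51.100.23 port 50131 ssh2
Jun 14 02:11:06 web01 sshd[4122]: Failed password for postgres from 198.51.100.23 port 50140 ssh2
Jun 14 02:11:07 web01 sshd[4122]: Failed password for test from 198.51.100.23 port 50142 ssh2
Jun 14 02:11:09 web01 sshd[4122]: Failed password for invalid user guest from 198.51.100.23 port 50150 ssh2
Jun 14 02:11:12 web01 sshd[4130]: Accepted password for backup from 198.51.100.23 port 50161 ssh2
Jun 14 02:30:44 web01 sshd[4201]: Failed password for alice from 203.0.113.9 port 41022 ssh2
Jun 14 02:30:52 web01 sshd[4201]: Accepted password for alice from 203.0.113.9 port 41022 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted password" message shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2018):
    """Return a dict for an auth event, or None for lines that are not logins.

    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5), min_users=3):
    """Flag source IPs with >= threshold failed logins inside any `window`.

    Returns one alert per offending IP describing the densest failure burst,
    whether it looks like a dictionary run (>= min_users distinct accounts) or
    guessing against one account, and whether a success followed the burst."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        best = None
        start = 0
        # Sliding window over the time-ordered failures for this source.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            chunk = failures[start:end + 1]
            if len(chunk) >= threshold and (best is None or len(chunk) > len(best)):
                best = chunk
        if best is None:
            continue
        users = {e["user"] for e in best}
        last_failure = best[-1]["ts"]
        # A success from the same source after the burst suggests the guessing worked.
        success_after = any(
            e["result"] == "Accepted" and e["ts"] >= last_failure for e in evs
        )
        alerts.append({
            "ip": ip,
            "failures": len(best),
            "distinct_users": len(users),
            "kind": "dictionary" if len(users) >= min_users else "brute-force",
            "first": best[0]["ts"],
            "last": last_failure,
            "success_after_burst": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the script reports a single alert for 198.51.100.23: six failures across six different accounts within eight seconds, classified as a dictionary run, with an accepted login from the same address right after the burst. The lone failure from 203.0.113.9 stays below the threshold. In production the thresholds would be tuned to the environment, and the "success after burst" flag is the one that should page someone, since it marks the point where a scan turns into access.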