Type to search

Cyberwar
Tags: , ,

Leafminer used to spy on Middle Eastern Regions

August 6, 2018

Researchers at Symantec have published their findings on a new cyberespionage campaign being carried out on the Middle East. The threat-actor, Leafminer, has been attacking government organizations and business verticals since 2017. The group’s bag of tools include publicly available techniques and the results of experiments with publicly available proof-of-concept exploits. Entry vectors include watering hole sites, network service scans for vulnerabilities, and brute-force or dictionary-based network login attempts.

Targets seem to be email data, files, and database servers.

A compromised web server, e-qht.az, was found to be a distributor of Leafminer’s malware, payloads, and tools used by infected hosts.

In June of 2018, a subdirectory containing 112 files was found on the server, accessible by the Internet.

The files were comprised of malware and tools, but also contained uploaded log files from vulnerability scanners and post-compromise types of tools. A modification of a backdoor called PhpSpy was in play. Believed to have been written by an individual that calls himself MagicCoder, that name has ties and references back to an Iranian hacking forum Ashiyane and to an Iranian hacker group Sun Army.

Targeted Countries

  • Afghanistan
  • Bahrain
  • Egypt
  • Israel
  • Kuwait
  • Qatar
  • Saudi Arabia
  • United Arab Emirates

Targeted Industries

  • Airlines
  • Construction
  • Energy – Petrochemical
  • Energy – Utility
  • Financial
  • Food Services
  • Government
  • Security Services
  • Shipping and Transportation
  • Telecom

Recommendations

  • Keep applications and operating systems running at the current released patch level
  • Ensure anti-virus software and associated files are up to date
  • Verify, through a separate channel, the legitimacy of any unsolicited email attachments – delete without opening if you can’t validate
  • Search for existing signs of the indicated IOCs in your environment
  • Block all URL and IP based IoCs at the firewall, IDS, web gateways, routers or other perimeter-based devices

More information: 

  • https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
  • https://exchange.xforce.ibmcloud.com/collection/Leafminer-Spying-on-Middle-Eastern-Regions-788ff67aec87c948a2ea8c73e0bec373
Tweet
Share
Pin
Share
+1
0 Shares
Tags:
Previous Article
Next Article
Cyberwarzone

Cyberwarzone is the number one cyberwar news provider. We have been publishing cyberwar news since 2010 and we are still running.

The news which has been collected is available for everyone and it will stay like that. All the cyberwar reports, videos, posts and comments are here to inform you about the cyberwar and security field.

Cryptocurrency