Delaware, USA – July 27, 2018 – Researchers from Symantec have exposed the activities of the Leafminer hacking group, allegedly linked to the Iranian government. The researchers managed to gain access to one of the servers used in the group's operations and obtained a list of Leafminer's targets and tools. The attackers have been conducting cyber espionage campaigns since the beginning of 2017 using well-known techniques and malware, and they track and quickly weaponize recently published PoC exploits. The APT group targets government and financial organizations in the Middle East and is primarily interested in credentials and access to corporate email and databases. The researchers note that the group is not very skillful but is quickly gaining experience and adopting new techniques. In addition to known malware and hacking tools, the group has created its own backdoors and modified several existing tools. For example, OrangeTeghal is a modified and obfuscated version of Mimikatz that is installed on a system using the Process Doppelgänging technique. Leafminer scans the publicly accessible web resources of targeted organizations for vulnerabilities, or conducts brute-force attacks, to gain a foothold and install trojans and backdoors. The attackers also compromised a number of websites and used them to collect credentials.
The group has been very successful in its cyber espionage operations in the Middle East, but the disclosure of its techniques and tools should help organizations better defend themselves against Leafminer attacks. Furthermore, a SIEM with the Mimikatz Defence Framework can detect the use of dumped credentials.