Symantec has uncovered the operations of a threat actor named Leafminer that has been targeting a broad list of government organisations and business verticals in various regions of the Middle East since at least early 2017.
The group tends to adapt publicly available techniques and tools for its attacks and experiments with published proof-of-concept exploits, according to the cybersecurity firm.
Leafminer attempts to infiltrate target networks through various means of intrusion: watering hole websites, vulnerability scans of network services on the internet, and brute-force/dictionary login attempts. The actor’s post-compromise toolkit suggests that the group is looking for email data, files, and database servers on compromised target systems.
Symantec detection telemetry shows malware and custom tools used by Leafminer on 44 systems across four regions in the Middle East.
The investigation uncovered that Leafminer has a list of 809 targets used by the attackers for vulnerability scans. The list is written in the Iranian language Farsi and groups each organisation of interest by geography and industry. Targeted regions included in the list are Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, and Afghanistan.
Symantec highlighted that the new threat actor is a highly active group, responsible for targeting a range of organisations across the Middle East. “The group appears to be based in Iran and seems to be eager to learn from and capitalise on tools and techniques used by more advanced threat actors,” it said.
Leafminer has also been tracking developments in the world of cybersecurity. After the Heartbleed bug was disclosed, it began scanning for instances of the vulnerability. It also utilised Process Doppelgänging, a detection evasion technique first discussed at the Black Hat EU conference last year.
The research showed that Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. “It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools. That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks,” the company said.