Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [1]

ID: G0077
Associated Groups: Raspite
Version: 2.4
Created: 17 October 2018
Last Modified: 22 March 2023

Associated Group Descriptions

Name Description
Raspite [2]

Techniques Used

Domain ID Name Use
Enterprise T1555 Credentials from Password Stores

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1136 .001 Create Account: Local Account

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Leafminer infected victims using JavaScript code.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.[1]

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1003 .005 OS Credential Dumping: Cached Domain Credentials

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1083 File and Directory Discovery

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.[1]

Enterprise T1110 .003 Brute Force: Password Spraying

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1189 Drive-by Compromise

Leafminer has infected victims using watering holes.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Leafminer obfuscated scripts that were used on victim machines.[1]

Enterprise T1114 .002 Email Collection: Remote Email Collection

Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[1]

Enterprise T1046 Network Service Discovery

Leafminer scanned network services to search for vulnerabilities in the victim system.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.[1]

Enterprise T1055 .013 Process Injection: Process Doppelgänging

Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.[1]

Enterprise T1018 Remote System Discovery

Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems.[1]

Software

ID Name References Techniques
S0349 LaZagne [1] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0413 MailSniper [1] Brute Force: Password Spraying, Email Collection: Remote Email Collection, Account Discovery: Email Account
S0002 Mimikatz [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0029 PsExec [1] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares

References