Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [1] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [2]

ID: G0003
Aliases: Cleaver, Threat Group 2889, TG-2889
Version: 1.0

Alias Descriptions

Name | Description
Cleaver | [1]
Threat Group 2889 | [2]
TG-2889 | [2]

Techniques Used

Domain | ID | Name | Use
PRE-ATT&CK | T1341 | Build social network persona | Cleaver created fake LinkedIn profiles. [2]
PRE-ATT&CK | T1345 | Create custom payloads | Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging. [1]
PRE-ATT&CK | T1342 | Develop social network persona digital footprint | Cleaver's fake personas included profile photos, details, and network connections. [2]
PRE-ATT&CK | T1313 | Obfuscation or cryptography | Cleaver has used zhCat to encrypt traffic or to apply inline obfuscation to make detection more difficult. zhCat makes message traffic look benign. [1]
Enterprise | T1003 | Credential Dumping | Cleaver has been known to dump credentials. [1]

Software

ID | Name | Techniques
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0056 | Net Crawler | Brute Force, Credential Dumping, Service Execution, Windows Admin Shares
S0029 | PsExec | Service Execution, Windows Admin Shares
S0004 | TinyZBot | Clipboard Data, Command-Line Interface, Disabling Security Tools, Input Capture, New Service, Registry Run Keys / Startup Folder, Screen Capture, Shortcut Modification

References