Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [1] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [2]

ID: G0003
Associated Groups: Threat Group 2889, TG-2889
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description
Threat Group 2889 [2]
TG-2889 [2]

Techniques Used

Domain ID Name Use
PRE-ATT&CK T1341 Build social network persona

Cleaver created fake LinkedIn profiles.[2]

PRE-ATT&CK T1345 Create custom payloads

Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[1]

PRE-ATT&CK T1342 Develop social network persona digital footprint

Cleaver fake personas included profile photos, details, and network connections.[2]

PRE-ATT&CK T1313 Obfuscation or cryptography

Cleaver has used zhCat to encrypt traffic or to apply inline obfuscation, making detection more difficult; zhCat makes message traffic look benign.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.[1]
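Detection of the LSASS access described above, as an added example that is not from the ATT&CK page or the cited reports: Sysmon Event ID 10 (ProcessAccess) records which process opened lsass.exe and with what access mask. Mimikatz's sekurlsa modules read LSASS memory, so they need PROCESS_VM_READ (0x0010) and are commonly observed requesting masks such as 0x1010 and 0x1410; a tool that injects code into LSASS instead asks for write and thread-creation rights as well. The classifier below flags non-allowlisted openers that request memory-read or injection rights, or whose call trace contains frames not backed by a module on disk (UNKNOWN). The key=value line format, the sample records and the allowlist are constructed for the example.

```python
import re

# Process access rights from winnt.h (PROCESS_* constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Access masks commonly observed when Mimikatz sekurlsa modules open lsass.exe.
KNOWN_DUMPER_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Processes expected to open LSASS on a typical host. Assumption for this
# example: tune it against your own baseline before deploying.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one flattened key=value Sysmon record into a dict."""
    return {m.group(1): m.group(2).strip('"') for m in FIELD_RE.finditer(line)}


def classify_lsass_access(ev):
    """Return (verdict, reasons) for a Sysmon EID 10 record, or None if not about LSASS."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    mask = int(ev.get("GrantedAccess", "0"), 16)
    if source in ALLOWLIST:
        return ("info", ["source image is allowlisted"])
    reasons = []
    if mask in KNOWN_DUMPER_MASKS:
        reasons.append(f"GrantedAccess {mask:#06x} matches a known credential-dumper mask")
    if mask & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ requested: caller can read credential material")
    if mask & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        reasons.append("write/thread rights requested: code injection into LSASS, not a plain read")
    if "UNKNOWN" in ev.get("CallTrace", ""):
        reasons.append("call trace contains UNKNOWN frames (code not backed by a module on disk)")
    if not reasons:
        return ("info", ["LSASS handle without memory-read rights"])
    return ("alert", reasons)


def detect(lines):
    """Run the classifier over log lines and return only the alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        result = classify_lsass_access(ev)
        if result and result[0] == "alert":
            alerts.append({"source": ev.get("SourceImage"),
                           "mask": ev.get("GrantedAccess"),
                           "reasons": result[1]})
    return alerts


# Constructed sample records (Sysmon fields flattened to key=value; not real telemetry).
SAMPLE_LOG = [
    r'EventID=10 SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d1e4"',
    r'EventID=10 SourceImage="C:\Users\a\Downloads\mimikatz.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1010 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Users\a\Downloads\mimikatz.exe+5d2a"',
    r'EventID=10 SourceImage="C:\Windows\Temp\wce.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1438 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(00000000001F2C10)"',
    r'EventID=10 SourceImage="C:\Windows\System32\taskmgr.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess=0x1010',
    r'EventID=1 Image="C:\Windows\System32\lsass.exe" CommandLine="C:\Windows\system32\lsass.exe"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["source"], hit["mask"], "; ".join(hit["reasons"]))
```

The allowlist is the part that needs the most care in production: an attacker who runs the dumper from an allowlisted path, or injects into an allowlisted process, will not trip this rule, so pair it with signing checks on the source image and keep the UNKNOWN-frame condition, which does not depend on the image path.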

Software

ID Name References Techniques

S0002 Mimikatz [1]
Techniques: Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0056 Net Crawler [1]
Techniques: Brute Force: Password Cracking, OS Credential Dumping: LSASS Memory, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S0029 PsExec [1]
Techniques: Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S0004 TinyZBot [1]
Techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Impair Defenses: Disable or Modify Tools, Input Capture: Keylogging, Screen Capture
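The PsExec (S0029) and Net Crawler (S0056) entries above both map to Remote Services: SMB/Windows Admin Shares and System Services: Service Execution, which is the PsExec pattern: copy a service binary into the target's ADMIN$ share, then install and start it as a service. As an added example (not code from the page or from the cited reports), the script below correlates a Windows Security event 5145 (a file written into ADMIN$ or C$) with a later System event 7045 (a service installed) whose image is the file just written, so it still fires when the operator renames the service with PsExec's -r option and the default PSEXESVC name never appears. The flattened key=value record format, the sample events and the 60-second window are constructed for the example.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_WRITE_DATA = 0x2            # access-mask bit for writing/adding a file (winnt.h)
PSEXEC_SERVICE = "psexesvc"      # Sysinternals default service and binary name
ADMIN_SHARES = ("admin$", "c$")  # shares PsExec-style tools copy the service binary into


def parse_event(line):
    """Parse one flattened key=value Windows event into a dict."""
    return {m.group(1): m.group(2).strip('"') for m in FIELD_RE.finditer(line)}


def correlate_psexec_style_installs(lines, window=60):
    """Flag 7045 service installs that look like PsExec-style remote execution.

    Signals: the default PSEXESVC name, and (stronger, because it survives a
    renamed service) the service image having been written into ADMIN$ or C$
    over SMB (Security 5145) at most `window` seconds before the install.
    Events are assumed to arrive in time order, as they would from one host.
    """
    drops = defaultdict(list)   # lowercase filename -> [(time, source ip, account)]
    alerts = []
    for line in lines:
        ev = parse_event(line)
        t = int(ev.get("Time", "0"))
        eid = ev.get("EventID")
        if eid == "5145":
            # ShareName looks like \\*\ADMIN$; compare only the share itself so IPC$ is not mistaken for C$.
            share = ev.get("ShareName", "").lower().rsplit("\\", 1)[-1]
            mask = int(ev.get("AccessMask", "0"), 16)
            if share in ADMIN_SHARES and mask & FILE_WRITE_DATA:
                fname = ev.get("RelativeTargetName", "").rsplit("\\", 1)[-1].lower()
                drops[fname].append((t, ev.get("IpAddress", "?"), ev.get("SubjectUserName", "?")))
        elif eid == "7045":
            name = ev.get("ServiceName", "").lower()
            image = ev.get("ImagePath", "").lower()
            basename = image.rsplit("\\", 1)[-1].split(" ")[0]
            reasons = []
            if PSEXEC_SERVICE in name or PSEXEC_SERVICE in basename:
                reasons.append("default PsExec service/binary name")
            for dt, ip, acct in drops.get(basename, []):
                if 0 <= t - dt <= window:
                    reasons.append(f"image was written to an admin share {t - dt}s earlier from {ip} as {acct}")
            if reasons:
                alerts.append({"time": t, "service": ev.get("ServiceName"),
                               "image": ev.get("ImagePath"), "reasons": reasons})
    return alerts


# Constructed sample events (Security 5145 and System 7045 flattened to key=value; not real telemetry).
SAMPLE_LOG = [
    # Stock PsExec: PSEXESVC.exe copied to ADMIN$, then installed as a service.
    r'Time=100 EventID=5145 SubjectUserName="CORP\svc_backup" IpAddress=10.0.0.5 ShareName="\\*\ADMIN$" RelativeTargetName="PSEXESVC.exe" AccessMask=0x2',
    r'Time=101 EventID=7045 ServiceName="PSEXESVC" ImagePath="%SystemRoot%\PSEXESVC.exe" StartType="demand start" AccountName="LocalSystem"',
    # Renamed service (psexec -r winupd): the name gives nothing away, the drop-then-install sequence still does.
    r'Time=300 EventID=5145 SubjectUserName="CORP\jdoe" IpAddress=10.0.0.9 ShareName="\\*\ADMIN$" RelativeTargetName="winupd.exe" AccessMask=0x2',
    r'Time=302 EventID=7045 ServiceName="winupd" ImagePath="%SystemRoot%\winupd.exe" StartType="demand start" AccountName="LocalSystem"',
    # Benign install from a local path: no admin-share write precedes it.
    r'Time=500 EventID=7045 ServiceName="VendorAgent" ImagePath="C:\Program Files\Vendor\agent.exe" StartType="auto start" AccountName="LocalSystem"',
    # Named-pipe access to IPC$ and a stale drop outside the window are both ignored.
    r'Time=600 EventID=5145 SubjectUserName="CORP\jdoe" IpAddress=10.0.0.9 ShareName="\\*\IPC$" RelativeTargetName="srvsvc" AccessMask=0x12019f',
    r'Time=700 EventID=5145 SubjectUserName="CORP\jdoe" IpAddress=10.0.0.9 ShareName="\\*\ADMIN$" RelativeTargetName="tool.exe" AccessMask=0x2',
    r'Time=900 EventID=7045 ServiceName="tool" ImagePath="%SystemRoot%\tool.exe" StartType="demand start" AccountName="LocalSystem"',
]

if __name__ == "__main__":
    for hit in correlate_psexec_style_installs(SAMPLE_LOG):
        print(hit["time"], hit["service"], hit["image"], "; ".join(hit["reasons"]))
```

Event 5145 is only generated when "Audit Detailed File Share" is enabled and is noisy on file servers; scoping the 5145 side to ADMIN$ and C$ writes, as above, keeps the volume manageable, and the source IP and account carried into the alert are what an analyst needs next to pivot to the originating host.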

References