Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. [1]

ID: G0043
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1107 | File Deletion | Malware used by Group5 is capable of remotely deleting files from victims. [1]
Enterprise | T1056 | Input Capture | Malware used by Group5 is capable of capturing keystrokes. [1]
Enterprise | T1027 | Obfuscated Files or Information | Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files. [1]
Enterprise | T1113 | Screen Capture | Malware used by Group5 is capable of watching the victim's screen. [1]
Enterprise | T1045 | Software Packing | Group5 packed an executable by base64 encoding the PE file and breaking it up into numerous lines. [1]
Enterprise | T1065 | Uncommonly Used Port | Group5 C2 servers communicated with malware over TCP 8081, 8282, and 8083. [1]
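The Software Packing row describes a PE file base64-encoded and split across many lines. The following detection helper, an added example that is not part of the ATT&CK page or the cited report, joins runs of consecutive base64-only lines in a text artifact, decodes them, and checks whether the result carries an MZ header whose e_lfanew points at a PE signature. The embedded sample is a constructed MZ/PE-shaped fixture, not a Group5 sample.

```python
import base64
import re
import struct

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_base64_runs(text, min_lines=3):
    """Decode every run of at least min_lines consecutive base64-only lines.

    A payload split across many lines shows up as one long run; lines of
    ordinary script or prose break the run and are skipped.
    """
    runs, current = [], []
    for line in text.splitlines() + [""]:  # sentinel flushes the final run
        s = line.strip()
        if s and B64_LINE.match(s):
            current.append(s)
            continue
        if len(current) >= min_lines:
            joined = "".join(current)
            joined += "=" * (-len(joined) % 4)  # restore stripped padding
            try:
                runs.append(base64.b64decode(joined, validate=True))
            except ValueError:
                pass  # not valid base64 after all; ignore this run
        current = []
    return runs


def looks_like_pe(data):
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_packed_pe(text):
    """Return the decoded sizes of PE images hidden in base64 line runs of text."""
    return [len(blob) for blob in extract_base64_runs(text) if looks_like_pe(blob)]


# Constructed fixture: a 160-byte MZ/PE-shaped blob (not a runnable binary),
# base64-encoded and broken into 40-character lines between two script lines.
_FAKE_PE = (b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x80)
            + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 28)
_B64 = base64.b64encode(_FAKE_PE).decode()
SAMPLE_TEXT = "Dim payload As String\n" + "\n".join(
    _B64[i:i + 40] for i in range(0, len(_B64), 40)) + "\nEnd Sub\n"

if __name__ == "__main__":
    print(find_packed_pe(SAMPLE_TEXT))  # [160]
```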