1. Home
  2. Groups
  3. Leafminer

Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [1]

ID: G0077
Associated Groups: Raspite
Version: 2.4
Created: 17 October 2018
Last Modified: 22 March 2023
Version Permalink

Associated Group Descriptions

Name Description
Raspite

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1110 .003 Brute Force: Password Spraying

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.[1]
Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Leafminer infected victims using JavaScript code.[1]
Enterprise T1136 .001 Create Account: Local Account

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[1]
Enterprise T1555 Credentials from Password Stores

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]
.003 Credentials from Web Browsers

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]
Enterprise T1189 Drive-by Compromise

Leafminer has infected victims using watering holes.[1]
Enterprise T1114 .002 Email Collection: Remote Email Collection

Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[1]
Enterprise T1083 File and Directory Discovery

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.[1]
Enterprise T1046 Network Service Discovery

Leafminer scanned network services to search for vulnerabilities in the victim system.[1]
Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Leafminer obfuscated scripts that were used on victim machines.[1]
Enterprise T1588 .002 Obtain Capabilities: Tool

Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.[1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.[1]
.004 OS Credential Dumping: LSA Secrets

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]
.005 OS Credential Dumping: Cached Domain Credentials

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]
Enterprise T1055 .013 Process Injection: Process Doppelgänging

Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.[1]

Enterprise T1018 Remote System Discovery

Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems.[1]
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Software

ID Name References Techniques
S0349 LaZagne [1] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0413 MailSniper [1] Account Discovery: Email Account, Brute Force: Password Spraying, Email Collection: Remote Email Collection
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References

  1. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  1. Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018.