Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [1]

ID: G0077
Associated Groups: Raspite
Version: 2.2
Created: 17 October 2018
Last Modified: 23 June 2020

Associated Group Descriptions

Name Description
Raspite [2]

Techniques Used

Domain ID Name Use
Enterprise T1110 .003 Brute Force: Password Spraying

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Leafminer infected victims using JavaScript code.[1]

Enterprise T1136 .001 Create Account: Local Account

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[1]

Enterprise T1555 Credentials from Password Stores

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1189 Drive-by Compromise

Leafminer has infected victims using watering holes.[1]

Enterprise T1114 .002 Email Collection: Remote Email Collection

Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[1]

Enterprise T1083 File and Directory Discovery

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.[1]

Enterprise T1046 Network Service Scanning

Leafminer scanned network services to search for vulnerabilities in the victim system.[1]

Enterprise T1027 Obfuscated Files or Information

Leafminer obfuscated scripts that were used on victim machines.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.[1]

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1003 .005 OS Credential Dumping: Cached Domain Credentials

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1055 .013 Process Injection: Process Doppelgänging

Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.[1]

Enterprise T1018 Remote System Discovery

Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Software

ID Name References Techniques
S0349 LaZagne [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Keychain, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: /etc/passwd and /etc/shadow, Unsecured Credentials: Credentials In Files
S0413 MailSniper [1] Account Discovery: Email Account, Brute Force: Password Spraying, Email Collection: Remote Email Collection
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [1] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References