Group: Group5

From ATT&CK
Jump to: navigation, search
Group5
Group
ID G0043
Aliases Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.1

Techniques Used

  • Software Packing - Group5 packed an executable by base64 encoding the PE file and breaking it up into numerous lines.1
  • Input Capture - Malware used by Group5 is capable of capturing keystrokes.1
  • Screen Capture - Malware used by Group5 is capable of watching the victim's screen.1
  • File Deletion - Malware used by Group5 is capable of remotely deleting files from victims.1