Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb.
Presentation on theme: "Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb."— Presentation transcript:
Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb PDBs associated with the hacker name “Jimbp” e.g.: c:\users\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb PDBs associated with the keystroke loggers, artifacts, and numerous other tools, e.g.: e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb Why “Cleaver”? The name…
Prior to 2010, Iran as a target was almost non-existent and as the attacker mentioned only in terms of website defacement In 2010, Stuxnet was realized, severely impacting Iran’s Nuclear program Retaliation began… Cleaver is an Iranian born campaign dating to 2012, with some data from 2007. Since Shamoon, we have witnessed an evolution of skillset and threat actor IRAN CYBER ATTACKS Exposing Cleaver…
Sourcing Iranian GeoIP Location: Iran Net block: 18.104.22.168 - 22.214.171.124 Owner: Tarh Andishan Email: tarh.andishan(at)yahoo.com Phone: +98-21-22496658 NIC-Handle: TAR1973-RIPE Tarh Andishan – meaning “Innovators”, “Inventors” 126.96.36.199/27 – Current – Afranet, Iran 188.8.131.52/28 - 10/22/2014 – Afranet, Iran 184.108.40.206/29 - 10/5/2014 – Afranet, Middle East Oil, Iran 220.127.116.11/24 – 11/2012 – Afranet, Iran The logger module binary’s file description value is the following: ye file khube DG. ba in ham kari nadashte bashin Roughly translated from Persian, this text says: DG is a good file, don’t bother with this Starting Nmap 6.25 at 2012-08-17 09:18 Iran Daylight Time Netafraz.com infrastructure in Iran Persian hacker names: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, etc.
IranRedline.org In one of IranRedLine.org’s blog posts, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research Sourcing Tarh Andishan
Escalation and Pivoting Tools and Toys… Public: Netcat, Cain & Abel, psexec, Mimikatz, WCE, Putty, Plink, nmap, xcmd, etc. Custom: TinyZbot, NetC, ASPX webshells, SYN flooder, ARP poisoning, Csext, etc. Exploits: MS08-067 (Conficker) and MS10-015 (KiTrap0D)
Signing encryption keys for major airline company Usernames and passwords from dozens of companies 250k Windows credentials at a single Oil company Airport and Airline crew credentials Airport network configuration files SNMP credentials for major Energy Companies Student information targeting Access and Exfil The damage…
Resources “Operation Cleaver” Report Cylance Blog Twitter: @cylanceinc Twitter: @hackingexposed Email: opcleaver@Cylance.com for more information Yara rules on Cylance.com Test Drive CylancePROTECT: my.cylance.com