Presentation is loading. Please wait.

Presentation is loading. Please wait.

Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb.

Similar presentations

Presentation on theme: "Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb."— Presentation transcript:

1 Operation Cleaver Iran is the next China

2 Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb PDBs associated with the hacker name “Jimbp” e.g.: c:\users\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb PDBs associated with the keystroke loggers, artifacts, and numerous other tools, e.g.: e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb Why “Cleaver”? The name…

3 Targeting of Critical infrastructure globally. Shocking Level of access. Network. Systems. Applications. Databases. DNS. Paypal. GoDaddy. Basically Everything. Why Now? Exposing Cleaver…

4 Prior to 2010, Iran as a target was almost non-existent and as the attacker mentioned only in terms of website defacement In 2010, Stuxnet was realized, severely impacting Iran’s Nuclear program Retaliation began… Cleaver is an Iranian born campaign dating to 2012, with some data from 2007. Since Shamoon, we have witnessed an evolution of skillset and threat actor IRAN CYBER ATTACKS Exposing Cleaver…


6 Sourcing Iranian GeoIP Location: Iran Net block: - Owner: Tarh Andishan Email: tarh.andishan(at) Phone: +98-21-22496658 NIC-Handle: TAR1973-RIPE Tarh Andishan – meaning “Innovators”, “Inventors” – Current – Afranet, Iran - 10/22/2014 – Afranet, Iran - 10/5/2014 – Afranet, Middle East Oil, Iran – 11/2012 – Afranet, Iran The logger module binary’s file description value is the following: ye file khube DG. ba in ham kari nadashte bashin Roughly translated from Persian, this text says: DG is a good file, don’t bother with this Starting Nmap 6.25 at 2012-08-17 09:18 Iran Daylight Time infrastructure in Iran Persian hacker names: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, etc.

7 In one of’s blog posts, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research Sourcing Tarh Andishan

8 TTPs SQL Injection http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@ b1=%20show advanced options;declare%20@b2%20varchar(8000);set%20@b2=%20xp_ cmdshell;%20EXEC%20master.dbo.sp_configure%20@b1,%201;RECONFIGURE;EXEC%20master.dbo.sp_configure%20@b2,%201;RECONFIGURE;--%20 http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@ b1=%20ftp -A;%20exec%20master..xp_cmdshell%20@b1--%2

9 TTPs Spearphishing: fake resume tool

10 TTPs Spearphishing: Resume Submitter

11 Escalation and Pivoting Tools and Toys… Public: Netcat, Cain & Abel, psexec, Mimikatz, WCE, Putty, Plink, nmap, xcmd, etc. Custom: TinyZbot, NetC, ASPX webshells, SYN flooder, ARP poisoning, Csext, etc. Exploits: MS08-067 (Conficker) and MS10-015 (KiTrap0D)

12 Signing encryption keys for major airline company Usernames and passwords from dozens of companies 250k Windows credentials at a single Oil company Airport and Airline crew credentials Airport network configuration files SNMP credentials for major Energy Companies Student information targeting Access and Exfil The damage…

13 Indicators of Compromise (IOCs) Let’s go hunting… or preferably PREVENTING! Domains doosan-job(dot)com downloadsservers(dot)com drivercenterupdate(dot)com easyresumecreatorpro(dot)com googleproductupdate(dot)com googleproductupdate(dot)net kundenpflege.menrad(dot)de microsoftactiveservices(dot)com microsoftmiddleast(dot)com microsoftonlineupdates(dot)com microsoftserverupdate(dot)com microsoftupdateserver(dot)net microsoftwindowsresources(dot)com microsoftwindowsupdate(dot)net northropgrumman(dot)net teledyne-jobs(dot)com windowscentralupdate(dot)com windowssecurityupdate(dot)com windowsserverupdate(dot)com windowsupdateserver(dot)com www.gesunddurchsjahr(dot)de Emails for Domain Registration davejsmith200(at) salman.ghazikhani(at) btr.8624(at) ghanbarianco(at) azlinux73(at) domain(at) tarh.andishan(at) ahmadi(at) kafe0(at) dg_co(at) zahiry_alireza(at) zahiry.alireza(at) Emails used for Exfiltration testmail_00001(at) TerafficAnalyzer(at) dyanachear(at) Mutexes ZSC1 Adobe Report Service Bmgr Dynamic Mutexes demdaramdidam ILoveThisMutex Installed Services Names COM+ System Extentions COM__System_Extentions Network Connectivity Manager Service1 MsNetMonitor Pcapins scManagerSvc CredentialSync Adobe Report Service IP Addresses

14 Resources “Operation Cleaver” Report Cylance Blog Twitter: @cylanceinc Twitter: @hackingexposed Email: for more information Yara rules on Test Drive CylancePROTECT:

Download ppt "Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb."

Similar presentations

Ads by Google