Presentation is loading. Please wait.

Presentation is loading. Please wait.

Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb.

Similar presentations


Presentation on theme: "Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb."— Presentation transcript:

1 Operation Cleaver Iran is the next China

2 Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb PDBs associated with the hacker name “Jimbp” e.g.: c:\users\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb PDBs associated with the keystroke loggers, artifacts, and numerous other tools, e.g.: e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb Why “Cleaver”? The name…

3 Targeting of Critical infrastructure globally. Shocking Level of access. Network. Systems. Applications. Databases. DNS. Paypal. GoDaddy. Basically Everything. Why Now? Exposing Cleaver…

4 Prior to 2010, Iran as a target was almost non-existent and as the attacker mentioned only in terms of website defacement In 2010, Stuxnet was realized, severely impacting Iran’s Nuclear program Retaliation began… Cleaver is an Iranian born campaign dating to 2012, with some data from Since Shamoon, we have witnessed an evolution of skillset and threat actor IRAN CYBER ATTACKS Exposing Cleaver…

5

6 Sourcing Iranian GeoIP Location: Iran Net block: Owner: Tarh Andishan tarh.andishan(at)yahoo.com Phone: NIC-Handle: TAR1973-RIPE Tarh Andishan – meaning “Innovators”, “Inventors” /27 – Current – Afranet, Iran / /22/2014 – Afranet, Iran / /5/2014 – Afranet, Middle East Oil, Iran /24 – 11/2012 – Afranet, Iran The logger module binary’s file description value is the following: ye file khube DG. ba in ham kari nadashte bashin Roughly translated from Persian, this text says: DG is a good file, don’t bother with this Starting Nmap 6.25 at :18 Iran Daylight Time Netafraz.com infrastructure in Iran Persian hacker names: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, etc.

7 IranRedline.org In one of IranRedLine.org’s blog posts, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research Sourcing Tarh Andishan

8 TTPs SQL Injection b1=%20show advanced b1=%20ftp -A

9 TTPs Spearphishing: fake resume tool

10 TTPs Spearphishing: Resume Submitter

11 Escalation and Pivoting Tools and Toys… Public: Netcat, Cain & Abel, psexec, Mimikatz, WCE, Putty, Plink, nmap, xcmd, etc. Custom: TinyZbot, NetC, ASPX webshells, SYN flooder, ARP poisoning, Csext, etc. Exploits: MS (Conficker) and MS (KiTrap0D)

12 Signing encryption keys for major airline company Usernames and passwords from dozens of companies 250k Windows credentials at a single Oil company Airport and Airline crew credentials Airport network configuration files SNMP credentials for major Energy Companies Student information targeting Access and Exfil The damage…

13 Indicators of Compromise (IOCs) Let’s go hunting… or preferably PREVENTING! Domains doosan-job(dot)com downloadsservers(dot)com drivercenterupdate(dot)com easyresumecreatorpro(dot)com googleproductupdate(dot)com googleproductupdate(dot)net kundenpflege.menrad(dot)de microsoftactiveservices(dot)com microsoftmiddleast(dot)com microsoftonlineupdates(dot)com microsoftserverupdate(dot)com microsoftupdateserver(dot)net microsoftwindowsresources(dot)com microsoftwindowsupdate(dot)net northropgrumman(dot)net teledyne-jobs(dot)com windowscentralupdate(dot)com windowssecurityupdate(dot)com windowsserverupdate(dot)com windowsupdateserver(dot)com s for Domain Registration davejsmith200(at)outlook.com salman.ghazikhani(at)outlook.com btr.8624(at)yahoo.com ghanbarianco(at)gmail.com azlinux73(at)gmail.com domain(at)netafraz.com tarh.andishan(at)yahoo.com ahmadi(at)odeconline.com kafe0(at)yahoo.com dg_co(at)yahoo.com zahiry_alireza(at)yahoo.com zahiry.alireza(at)gmail.com s used for Exfiltration testmail_00001(at)yahoo.com TerafficAnalyzer(at)yahoo.com dyanachear(at)beyondsys.com Mutexes ZSC1 Adobe Report Service Bmgr Dynamic Mutexes demdaramdidam ILoveThisMutex Installed Services Names COM+ System Extentions COM__System_Extentions Network Connectivity Manager Service1 MsNetMonitor Pcapins scManagerSvc CredentialSync Adobe Report Service IP Addresses

14 Resources “Operation Cleaver” Report Cylance Blog for more information Yara rules on Cylance.com Test Drive CylancePROTECT: my.cylance.com


Download ppt "Operation Cleaver Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb."

Similar presentations


Ads by Google