A threat actor known as Leafminer has been targeting Middle Eastern public and private sector organisations since at least early 2017, according to researchers at Symantec.
Symantec characterises the group as primarily using publicly available techniques and tools for their attacks, employing a range of methods including brute force/dictionary login attempts, scans of network services online, and exploiting watering-hole websites. Credentials, emails, files and databases are all among the information gone after by the group.
Leafminer’s primary targets are financial and government organisations, with petrochemicals coming in a close third. Symantec’s detection telemetry seems to show that the region most affected is Saudi Arabia, followed by Lebanon: of the 44 systems the researchers found to be infected with Leafminer-related malware and other tools, 28 were in Saudi Arabia, 8 in Lebanon, 3 in Israel and 1 in Kuwait. 4 were in unknown countries.
Symantec recently discovered a server used by Leafminer to host its arsenal of malware and tools, as well as details resulting from vulnerability scans. The server could be accessed via a public web shell, which is a modification of the PhpSpy backdoor and references the author ‘MagicCoder’. In researching this handle, Symantec’s team found that it is linked to Iran, with references appearing on the Iranian hacking forum Ashiyane and in the handiwork of Iranian hacker group Sun Army.
A list of 809 targets used by the attackers for vulnerability scans indicates that targeted regions include Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan. Lebanon’s absence from this list is potentially interesting, though Lebanese websites are among those used for watering hole attacks.
The researchers also noted that Leafminer generally seems to operate by re-using the exploits and techniques of other threat actors. The group’s compromised web server was found to be hosting several public proof-of-concept exploits and exploitation tools.
Re-used exploits include the Fuzzbunch framework used by the Shadow Brokers, for which Leafminer has developed exploit payloads exploiting SMB vulnerabilities described by Microsoft. The group has also been observed using EternalBlue and scanning for the Heartbleed vulnerability, and one of the custom tools it uses (which it calls ‘OrangeTeghal’) is simply a rebranded version of Mimikatz. Following the discussion of Process Doppelgänging, a detection evasion technique first discussed at the Black Hat EU conference last year, it also began using this technique, and the researchers noted that the compromise of watering hole websites seems to mimic techniques used by Dragonfly.
“Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security,” said the researchers. “It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools. That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks.”
For more information on Leafminer’s methods, and a list of indicators of compromise, check out Symantec’s full report.