
Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [1]

ID: G0077
Associated Groups: Raspite
Version: 2.4
Created: 17 October 2018
Last Modified: 22 March 2023

Associated Group Descriptions

Name | Description
Raspite | [2]

Techniques Used

Domain ID Name Use
Enterprise T1110.003 Brute Force: Password Spraying

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

Leafminer infected victims using JavaScript code.[1]

Enterprise T1136.001 Create Account: Local Account

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.[1]

Enterprise T1555 Credentials from Password Stores

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1189 Drive-by Compromise

Leafminer has infected victims using watering holes.[1]

Enterprise T1114.002 Email Collection: Remote Email Collection

Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.[1]

Enterprise T1083 File and Directory Discovery

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.[1]

Enterprise T1046 Network Service Discovery

Leafminer scanned network services to search for vulnerabilities in the victim system.[1]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

Leafminer obfuscated scripts that were used on victim machines.[1]

Enterprise T1588.002 Obtain Capabilities: Tool

Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.[1]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.[1]

Enterprise T1003.004 OS Credential Dumping: LSA Secrets

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1003.005 OS Credential Dumping: Cached Domain Credentials

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Enterprise T1055.013 Process Injection: Process Doppelgänging

Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.[1]

Enterprise T1018 Remote System Discovery

Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems.[1]

Enterprise T1552.001 Unsecured Credentials: Credentials In Files

Leafminer used several tools for retrieving login and password information, including LaZagne.[1]

Software

ID | Name | References | Techniques
S0349 | LaZagne | [1] | Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0413 | MailSniper | [1] | Account Discovery: Email Account, Brute Force: Password Spraying, Email Collection: Remote Email Collection
S0002 | Mimikatz | [1] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 | PsExec | [1] | Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References