SYMBOLCOMMON_NAMEaka. SYNONYMS

[Unnamed group]  (Back to overview)


Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. Note -most of the leaks are posted on Telegram channels that were created specifically for this purpose. Below are the three main Telegram groups on which the leaks were posted: Lab Dookhtegam pseudonym ("The people whose lips are stitched and sealed" –translation from Persian) –In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more. Green Leakers–In this channel attack tools attributed to the group 'MuddyWatter' were leaked. The group's name and its symbol are identified with the "green movement", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the revolutionary guards (IRGC) Black Box–Unlike the previous two channels this has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one before the highest -top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.


Associated Families
win.fivehands win.puzzlemaker win.sombrat

References
2021-06-28CrowdStrikeAlexandru Ghita
@online{ghita:20210628:new:85c558c, author = {Alexandru Ghita}, title = {{New Ransomware Variant Uses Golang Packer}}, date = {2021-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/}, language = {English}, urldate = {2021-06-29} } New Ransomware Variant Uses Golang Packer
FiveHands HelloKitty
2021-06-16FireEyeTyler McLellan, Robert Dean, Justin Moore, Nick Harbour, Mike Hunhoff, Jared Wilson
@online{mclellan:20210616:smoking:fa6559d, author = {Tyler McLellan and Robert Dean and Justin Moore and Nick Harbour and Mike Hunhoff and Jared Wilson}, title = {{Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise}}, date = {2021-06-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html}, language = {English}, urldate = {2021-06-21} } Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
Cobalt Strike FiveHands
2021-06-15NCC GroupNCC RIFT, Michael Matthews, William Backhouse
@online{rift:20210615:handy:b76df78, author = {NCC RIFT and Michael Matthews and William Backhouse}, title = {{Handy guide to a new Fivehands ransomware variant}}, date = {2021-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/}, language = {English}, urldate = {2021-06-16} } Handy guide to a new Fivehands ransomware variant
FiveHands
2021-06-08KasperskyBoris Larin, Costin Raiu, Alexey Kulaev
@online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } PuzzleMaker attacks with Chrome zero-day exploit chain
Chainshot puzzlemaker
2021-05-13BlackberryBlackBerry Threat Research and Intelligence Team
@online{team:20210513:threat:15f6212, author = {BlackBerry Threat Research and Intelligence Team}, title = {{Threat Thursday: SombRAT — Always Leave Yourself a Backdoor}}, date = {2021-05-13}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/05/threat-thursday-sombrat-always-leave-yourself-a-backdoor}, language = {English}, urldate = {2021-05-19} } Threat Thursday: SombRAT — Always Leave Yourself a Backdoor
SombRAT
2021-05-06CISACISA
@online{cisa:20210506:mar103247841v1:408b7aa, author = {CISA}, title = {{MAR-10324784-1.v1: FiveHands Ransomware}}, date = {2021-05-06}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b}, language = {English}, urldate = {2021-05-08} } MAR-10324784-1.v1: FiveHands Ransomware
FiveHands
2021-05-06CISACISA
@online{cisa:20210506:analysis:9b259c7, author = {CISA}, title = {{Analysis Report: FiveHands Ransomware}}, date = {2021-05-06}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a}, language = {English}, urldate = {2021-05-08} } Analysis Report: FiveHands Ransomware
FiveHands
2021-04-29FireEyeTyler McLellan, Justin Moore, Raymond Leong
@online{mclellan:20210429:unc2447:2ad0d96, author = {Tyler McLellan and Justin Moore and Raymond Leong}, title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}}, date = {2021-04-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html}, language = {English}, urldate = {2021-09-09} } UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat
FiveHands HelloKitty
2020-11-12BlackberryBlackBerry Research and Intelligence team
@online{team:20201112:costaricto:1d1b0c8, author = {BlackBerry Research and Intelligence team}, title = {{The CostaRicto Campaign: Cyber-Espionage Outsourced}}, date = {2020-11-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced}, language = {English}, urldate = {2020-11-19} } The CostaRicto Campaign: Cyber-Espionage Outsourced
SombRAT
2019-05ClearSkyClearSky Research Team
@techreport{team:201905:iranian:536dc45, author = {ClearSky Research Team}, title = {{Iranian Nation-State APT Groups 'Black Box' Leak}}, date = {2019-05}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf}, language = {English}, urldate = {2019-12-24} } Iranian Nation-State APT Groups 'Black Box' Leak
[Unnamed group]

Credits: MISP Project