[Unnamed group]  (Back to overview)

Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. Note -most of the leaks are posted on Telegram channels that were created specifically for this purpose. Below are the three main Telegram groups on which the leaks were posted: Lab Dookhtegam pseudonym ("The people whose lips are stitched and sealed" –translation from Persian) –In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more. Green Leakers–In this channel attack tools attributed to the group 'MuddyWatter' were leaked. The group's name and its symbol are identified with the "green movement", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the revolutionary guards (IRGC) Black Box–Unlike the previous two channels this has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one before the highest -top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.

---

Associated Families

---

References

2022-09-06 ⋅ CISA ⋅ US-CERT, FBI, CISA, MS-ISAC @online{uscert:20220906:alert:4058a6d, author = {US-CERT and FBI and CISA and MS-ISAC}, title = {{Alert (AA22-249A) #StopRansomware: Vice Society}}, date = {2022-09-06}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-249a}, language = {English}, urldate = {2022-09-16} } Alert (AA22-249A) #StopRansomware: Vice Society Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) @online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU) @online{tru:20220321:conti:507fdf9, author = {eSentire Threat Response Unit (TRU)}, title = {{Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire}, language = {English}, urldate = {2022-05-23} } Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered HelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID

2021-11-30 ⋅ Symantec ⋅ Symantec Threat Hunter Team @online{team:20211130:yanluowang:538b90c, author = {Symantec Threat Hunter Team}, title = {{Yanluowang: Further Insights on New Ransomware Threat}}, date = {2021-11-30}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue}, language = {English}, urldate = {2022-09-20} } Yanluowang: Further Insights on New Ransomware Threat BazarBackdoor Cobalt Strike FiveHands

2021-11-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu @online{ilascu:20211130:yanluowang:9cc8a2f, author = {Ionut Ilascu}, title = {{Yanluowang ransomware operation matures with experienced affiliates}}, date = {2021-11-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/}, language = {English}, urldate = {2021-11-30} } Yanluowang ransomware operation matures with experienced affiliates FiveHands

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team @techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-06-28 ⋅ CrowdStrike ⋅ Alexandru Ghita @online{ghita:20210628:new:85c558c, author = {Alexandru Ghita}, title = {{New Ransomware Variant Uses Golang Packer}}, date = {2021-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/}, language = {English}, urldate = {2021-06-29} } New Ransomware Variant Uses Golang Packer FiveHands HelloKitty

2021-06-15 ⋅ NCC Group ⋅ NCC RIFT, Michael Matthews, William Backhouse @online{rift:20210615:handy:b76df78, author = {NCC RIFT and Michael Matthews and William Backhouse}, title = {{Handy guide to a new Fivehands ransomware variant}}, date = {2021-06-15}, organization = {NCC Group}, url = {https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/}, language = {English}, urldate = {2021-06-16} } Handy guide to a new Fivehands ransomware variant FiveHands

2021-06-08 ⋅ Kaspersky ⋅ Boris Larin, Costin Raiu, Alexey Kulaev @online{larin:20210608:puzzlemaker:43c7dfa, author = {Boris Larin and Costin Raiu and Alexey Kulaev}, title = {{PuzzleMaker attacks with Chrome zero-day exploit chain}}, date = {2021-06-08}, organization = {Kaspersky}, url = {https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/}, language = {English}, urldate = {2021-06-16} } PuzzleMaker attacks with Chrome zero-day exploit chain Chainshot puzzlemaker

2021-05-13 ⋅ Blackberry ⋅ BlackBerry Threat Research and Intelligence Team @online{team:20210513:threat:15f6212, author = {BlackBerry Threat Research and Intelligence Team}, title = {{Threat Thursday: SombRAT — Always Leave Yourself a Backdoor}}, date = {2021-05-13}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/05/threat-thursday-sombrat-always-leave-yourself-a-backdoor}, language = {English}, urldate = {2021-05-19} } Threat Thursday: SombRAT — Always Leave Yourself a Backdoor SombRAT

2021-05-06 ⋅ CISA ⋅ CISA @online{cisa:20210506:analysis:9b259c7, author = {CISA}, title = {{Analysis Report: FiveHands Ransomware}}, date = {2021-05-06}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a}, language = {English}, urldate = {2021-05-08} } Analysis Report: FiveHands Ransomware FiveHands

2021-05-06 ⋅ CISA ⋅ CISA @online{cisa:20210506:mar103247841v1:408b7aa, author = {CISA}, title = {{MAR-10324784-1.v1: FiveHands Ransomware}}, date = {2021-05-06}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b}, language = {English}, urldate = {2021-05-08} } MAR-10324784-1.v1: FiveHands Ransomware FiveHands

2021-04-29 ⋅ FireEye ⋅ Tyler McLellan, Justin Moore, Raymond Leong @online{mclellan:20210429:unc2447:2ad0d96, author = {Tyler McLellan and Justin Moore and Raymond Leong}, title = {{UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat}}, date = {2021-04-29}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html}, language = {English}, urldate = {2022-03-07} } UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat Cobalt Strike FiveHands HelloKitty

2020-11-12 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team @online{team:20201112:costaricto:1d1b0c8, author = {BlackBerry Research and Intelligence team}, title = {{The CostaRicto Campaign: Cyber-Espionage Outsourced}}, date = {2020-11-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced}, language = {English}, urldate = {2020-11-19} } The CostaRicto Campaign: Cyber-Espionage Outsourced SombRAT

2019-05 ⋅ ClearSky ⋅ ClearSky Research Team @techreport{team:201905:iranian:536dc45, author = {ClearSky Research Team}, title = {{Iranian Nation-State APT Groups 'Black Box' Leak}}, date = {2019-05}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf}, language = {English}, urldate = {2019-12-24} } Iranian Nation-State APT Groups 'Black Box' Leak [Unnamed group]

---

Credits: MISP Project