Leafminer

Threat Actor updated 4 months ago (2024-05-05T13:17:32.161Z)
Leafminer is a highly active threat actor group that primarily targets organizations in the Middle East. The group employs several intrusion methods: watering-hole websites, vulnerability scans of internet-facing network services, and brute-force/dictionary login attempts. Its arsenal includes custom tools such as a rebranded version of Mimikatz and Total SMB BruteForcer, used for lateral movement within infiltrated systems. Leafminer's operations overlap significantly with RASPITE, and the group has been linked to numerous attacks in the Middle East, as detailed in a recent report by Symantec.

During an investigation into Leafminer's activities, breakthrough discoveries helped identify the toolkit used for intrusion, lateral movement, and exfiltration. Evidence from telemetry and from log files hosted publicly on the attacker's arsenal server was used to assemble a targeting profile. The compromised web server used to store Leafminer's arsenal also hosted several public proof-of-concept exploits and exploitation tools. Furthermore, commands found in a readme text file, stored in a ZIP archive alongside the hacktool THC Hydra, represented online dictionary attacks against the Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia. A compromised web server on the domain e-qht.az was identified as a distribution point for Leafminer's malware, payloads, and tools.

Despite its level of activity, Leafminer exhibits signs of inexperience and poor operational security, evident in its eagerness to learn from others. Customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence service have received intelligence detailing the characteristics of the Leafminer cyber espionage group and methods for detecting and thwarting its activities. Notably, Leafminer has also been tracking developments in the world of cybersecurity.
Description last updated: 2024-05-05T13:15:06.581Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Leafminer Threat Actor was read from the documents corpus below. This display is limited to 20 results.

- Source: MITRE; created 2 years ago; title: Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
- Source: MITRE; created 2 years ago; title: RASPITE | Dragos