Leafminer

Threat Actor Profile Updated 3 months ago
Leafminer is a highly active threat actor group that primarily targets organizations in the Middle East. The group gains access through watering-hole websites, vulnerability scans of internet-facing network services, and brute-force/dictionary login attempts. Its arsenal includes custom tools such as a rebranded version of Mimikatz and Total SMB BruteForcer, which it uses for lateral movement inside compromised networks. Leafminer's operations overlap significantly with those of RASPITE, and the group has been linked to numerous attacks in the Middle East, as detailed in a recent Symantec report.

During an investigation into Leafminer's activities, breakthrough discoveries identified the toolkit the group uses for intrusion, lateral movement, and exfiltration. Telemetry and log files hosted publicly on the attacker's arsenal server were used to assemble a targeting profile. The compromised web server used to store Leafminer's arsenal also hosted several public proof-of-concept exploits and exploitation tools. Commands found in a readme text stored in a ZIP archive alongside the hacktool THC Hydra represented online dictionary attacks against the Microsoft Exchange and Remote Desktop Protocol services of regional government servers in Saudi Arabia. A compromised web server on the domain e-qht.az was identified as a distribution point for Leafminer's malware, payloads, and tools.

Despite this level of activity, Leafminer shows signs of inexperience and poor operational security, and the group is visibly eager to learn from others; notably, it also tracks developments in the cybersecurity world. Customers of the DeepSight Intelligence Managed Adversary and Threat Intelligence service have received intelligence detailing the characteristics of the Leafminer cyber espionage group and methods for detecting and thwarting its activities.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing. No overlapping profiles are currently listed for this actor.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Symantec
Vulnerability
Lateral Move...
Malware
Exploit
Ransomware
Loader
exploitation
Malware Payl...
Espionage
Exploits
Associated Malware
ID (Type, Votes): Profile Description
Reflective Loader (Unspecified, 1 vote): A reflective loader is a type of malware that can load a Dynamic Link Library (DLL) into a process, often without the user's knowledge. This technique allows the malware to execute malicious code directly from memory, making it harder for antivirus software to detect and remove it. The loader operat
Readme (Unspecified, 1 vote): Readme is a type of malware that has been discovered to exploit and damage computer systems. It typically infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostage for
WannaCry (Unspecified, 1 vote): WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
Associated Threat Actors
ID (Type, Votes): Profile Description
Raspite (Unspecified, 1 vote): RASPITE is a threat actor that focuses on initial access operations within the electric utility sector and targets entities across the US, Middle East, Europe, and East Asia. Although they have not demonstrated an ICS-specific capability to date, their recent targeting focus and methodology are clea
Shadow Brokers (Unspecified, 1 vote): The Shadow Brokers, a threat actor group, made headlines in the cybersecurity world for their leaks of sophisticated cyber tools believed to be developed by the Equation Group, an Advanced Persistent Threat (APT) group associated with the NSA's Tailored Access Operations unit. The most notable among
Associated Vulnerabilities
ID (Type, Votes): Profile Description
Heartbleed (Unspecified, 1 vote): Heartbleed is a significant vulnerability (CVE-2014-0160) that was identified in the OpenSSL cryptographic software library in 2014. This flaw allows an attacker to read server memory and send additional data, leading to potential information leaks – hence the term "bleeding out data". The vulnerabi
Eternalblue (Unspecified, 1 vote): EternalBlue is a significant software vulnerability that exists in the design or implementation of certain systems. This flaw has been exploited by various cyber threats, with one notable instance being its use as an enabler for the widespread WannaCry ransomware attack. The exploit allows attackers
CVE-2014-0160 (Unspecified, 1 vote): CVE-2014-0160, commonly known as the Heartbleed vulnerability, is a significant flaw in software design or implementation that was discovered in 2014. The vulnerability lies within OpenSSL, a widely used open-source software for encrypting internet services. Despite its age, this vulnerability conti
Source Document References
Information about the Leafminer threat actor was read from the documents in the corpus below.
Source (Created At): Title
MITRE (a year ago): Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
MITRE (a year ago): RASPITE | Dragos