Clues suggest the group operates from within Iran's borders

Aug 3, 2016 23:35 GMT

A new cyber-espionage group operating from infrastructure based in Iran has been targeting Syrian dissidents since late 2015, according to new research published by Citizen Lab.

Researchers named the new APT Group5 because it is the fifth cyber-espionage crew they have found targeting Syrian dissidents, after the Syrian Electronic Army, ISIS-linked hackers, a Lebanon-linked group, and the Assad regime itself.

Group5 operates using Iranian infrastructure

Citizen Lab says it was alerted to the group's existence after Noura Al-Ameer, former Vice President of the opposition Syrian National Council (SNC), received a suspicious email.

Following that lead, Citizen Lab researchers found the Group5 infrastructure hosted entirely on the servers of Iranian ISPs.

According to the technical analysis of the campaign, Group5 used spear-phishing emails to distribute malware-laced files and links to malicious websites. Visitors to those sites were exposed to drive-by downloads that infected their computers, or were tricked into installing the malware themselves.

Targets were infected with njRat, NanoCore, and DroidJack

The group operated mainly through one website, assadcrimes[.]info, to which the researchers managed to gain access. The site was used to lure victims into downloading malicious Windows and Android applications containing RATs (Remote Access Trojans).

Group5 used the njRat and NanoCore malware to target Windows users, and the DroidJack RAT to target Android devices.

In the campaign it detected, Citizen Lab says the spear-phishing emails carried malicious PowerPoint files that tried to install the RATs on the victim's PC, either through malicious OLE objects or through the CVE-2014-4114 exploit embedded in the attachment.

Malware linked to Mr. Tekide, an Iran-based malware developer

Based on the TTPs (Tactics, Techniques, and Procedures) the group deployed, Citizen Lab says Group5 could be related to Infy, an APT operating from within Iran's borders.

Besides the infrastructure hosted in Iran, the researchers also found Persian-language text in the malware's code and references to Mr. Tekide, an Iranian malware developer.

"We cannot conclude with certainty that Group5 is Iran-based, although the confluence of information outlined above provides a circumstantial case," Citizen Lab notes.

[Images: Group5 modus operandi; Threat actors operating in Syria; Group5 malware]