Security Market Segment LS
Monday, 30 July 2018 08:26

New Iran-based APT uses NSA exploits in its malware arsenal


A newly discovered threat actor or advanced persistent threat, that is targeting government and private sector organisations in the Middle East, is using NSA exploits leaked by the Shadow Brokers in April last year as part of its arsenal of threats, the security firm Symantec claims.

Named Leafminer by the company, Symantec said it was using publicly available techniques and tools for attacking targets and also experimenting with published proof-of-concept exploits.

The company said judging by its findings, the threat actor appeared to be based in Iran.


Industry verticals targeted by Leafminer.

"Leafminer attempts to infiltrate target networks through various means of intrusion: watering hole websites, vulnerability scans of network services on the Internet, and brute-force/dictionary login attempts," researchers from the Symantec Response Attack Investigation Team wrote in a blog post.

"The actor’s post-compromise toolkit suggests that the group is looking for email data, files, and database servers on compromised target systems."

The team said they been lucky that a download URL for a malware payload used in one attack enabled the identification of a compromised Web server on the domain that had been used to distribute Leafminer's arsenal.

Investigations were said to have shown that the malware and custom tools used by Leafminer had targeted 44 systems across four regions in the Middle East. A list of 809 targets that were subjected to vulnerability scans was in Farsi, and listed each entry with its organisation of interest and industry.


The countries targeted were Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan.

The Symantec team said the compromised Web server hosted a number of public proof-of-concept exploits and exploitation tools.

"This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017," they wrote. "Leafminer has developed exploit payloads for this framework that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft.

"The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya/NotPetya in June 2017. The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers."

Symantec said it also observed attempts by Leafminer to scan for the Heartbleed vulnerability from an attacker-controlled IP address. The Leafminer arsenal server also had a Python script that scanned for this vulnerability.

While Leafminer was keeping in touch with developments and trying to take advantage of newer exploits, Symantec said its "eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security".

"It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools. That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks."

Graphics: courtesy Symantec


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments