Named Leafminer by the company, Symantec said it was using publicly available techniques and tools for attacking targets and also experimenting with published proof-of-concept exploits.
The company said judging by its findings, the threat actor appeared to be based in Iran.
Industry verticals targeted by Leafminer.
"Leafminer attempts to infiltrate target networks through various means of intrusion: watering hole websites, vulnerability scans of network services on the Internet, and brute-force/dictionary login attempts," researchers from the Symantec Response Attack Investigation Team wrote in a blog post.
The team said they been lucky that a download URL for a malware payload used in one attack enabled the identification of a compromised Web server on the e-qht.az domain that had been used to distribute Leafminer's arsenal.
Investigations were said to have shown that the malware and custom tools used by Leafminer had targeted 44 systems across four regions in the Middle East. A list of 809 targets that were subjected to vulnerability scans was in Farsi, and listed each entry with its organisation of interest and industry.
The countries targeted were Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan.
The Symantec team said the compromised Web server hosted a number of public proof-of-concept exploits and exploitation tools.
"This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017," they wrote. "Leafminer has developed exploit payloads for this framework that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft.
"The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya/NotPetya in June 2017. The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers."
Symantec said it also observed attempts by Leafminer to scan for the Heartbleed vulnerability from an attacker-controlled IP address. The Leafminer arsenal server also had a Python script that scanned for this vulnerability.
While Leafminer was keeping in touch with developments and trying to take advantage of newer exploits, Symantec said its "eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security".
"It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools. That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks."
Graphics: courtesy Symantec