Security Market Segment LS
Monday, 30 July 2018 08:26

New Iran-based APT uses NSA exploits in its malware arsenal


A newly discovered threat actor or advanced persistent threat, that is targeting government and private sector organisations in the Middle East, is using NSA exploits leaked by the Shadow Brokers in April last year as part of its arsenal of threats, the security firm Symantec claims.

Named Leafminer by the company, Symantec said it was using publicly available techniques and tools for attacking targets and also experimenting with published proof-of-concept exploits.

The company said judging by its findings, the threat actor appeared to be based in Iran.


Industry verticals targeted by Leafminer.

"Leafminer attempts to infiltrate target networks through various means of intrusion: watering hole websites, vulnerability scans of network services on the Internet, and brute-force/dictionary login attempts," researchers from the Symantec Response Attack Investigation Team wrote in a blog post.

"The actor’s post-compromise toolkit suggests that the group is looking for email data, files, and database servers on compromised target systems."

The team said they been lucky that a download URL for a malware payload used in one attack enabled the identification of a compromised Web server on the domain that had been used to distribute Leafminer's arsenal.

Investigations were said to have shown that the malware and custom tools used by Leafminer had targeted 44 systems across four regions in the Middle East. A list of 809 targets that were subjected to vulnerability scans was in Farsi, and listed each entry with its organisation of interest and industry.


The countries targeted were Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan.

The Symantec team said the compromised Web server hosted a number of public proof-of-concept exploits and exploitation tools.

"This included the Fuzzbunch framework that was part of an infamous leak of exploits and tools by the Shadow Brokers in April 2017," they wrote. "Leafminer has developed exploit payloads for this framework that deliver custom malware through attacks against SMB vulnerabilities described by Microsoft.

"The EternalBlue exploit from the framework received worldwide attention after being used in the ransomware campaigns WannaCry in May and Petya/NotPetya in June 2017. The Leafminer operators use EternalBlue to attempt lateral movement within target networks from compromised staging servers."

Symantec said it also observed attempts by Leafminer to scan for the Heartbleed vulnerability from an attacker-controlled IP address. The Leafminer arsenal server also had a Python script that scanned for this vulnerability.

While Leafminer was keeping in touch with developments and trying to take advantage of newer exploits, Symantec said its "eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security".

"It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools. That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks."

Graphics: courtesy Symantec


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments