Skip to content

G0043 Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. 1

Item Value
ID G0043
Associated Names
Version 1.3
Created 31 May 2017
Last Modified 11 April 2024
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Malware used by Group5 is capable of remotely deleting files from victims.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Malware used by Group5 is capable of capturing keystrokes.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.013 Encrypted/Encoded File Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.1
enterprise T1113 Screen Capture Malware used by Group5 is capable of watching the victim’s screen.1

Software

ID Name References Techniques
S0336 NanoCore 1 Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Disable or Modify System Firewall:Impair Defenses Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information System Network Configuration Discovery Video Capture
S0385 njRAT 1 Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Fast Flux DNS:Dynamic Resolution Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses File Deletion:Indicator Removal Clear Persistence:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Standard Port Encrypted/Encoded File:Obfuscated Files or Information Compile After Delivery:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Remote Desktop Protocol:Remote Services Remote System Discovery Replication Through Removable Media Screen Capture System Information Discovery System Owner/User Discovery Video Capture

References

  1. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.