Skip to content

G0077 Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. 2

Item Value
ID G0077
Associated Names Raspite
Version 2.4
Created 17 October 2018
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Raspite 1

Techniques Used

Domain ID Name Use
enterprise T1110 Brute Force -
enterprise T1110.003 Password Spraying Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.007 JavaScript Leafminer infected victims using JavaScript code.2
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.2
enterprise T1555 Credentials from Password Stores Leafminer used several tools for retrieving login and password information, including LaZagne.2
enterprise T1555.003 Credentials from Web Browsers Leafminer used several tools for retrieving login and password information, including LaZagne.2
enterprise T1189 Drive-by Compromise Leafminer has infected victims using watering holes.2
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.2
enterprise T1083 File and Directory Discovery Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.2
enterprise T1046 Network Service Discovery Leafminer scanned network services to search for vulnerabilities in the victim system.2
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation Leafminer obfuscated scripts that were used on victim machines.2
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.2
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.2
enterprise T1003.004 LSA Secrets Leafminer used several tools for retrieving login and password information, including LaZagne.2
enterprise T1003.005 Cached Domain Credentials Leafminer used several tools for retrieving login and password information, including LaZagne.2
enterprise T1055 Process Injection -
enterprise T1055.013 Process Doppelgänging Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.2
enterprise T1018 Remote System Discovery Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems.2
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files Leafminer used several tools for retrieving login and password information, including LaZagne.2

Software

ID Name References Techniques
S0349 LaZagne 2 Keychain:Credentials from Password Stores Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores /etc/passwd and /etc/shadow:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Proc Filesystem:OS Credential Dumping Cached Domain Credentials:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0413 MailSniper 2 Email Account:Account Discovery Password Spraying:Brute Force Remote Email Collection:Email Collection
S0002 Mimikatz 2 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0029 PsExec 2 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services

References

  1. Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018. 

  2. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.