G0130 Ajax Security Team
Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014, Ajax Security Team had transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.[1]
Item | Value |
---|---|
ID | G0130 |
Associated Names | Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, Operation Saffron Rose |
Version | 1.0 |
Created | 14 April 2021 |
Last Modified | 17 December 2021 |
Associated Group Descriptions
Name | Description |
---|---|
Operation Woolen-Goldfish | Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and the campaign Operation Woolen-Goldfish.[2][3] |
AjaxTM | [1] |
Rocket Kitten | Analysis of infrastructure, tools, and modes of operation revealed a potential relationship between Ajax Security Team and Rocket Kitten.[2][4] |
Flying Kitten | [5] |
Operation Saffron Rose | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | Ajax Security Team has used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage.[2] |
enterprise | T1105 | Ingress Tool Transfer | Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.[2] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Ajax Security Team has used personalized spearphishing attachments.[2] |
enterprise | T1566.003 | Spearphishing via Service | Ajax Security Team has used various social media channels to spearphish victims.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Ajax Security Team has lured victims into executing malicious files.[1] |
Software
ID | Name | References | Techniques |
---|---|---|---|
S0224 | Havij | [2] | Exploit Public-Facing Application |
S0225 | sqlmap | [2] | Exploit Public-Facing Application |
References
1. Villeneuve, N. et al. (2013). Operation Saffron Rose. Retrieved May 28, 2020.
2. Check Point Software Technologies. (2015). Rocket Kitten: A Campaign with 9 Lives. Retrieved March 16, 2018.
3. Pernet, C., Lu, K. (2015, March 19). Operation Woolen-Goldfish - When Kittens Go Phishing. Retrieved April 21, 2021.
4. Iran Threats. (2017, December 5). Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code. Retrieved May 28, 2020.
5. Dahl, M. (2014, May 13). Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN. Retrieved May 27, 2020.