S1150 ROADSWEEP
ROADSWEEP is ransomware that was deployed against Albanian government networks during HomeLand Justice, alongside the CHIMNEYSWEEP backdoor.[1]
| Item | Value |
|---|---|
| ID | S1150 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 08 August 2024 |
| Last Modified | 09 August 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ROADSWEEP has been placed in the Startup folder to trigger execution upon user login.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ROADSWEEP can open cmd.exe to enable command execution.[1][2] |
| enterprise | T1486 | Data Encrypted for Impact | ROADSWEEP can RC4-encrypt content in blocks on targeted systems.[1][3][2] |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | ROADSWEEP has dropped ransom notes in targeted folders prior to encrypting the files.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ROADSWEEP can decrypt embedded scripts prior to execution.[1][3] |
| enterprise | T1480 | Execution Guardrails | ROADSWEEP requires four command-line arguments to execute correctly; otherwise it produces a message box and halts execution.[1][3][2] |
| enterprise | T1083 | File and Directory Discovery | ROADSWEEP can enumerate files on infected devices and avoids encrypting files with .exe, .dll, .sys, .lnk, or .lck extensions.[1][3][2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ROADSWEEP can use embedded scripts to remove itself from the infected host.[1][2] |
| enterprise | T1490 | Inhibit System Recovery | ROADSWEEP has the ability to disable System Restore and Volume Shadow Copies.[1][3] |
| enterprise | T1559 | Inter-Process Communication | ROADSWEEP can pipe command output to a targeted process.[1] |
| enterprise | T1680 | Local Storage Discovery | ROADSWEEP can enumerate logical drives on targeted devices.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | The ROADSWEEP binary contains RC4-encrypted embedded scripts.[1][3][2] |
| enterprise | T1120 | Peripheral Device Discovery | ROADSWEEP can identify removable drives attached to the victim's machine.[1] |
| enterprise | T1489 | Service Stop | ROADSWEEP can disable critical services and processes.[1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | ROADSWEEP has been digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1001 | HEXANE | HEXANE probed victim infrastructure in support of HomeLand Justice.[2] |
References
- [1] Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- [2] MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
- [3] CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.