MITRE ATT&CK - Преступная группа Group5

Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Наш канал

Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)

ID: G0043

Associated Groups:

Version: 1.2

Created: 31 May 2017

Last Modified: 30 Mar 2020

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1070	.004	Indicator Removal: File Deletion	Malware used by Group5 is capable of remotely deleting files from victims.(Citation: Citizen Lab Group5)
Enterprise	T1056	.001	Input Capture: Keylogging	Malware used by Group5 is capable of capturing keystrokes.(Citation: Citizen Lab Group5)

ID	Name	References	Techniques
Software
S0336	NanoCore	(Citation: Citizen Lab Group5) (Citation: Cofense NanoCore Mar 2018) (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) (Citation: Unit 42 Gorgon Group Aug 2018)	Ingress Tool Transfer, Windows Command Shell, System Network Configuration Discovery, Video Capture, Disable or Modify System Firewall, Obfuscated Files or Information, Audio Capture, Visual Basic, Keylogging, Modify Registry, Symmetric Cryptography, Disable or Modify Tools, Registry Run Keys / Startup Folder, Uncommonly Used Port
S0385	njRAT	(Citation: Bladabindi) (Citation: Citizen Lab Group5) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Trend Micro njRAT 2018)	System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Obfuscated Files or Information, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System

References

Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Group5

Associated Group Descriptions

Techniques Used

Software

References