Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Group5
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Group5
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
ID: G0043
Associated Groups: 
Version: 1.3
Created: 31 May 2017
Last Modified: 11 Apr 2024

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1070 .004 Indicator Removal: File Deletion

Malware used by Group5 is capable of remotely deleting files from victims.(Citation: Citizen Lab Group5)
Enterprise T1056 .001 Input Capture: Keylogging

Malware used by Group5 is capable of capturing keystrokes.(Citation: Citizen Lab Group5)
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)

Software
ID Name References Techniques
S0336 NanoCore (Citation: Citizen Lab Group5) (Citation: Cofense NanoCore Mar 2018) (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) (Citation: Unit 42 Gorgon Group Aug 2018) Ingress Tool Transfer, Windows Command Shell, System Network Configuration Discovery, Video Capture, Disable or Modify System Firewall, Obfuscated Files or Information, Audio Capture, Visual Basic, Keylogging, Modify Registry, Symmetric Cryptography, Disable or Modify Tools, Registry Run Keys / Startup Folder, Uncommonly Used Port
S0385 njRAT (Citation: Bladabindi) (Citation: Citizen Lab Group5) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Trend Micro njRAT 2018) System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Encrypted/Encoded File, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System

References

  1. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.