FireEye published a report today on ‘Operation Saffron Rose’ documenting cyber espionage activity conducted by the Ajax Security Team, a hacking group believed to be based in Iran. The group was previously known for web defacement, but apparently they’ve moved on to malware-based spying.
The techniques used to install the malware and/or acquire credentials include spear phishing using email for a fake IEEE conference and phony web sites that mimic legitimate credential requests, such as Outlook Web Access. The group also distributed anti-censorship software with malware, targeting Iranian dissidents.
The goal of the attack is to load ‘Stealer’ malware onto systems to exfiltrate a range of data via FTP.
It’s interesting how different illegal hacking groups use similar lures for their targeted attacks. Two years ago we documented a campaign from the Chinese group Sykipot that used the same aerospace conference as a lure (http://www.alienvault.com/open-threat-exchange/blog/sykipot-is-back). The domain name Sykipot used was aeroconf13[.]org; the Ajax Security Team registered aeroconf2014[.]org for the same conference lure. A bit lazy – another example of hackers caring about ROI?
AlienVault Unified Security Management™ (USM) and OSSIM have had an Intrusion Detection System signature that detects the data exfiltration performed by this payload since 2011. Our customers have the ability to detect the exfiltration of data with this signature:
2013346 - TROJAN Unknown Trojan File Stealer FTP File Upload
In addition, AlienVault Labs will shortly push a correlation rule to AlienVault USM that raises an alarm specifically identifying the behavior associated with this threat:
System Compromise, Targeted Malware, Iranian Ajax Security Team Data Exfiltration
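The IDS signature and the correlation rule above both key on the same observable: an internal host pushing files to an FTP server outside the network. The following is an added illustration of that detection idea, written for this post and not the content of the Emerging Threats signature 2013346 or of the USM correlation rule. It parses a constructed, simplified FTP control-channel log (the layout and every address and filename are made up for the example), flags STOR uploads whose destination is outside RFC 1918 space, and escalates severity when one client bursts several uploads to the same server, which is roughly the aggregation a correlation rule performs over individual IDS events.

```python
"""Flag FTP uploads (STOR) from internal hosts to external servers.

Added example. The log lines below are constructed and follow a simplified
"<timestamp> <src_ip> <dst_ip> <FTP command> <argument>" layout; they are not
the output of any particular sensor. 203.0.113.0/24 is a documentation
range used here as a stand-in for an attacker-controlled public server.
"""
import ipaddress
from collections import defaultdict

SAMPLE_LOG = """\
2014-05-13T10:01:02 10.0.0.15 10.0.0.3 USER backup
2014-05-13T10:01:03 10.0.0.15 10.0.0.3 STOR nightly.tar.gz
2014-05-13T10:04:10 10.0.0.22 203.0.113.45 USER anonymous
2014-05-13T10:04:11 10.0.0.22 203.0.113.45 STOR report1.bin
2014-05-13T10:04:12 10.0.0.22 203.0.113.45 STOR report2.bin
2014-05-13T10:04:15 10.0.0.22 203.0.113.45 STOR report3.bin
2014-05-13T10:05:00 10.0.0.40 203.0.113.45 RETR readme.txt
this line is malformed
"""

# Assumption for this example: these ranges are "inside" the monitored
# network; anything else is treated as an external destination.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def is_external(ip_text):
    """True if the address falls outside the internal ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split one log line into fields; return None for unparseable lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, src, dst, cmd = parts[:4]
    arg = parts[4] if len(parts) == 5 else ""
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "cmd": cmd.upper(), "arg": arg}


def find_external_ftp_uploads(log_text):
    """Map (src, dst) -> list of filenames for STOR commands sent to an
    external server. Internal-to-internal uploads and downloads (RETR)
    are ignored, which keeps normal backup traffic out of the results."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] != "STOR":
            continue
        if is_external(rec["dst"]):
            uploads[(rec["src"], rec["dst"])].append(rec["arg"])
    return dict(uploads)


def alerts(log_text, burst_threshold=3):
    """Turn per-session upload lists into alert records. A single external
    upload is suspicious; several from one client to one server in the same
    log is escalated, mirroring what a correlation rule does over many
    individual signature hits."""
    out = []
    for (src, dst), files in find_external_ftp_uploads(log_text).items():
        severity = "high" if len(files) >= burst_threshold else "medium"
        out.append({"src": src, "dst": dst, "count": len(files),
                    "severity": severity, "files": files})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['src']} uploaded {a['count']} file(s) "
              f"to external FTP server {a['dst']}: {', '.join(a['files'])}")
```

Running the script prints one high-severity alert for 10.0.0.22, while the internal backup job to 10.0.0.3 and the download by 10.0.0.40 produce nothing. In a real deployment the destination allow-list would replace the flat "internal vs. external" split, since legitimate FTP uploads to known partner servers are common.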
Dark Reading published a story quoting Jaime Blasco, our AlienVault Labs Director, on the threat:
Anatomy Of The New Iranian APT
Former Iranian hacktivist operation evolves into cyber espionage with 'Operation Saffron Rose.'