Pulse Detail — Threat Intelligence

PULSE NAME

Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations

WHITE AlienVault 2022-08-05 Modified: 2022-08-05

IOCs

HIGH VOLUME

↓ CSV ↓ JSON

Researchers identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July 2022.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059 T1553 T1560 T1574 T1547 T1053 T1127 T1561 T1140 T1490 T1106 T1566 T1573 T1056 T1007 T1012 T1027 T1033 T1055 T1057 T1070 T1082 T1083 T1087 T1112 T1113 T1134 T1489 T1497 T1518 T1543 T1569

MALWARE FAMILIES

ROADSWEEP CHIMNEYSWEEP

Indicators of Compromise (51)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	19068e8228b6b8f5528489fa70779b2b	—	2022-08-05
FileHash-MD5	23643b7bd48a200889a4613a0e0a86e4	—	2022-08-05
FileHash-MD5	3633b3d69060a5882656b69f81655f0a	—	2022-08-05
FileHash-MD5	38e0fa41e9519d4783766992c203e794	—	2022-08-05
FileHash-MD5	3a1033cb1eb06c2cd5e91c539cf8a519	—	2022-08-05
FileHash-MD5	44d1c75815724523a58b566d95378825	—	2022-08-05
FileHash-MD5	49d72f9212d5653f5be9f764d8c9df24	—	2022-08-05
FileHash-MD5	5cc183702fae8cc23a55037c1efab5e5	—	2022-08-05
FileHash-MD5	779940f675ff4ab4e8cab7a1b7cf5d3c	—	2022-08-05
FileHash-MD5	77a369e5e49e7e62d8eef2c00cd02950	—	2022-08-05
FileHash-MD5	7a77c2930f0457ed2dd622e9739c7d3d	—	2022-08-05
FileHash-MD5	7b71764236f244ae971742ee1bc6b098	—	2022-08-05
FileHash-MD5	7f6db4493c6a76eb44534306291ea85f	—	2022-08-05
FileHash-MD5	8c8bbe3a4a23cd4cc96c12af5fb1199b	—	2022-08-05
FileHash-MD5	92c61e3047297136701c25deb658b35a	—	2022-08-05
FileHash-MD5	9c09d147dfbc98d5e6e051fe1ed0033d	—	2022-08-05
FileHash-MD5	bbe983dba3bf319621b447618548b740	—	2022-08-05
FileHash-MD5	df9ab47726001883b5fcf58b56b34b41	—	2022-08-05
FileHash-MD5	f3c977830bf616b9061d7aee5ce0b2f2	—	2022-08-05
FileHash-SHA1	5c31d1f89e55b88ee964cd0a951204ec751afb3b	SHA1 of 92c61e3047297136701c25deb658b35a	2022-08-05
FileHash-SHA1	5d117d8ef075f3f8ed1d4edcc0771a2a0886a376	SHA1 of bbe983dba3bf319621b447618548b740	2022-08-05
FileHash-SHA1	9b020dd3a60a60613d9d4a42408d317cc3cda4b3	SHA1 of 77a369e5e49e7e62d8eef2c00cd02950 SHA1 of 77a369e5e49e7e62d8eef2c00cd02950	2022-08-05
FileHash-SHA1	f1f28bb361734bff3ca5715cc2b8dca54f0e2595	SHA1 of 49d72f9212d5653f5be9f764d8c9df24	2022-08-05
FileHash-SHA1	f22a7ec80fbfdc4d8ed796119c76bfac01e0a908	SHA1 of 7b71764236f244ae971742ee1bc6b098	2022-08-05
FileHash-SHA256	29e9fd62b86cb3ba6a5e0bd0189ef2567538f8a8d925effdeac6487a72556b54	SHA256 of 49d72f9212d5653f5be9f764d8c9df24	2022-08-05
FileHash-SHA256	3d0d93f651ee7b407024e5ad51b4e79408b72fb77bfd71cddeac8be3642439d7	SHA256 of 77a369e5e49e7e62d8eef2c00cd02950 SHA256 of 77a369e5e49e7e62d8eef2c00cd02950	2022-08-05
FileHash-SHA256	88b013c5fbd2751fbd9f2184a8892c71ffca69843e7de53e826c6bd658ae8d72	SHA256 of 92c61e3047297136701c25deb658b35a	2022-08-05
FileHash-SHA256	e1204ebbd8f15dbf5f2e41dddc5337e3182fc4daf75b05acc948b8b965480ca0	SHA256 of 7b71764236f244ae971742ee1bc6b098	2022-08-05
FileHash-SHA256	f116acc6508843f59e59fb5a8d643370dce82f492a217764521f46a856cc4cb5	SHA256 of bbe983dba3bf319621b447618548b740	2022-08-05
URL	http://avira.ltd/cm.php	—	2022-08-05
URL	http://cloud-avira.com/cm.php	—	2022-08-05
URL	http://server-avira.com/cm.php	—	2022-08-05
URL	http://skype.se.net/cm.php	—	2022-08-05
URL	http://telegram-update.com/cm.php	—	2022-08-05
URL	http://uk2privat.com/cm.php	—	2022-08-05
URL	http://update-pgp.com/cm.php	7d04f7431bbfa41a04bcc7e6b98b9de0d919756c4c671c5785c99fff45f16402	2022-08-05
URL	http://update-real.com/cm.php	—	2022-08-05
URL	http://windowsupadates.com/cm.php	—	2022-08-05
YARA	6d47541cf740a63ee905bad775acb7c83b0f0370	Identifies code sequences in ZEROCLEAR	2022-08-05
YARA	6f43ef70dd53ad5b241c26c32aeb4c7bb95098d3	Detects strings found in CHIMNEYSWEEP	2022-08-05
YARA	9a24bf79f5ed726c37a5a45150a813f4aa36bd98	Identifies the encryption key used within ROADSWEEP	2022-08-05
YARA	ce7009366563991ec70afd5e20071b93527478c2	Detects encrypted data found in CHIMNEYSWEEP	2022-08-05
domain	avira.ltd	—	2022-08-05
domain	cloud-avira.com	—	2022-08-05
domain	homelandjustice.ru	—	2022-08-05
domain	server-avira.com	—	2022-08-05
domain	telegram-update.com	—	2022-08-05
domain	uk2privat.com	—	2022-08-05
domain	update-pgp.com	—	2022-08-05
domain	update-real.com	—	2022-08-05
domain	windowsupadates.com	—	2022-08-05

References (1)

↗ https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against