Pulse Detail — Threat Intelligence

PULSE NAME

Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations

WHITE AlienVault 2022-08-05 Modified: 2022-08-05

IOCs

HIGH VOLUME

↓ CSV ↓ JSON

Researchers identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July 2022.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059 T1553 T1560 T1574 T1547 T1053 T1127 T1561 T1140 T1490 T1106 T1566 T1573 T1056 T1007 T1012 T1027 T1033 T1055 T1057 T1070 T1082 T1083 T1087 T1112 T1113 T1134 T1489 T1497 T1518 T1543 T1569

MALWARE FAMILIES

ROADSWEEP CHIMNEYSWEEP

Indicators of Compromise (9 / 51 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://avira.ltd/cm.php	—	2022-08-05
URL	http://cloud-avira.com/cm.php	—	2022-08-05
URL	http://server-avira.com/cm.php	—	2022-08-05
URL	http://skype.se.net/cm.php	—	2022-08-05
URL	http://telegram-update.com/cm.php	—	2022-08-05
URL	http://uk2privat.com/cm.php	—	2022-08-05
URL	http://update-pgp.com/cm.php	7d04f7431bbfa41a04bcc7e6b98b9de0d919756c4c671c5785c99fff45f16402	2022-08-05
URL	http://update-real.com/cm.php	—	2022-08-05
URL	http://windowsupadates.com/cm.php	—	2022-08-05

References (1)

↗ https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against