Cleaver
Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [1] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [2]
Associated Group Descriptions
Name | Description |
---|---|
Threat Group 2889 | [2] |
TG-2889 | [2] |
Techniques Used
Domain | ID | Name | Use
---|---|---|---
PRE-ATT&CK | T1341 | Build social network persona | 
PRE-ATT&CK | T1345 | Create custom payloads | Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[1]
PRE-ATT&CK | T1342 | Develop social network persona digital footprint | Cleaver fake personas included profile photos, details, and network connections.[2]
PRE-ATT&CK | T1313 | Obfuscation or cryptography | Cleaver has used zhCat to encrypt traffic or apply inline obfuscation to make detection more difficult. zhCat makes message traffic look benign.[1]
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.[1]
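Both Mimikatz and Windows Credential Editor read credential material out of the LSASS process, so on a Windows host the observable is a handle to lsass.exe opened with memory-read rights. The detection rule below is an added example, not code from the ATT&CK page or from any of the cited reports: it runs over Sysmon Event ID 10 (ProcessAccess) records serialised as JSON lines, as a log shipper would emit them. The Sysmon field names (SourceImage, TargetImage, GrantedAccess, CallTrace) and the Win32 access-right constants are real; the sample events, the allowlist entries and the path heuristics are constructed assumptions that would need tuning for a specific fleet.

```python
"""Flag suspicious handle access to lsass.exe in Sysmon Event ID 10 records."""
import json
import ntpath
from typing import Dict, Iterable, List, Optional

# Process access rights from winnt.h. Reading LSASS memory requires
# PROCESS_VM_READ; a dumper normally also requests a query right to
# locate the process, so those two bits together are the core signal.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Assumption: images that legitimately read LSASS on this fleet (e.g. the
# AV engine). Constructed for the example; tune per environment.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Heuristic: a legitimate LSASS reader rarely runs from a user-writable path.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def parse_event(line: str) -> Dict[str, object]:
    """Parse one JSON-serialised Sysmon event."""
    return json.loads(line)


def analyse_lsass_access(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious LSASS handle, or None if benign."""
    if int(str(event.get("EventID", 0))) != 10:
        return None
    target = str(event.get("TargetImage", ""))
    if ntpath.basename(target).lower() != "lsass.exe":
        return None
    granted = int(str(event.get("GrantedAccess", "0")), 16)
    if not granted & PROCESS_VM_READ:
        # Query-only handles are routine (Task Manager, monitoring agents)
        # and cannot read credential material.
        return None
    source = str(event.get("SourceImage", ""))
    if source.lower() in ALLOWLIST:
        return None
    reasons: List[str] = ["PROCESS_VM_READ granted on lsass.exe (0x%04x)" % granted]
    if granted & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        reasons.append("query right also requested, typical of a dumper locating LSASS")
    if "UNKNOWN" in str(event.get("CallTrace", "")):
        reasons.append("call trace has frames in unbacked memory (injected or reflectively loaded code)")
    if any(hint in source.lower() for hint in USER_WRITABLE_HINTS):
        reasons.append("source image runs from a user-writable path")
    return {"source": source, "granted_access": granted, "reasons": reasons, "score": len(reasons)}


def detect(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run the rule over JSON log lines and return findings in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyse_lsass_access(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real events). Field names follow Sysmon
# Event ID 10; the paths, access masks and call traces are made up.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\m.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|UNKNOWN(00000000004012AB)"}
{"EventID": 10, "SourceImage": "C:\\Tools\\wce.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234|C:\\Windows\\System32\\KERNELBASE.dll+2b4a3"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"}
{"EventID": 10, "SourceImage": "C:\\Windows\\system32\\taskmgr.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"}
{"EventID": 10, "SourceImage": "C:\\Tools\\wce.exe", "TargetImage": "C:\\Windows\\system32\\svchost.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d234"}
{"EventID": 1, "Image": "C:\\Tools\\wce.exe", "CommandLine": "wce.exe -w"}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f["score"], f["source"], "; ".join(f["reasons"]))
```

Only the two events from non-allowlisted binaries that obtained PROCESS_VM_READ on lsass.exe are reported; the Task Manager handle (query rights only) and the Defender handle (allowlisted) are not. The exact access mask a dumper requests varies by tool and version, so the rule keys on the VM_READ bit rather than on a fixed mask, and the allowlist is the part that has to be maintained as the environment changes.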