{
	"id": "e7bf13e9-d440-4df8-962a-c5cc75f40913",
	"created_at": "2026-04-06T00:15:47.5745Z",
	"updated_at": "2026-04-10T03:32:21.353943Z",
	"deleted_at": null,
	"sha1_hash": "34d520633f596351943711deccaf4739445b815e",
	"title": "ROADSWEEP Ransomware Targets the Albanian Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1262175,
	"plain_text": "ROADSWEEP Ransomware Targets the Albanian Government\r\nBy Mandiant\r\nPublished: 2022-08-04 · Archived: 2026-04-05 18:47:08 UTC\r\nWritten by: Luke Jenkins, Emiel Haeghebaert, Alice Revelli, Ben Read\r\nExecutive Summary\r\nMandiant identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government in a politically motivated disruptive operation ahead of an Iranian opposition organization’s conference in late July 2022.\r\nA previously unknown backdoor, CHIMNEYSWEEP, and a new variant of the ZEROCLEAR wiper may also have been involved.\r\nCHIMNEYSWEEP malware distribution data and decoy content, the operation’s timing and politically themed content, and the possible involvement of the ZEROCLEAR wiper indicate an Iranian threat actor is likely responsible.\r\nThis activity is a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests.\r\nPlease see the Technical Annex for relevant YARA rules and MITRE ATT\u0026CK Techniques (T1007, T1012, T1027, T1033, T1055, T1057, T1070.004, T1070.006, T1082, T1083, T1087, T1112, T1113, T1134, T1489, T1497.001, T1518, T1543.003, T1569.002, and T1622).\r\nThreat Detail\r\nIn mid-July 2022, Mandiant identified a new ransomware family dubbed ROADSWEEP which drops a politically themed ransom note suggesting it targeted the Albanian government. In addition, a front named “HomeLand Justice” claimed credit for the disruptive activity that affected Albanian government websites and citizen services on July 18, 2022. The “HomeLand Justice” front posted a video of the ransomware being executed on its website and Telegram channel alongside alleged Albanian government documents and residence permits of ostensible members of the Mujahedeen-e-Khalq/People’s Mojahedin Organization of Iran (MEK, also known as MKO or PMOI), an Iranian opposition organization that was formerly designated as a terrorist group by the U.S. Department of State.\r\nOn July 18, 2022, the Albanian government published a statement announcing it had to “temporarily close access to online public services and other government websites” due to disruptive cyber activity.\r\nOn July 22, 2022, a ROADSWEEP ransomware sample was submitted to a public malware repository from Albania. Upon successful execution, this ROADSWEEP sample drops a ransom note including the text “Why should our taxes be spent on the benefit of DURRES terrorists?” (Figure 1). Durrës is a port city and the second most populous city in Albania.\r\nhttps://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against\r\nPage 1 of 21\r\nFigure 1: ROADSWEEP ransom note\r\nOn July 21, 2022, a front named “HomeLand Justice” leveraged the website “homelandjustice.ru” to start publishing ostensible news stories on the ransomware operation against the Albanian government along with a link to a Telegram channel named “HomeLand Justice.” The website, which implies that it is run by Albanian citizens, claimed credit for the ransomware activity with a video of “wiper activity,” and posted documents ostensibly internal to the Albanian government along with what it claimed to be Albanian residence permits of MEK members.\r\nThe website “homelandjustice[.]ru” and the Telegram channel both use a banner that appears identical to the wallpaper used by ROADSWEEP and contains the same politically themed language as the ransom note above (Figure 2). The platforms also posted a video of an alleged wiper executed on a host using this banner.\r\nFigure 2: ROADSWEEP wallpaper and HomeLand Justice banner\r\nAfter posting multiple links to news stories on the disruptive activity against the Albanian government on July 26, 2022, HomeLand Justice directly claimed credit for the operation on its Telegram channel in a message alleging corruption in the Albanian government and repeating the message from the ransom note (Figure 3). Notably, the posts used the hashtags #MKO, #ISIS, #Manez, and #HomeLandJustice. Manëz is a town in Durrës County and the location for the World Summit of Free Iran conference which was set to take place on July 23-24.\r\nFigure 3: HomeLand Justice claims credit\r\nBoth the homelandjustice.ru website and the Telegram channel posted documents ostensibly belonging to Albanian government organizations along with what appear to be residence permits, marriage certificates, passports, and other personal documents belonging to alleged members of the MEK.\r\nCHIMNEYSWEEP Backdoor Likely Targets Iranian Diaspora and Dissidents\r\nMandiant further identified CHIMNEYSWEEP, a backdoor that uses either Telegram or actor-owned infrastructure for command-and-control and is capable of taking screenshots, listing and collecting files, spawning a reverse shell, and keylogging. CHIMNEYSWEEP shares code with ROADSWEEP and, based on observed decoy content, has likely been used to target Farsi and Arabic speakers as far back as 2012.\r\nCHIMNEYSWEEP and ROADSWEEP share multiple code overlaps, including identical dynamic API resolution code. The shared code includes an embedded RC4 key to decrypt Windows API function strings at run time, which are resolved using LoadLibrary and GetProcAddress calls once decrypted. Both capabilities also share the same custom Base64 alphabet, one using it to encode the decryption key, the other for command and control.\r\nBoth CHIMNEYSWEEP and ROADSWEEP use the RC4 key “8c e4 b1 6b 22 b5 88 94 aa 86 c4 21 e8 75 9d f3” and the custom Base64 alphabet “wxyz0123456789.-JKLMNOPghijklmnopqrstuvQRSTUVWXYZabcdefABCDEFGHI”.\r\nCHIMNEYSWEEP is dropped by a self-extracting archive signed with a valid digital certificate alongside either an Excel, Word, or video file, which are likely used as benign decoy documents. However, these documents do not appear to be automatically opened when CHIMNEYSWEEP is executed.\r\nThe decoy documents have included Arabic-language lists of names, ostensibly of individuals in Lebanon, and a figure of Massoud Rajavi, the former leader of the Mujahedeen-e-Khalq (MEK), an Iranian opposition group (Figure 4).\r\nWe identified iterations of CHIMNEYSWEEP used as early as 2012.\r\nFigure 4: Image of Massoud Rajavi in a Word document used as decoy content alongside CHIMNEYSWEEP in August 2021\r\nZEROCLEAR\r\nOn July 19, 2022, one day after the Albanian government announcement of the disruptive activity, an Albanian user submitted a ZEROCLEAR wiper payload to a public malware repository. The ZEROCLEAR payload takes in command line arguments from the operator and results in corruption of the file system using the RawDisk driver.\r\nWhile we are unable to independently prove or disprove whether the ZEROCLEAR sample was used in this or any disruptive operation, the malware has previously been publicly reported to have links to Iran-nexus threat actors deploying it in support of disruptive activity in the Middle East as recently as 2020.\r\nAttribution\r\nMandiant does not have evidence linking this activity to a named threat actor but assesses with moderate confidence that one or multiple threat actors who have operated in support of Iranian goals are involved. This is based on the timing of the disruptive activity, the MEK-focused content of the HomeLand Justice persona’s Telegram channel, and the long history of CHIMNEYSWEEP malware targeting Farsi and Arabic speakers.\r\nThe city of Manëz, Durrës County, which was mentioned in the ROADSWEEP ransom note and on the HomeLand Justice Telegram channel, was set to host a conference, “The World Summit of Free Iran”, on July 23-24, 2022. Albanian media announced on July 22 that the conference had been postponed due to a “terrorist attack threat.”\r\nThe World Summit of Free Iran is a conference convening entities opposed to the government of Iran, specifically members of the MEK, in Manëz, Durrës County, Albania.\r\nIranian and pro-Iran information operations have frequently targeted the MEK with antagonistic messaging, including that leveraging fabricated material such as forged documents. For example, the pro-Iran campaign Roaming Mayfly has promoted falsified narratives alleging various Western countries’ support for the MEK.\r\nWe have previously reported on the suspected Iran-nexus ZEROCLEAR and DUSTMAN wipers, which have reportedly targeted entities in Bahrain and Saudi Arabia.\r\nHowever, we do note that the ransomware attack is significantly more complex than prior CHIMNEYSWEEP operations, which raises the possibility of a cross-team collaboration or other scenarios that we lack insight into at this time. We are continuing to investigate this cluster and will provide updates as we are able.\r\nOutlook and Implications\r\nMandiant has frequently reported on Iranian threat activity targeting Iranian dissidents and opposition groups abroad by cyber espionage groups such as UNC788 and malware such as SCRAPWOOD, publicly known as MarkiRAT. Additionally, numerous recent lock-and-leak operations by suspected Iran-nexus personas such as Black Shadow and Moses Staff have involved disruptive activity against primarily Israeli organizations in an attempt to embarrass them.\r\nThe use of ransomware to conduct a politically motivated disruptive operation against the government websites and citizen services of a NATO member state in the same week an Iranian opposition group’s conference was set to take place would be a notably brazen operation by Iran-nexus threat actors. As negotiations surrounding the Iran nuclear deal continue to stall, this activity indicates Iran may feel less restraint in conducting cyber network attack operations going forward. This activity is also a geographic expansion of Iranian disruptive cyber operations, conducted against a NATO member state. It may indicate an increased tolerance of risk when employing disruptive tools against countries perceived to be working against Iranian interests.\r\nTechnical Annex A: ROADSWEEP Ransomware\r\nROADSWEEP is a newly discovered ransomware tool which, upon execution, will enumerate files on the device and encrypt their content in blocks using RC4. Windows API names, malware configuration parameters, and the basis of a ransom note are RC4 encrypted within ROADSWEEP. During execution, ROADSWEEP will decrypt these encrypted strings and dynamically resolve necessary imports.\r\nGoXml.exe (MD5: bbe983dba3bf319621b447618548b740)\r\nROADSWEEP disruptive payload\r\nCompiled on 2016/04/30 17:08:19\r\nROADSWEEP requires four command line arguments to execute correctly, otherwise ROADSWEEP will produce a message box and halt execution. Upon successful execution, ROADSWEEP creates the following global mutex:\r\nabcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890\r\nFollowing initialization, ROADSWEEP will begin resolving the necessary APIs using the Windows GetProcAddress API. The function names are encrypted using RC4 with the hardcoded key \"8c e4 b1 6b 22 b5 88 94 aa 86 c4 21 e8 75 9d f3\".\r\nROADSWEEP contains multiple embedded scripts which are used to either execute additional commands or to remove itself from the victim’s device. These scripts are never written to disk; instead ROADSWEEP will create a new command prompt (cmd.exe), then send these commands to the process with a pipe. The scripts are embedded within the binary as RC4 encrypted blocks and are decrypted at runtime by the payload. The first script decrypted by ROADSWEEP is responsible for disabling settings like SystemRestore and Volume Shadow Copies, along with disabling critical services and processes.\r\nFigure 5: Embedded script responsible for disabling system settings and processes\r\nROADSWEEP also decrypts the following script, which is used to delete itself after execution:\r\nping 1.1.1.1 -n 1 -w 3000 \u003e Nul \u0026 Del /f /q \"%s\"\r\nNext, ROADSWEEP extracts configuration values that are RC4 encrypted and embedded within the binary itself. The first is a list of extensions that should be avoided when the encryption occurs:\r\n.exe\r\n.dll\r\n.sys\r\n.lnk\r\n.lck\r\nROADSWEEP also decrypts the filename for the ransom note, \"How_To_Unlock_MyFiles.txt\" (MD5: 44d1c75815724523a58b566d95378825), and the note itself as shown in Figure 1.\r\nAfter creating the file, the encryption key that is used to encrypt each file is computed. The key is derived by producing a random data stream using the algorithm shown in Figure 6, then hashing this value with MD5 and using the hash as an RC4 key.\r\nFigure 6: Key generation algorithm\r\nROADSWEEP then encrypts this key with an embedded RSA public key and proceeds to format the ransom message by appending the Base64 encoded and encrypted “recovery key” to the message itself. The Base64 encoding uses a custom alphabet of \"wxyz0123456789.-JKLMNOPghijklmnopqrstuvQRSTUVWXYZabcdefABCDEFGHI\".\r\nFigure 7: ROADSWEEP recovery key encryption and ransom note formatting\r\nNext, ROADSWEEP enumerates all logical drives on the victim's device and checks whether the drive is one of the following:\r\nDRIVE_REMOVABLE\r\nDRIVE_FIXED\r\nDRIVE_REMOTE\r\nDRIVE_CDROM\r\nFigure 8: Drive selection and wiper thread creation\r\nFor each discovered drive, ROADSWEEP will initialize a new thread which is responsible for encrypting all files within that drive. This thread enumerates the file system using the Windows FindFirstFileW and FindNextFileW APIs. For each root directory, a ransom note is created with the content and filename noted above.\r\nFollowing this, ROADSWEEP will check whether each file within the directory matches the extracted extension list; if it does not, the file is encrypted. The encryption process begins by renaming the file with the “.lck” extension. ROADSWEEP then takes the creation time, last access time, and last write time for the file and stores these internally. These values are then used after the wipe to preserve the file times, although the purpose of this is currently unknown.\r\nROADSWEEP will then open the file and compute the size using the GetFileSize API. Then, by chunking the file’s content into blocks of 0x100000, ROADSWEEP will read in the data, encrypt the chunk using RC4, and then overwrite the file on disk. This is repeated until the entire file is overwritten.\r\nFollowing this, the aforementioned self-delete script is executed and the process exits.\r\nTechnical Annex B: ZEROCLEAR Variant\r\nWe identified a ZEROCLEAR payload which takes in command line arguments from the operator and results in corruption of the file system using the RawDisk driver.\r\ncl.exe (MD5: 7b71764236f244ae971742ee1bc6b098)\r\nZEROCLEAR disruptive payload\r\nCompiled on 2022/07/15 13:26:28\r\nThe first command line argument must be one of the following:\r\n\"wp\" (default) – Wipes the disk using the ElDos driver; this expects the driver to be running for the wiper activity to occur.\r\n\"in\" – Installs and starts the driver named rwdsk.sys, which is expected to be located in the same directory as ZEROCLEAR.\r\n\"un\" – Uninstalls the driver named rwdsk and deletes the file on disk.\r\nThe second argument is the drive letter that the operator wants to corrupt; previous variants of ZEROCLEAR only wiped the system drive, determined by calling the GetSystemDirectoryW API.\r\nZEROCLEAR then opens a handle to the RawDisk driver by opening a handle to the following:\r\n\"\\\\?\\RawDisk3\u003carg2\u003e#B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D\"\r\nIt then computes the disk size using the Windows IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, IOCTL_DISK_GET_DRIVE_GEOMETRY and IOCTL_DISK_GET_LENGTH_INFO DeviceIoControl calls. The ElDos driver is used to overwrite the data with the value \"0\".\r\nTechnical Annex C: CHIMNEYSWEEP Backdoor\r\nWhile Mandiant was unable to uncover the infection vector for CHIMNEYSWEEP, we note that the dropper has a valid digital signature. In addition to dropping the CHIMNEYSWEEP installer, this dropper also contains either an Excel or Word document or an MP4 video file.\r\nThe dropper is a signed version of a Windows Cabinet self-extracting file, which is signed by the now revoked certificate \"Atheros Communications Inc.\" As of 2022-07-28, the certificate used in the ROADSWEEP campaign has not been revoked. Historically we have seen APT41 also use this signature, although as noted by DUO the password for this certificate was widely available. The threat actor’s choice of signing certificate and dropper is likely based on the fact that the legitimate Atheros certificate was used to distribute legitimate drivers using the legitimate dropper. This indicates the threat actors have a high degree of operational security.\r\nUpon execution, the self-extracting tool finds the resource named “Cabinet”, drops it to disk, and then executes a process named unpack.exe.\r\nCHIMNEYSWEEP Samples\r\nUNAVAILABLE (MD5: df9ab47726001883b5fcf58b56b34b41)\r\nCHIMNEYSWEEP backdoor\r\nInstalled by unpack.exe (MD5: 8c8bbe3a4a23cd4cc96c12af5fb1199b)\r\nContained in wextract.exe.mui (MD5: 19068e8228b6b8f5528489fa70779b2b)\r\nCompile time: 2021/07/26 13:39:17\r\nC\u0026C servers:\r\ntelegram-update[.]com\r\navira[.]ltd\r\nwindowsupadates[.]com\r\nAppxProviders.dll (MD5: f3c977830bf616b9061d7aee5ce0b2f2)\r\nCHIMNEYSWEEP backdoor\r\nCompile time: 2021/07/26 13:39:17\r\nC\u0026C servers:\r\ntelegram-update[.]com\r\navira[.]ltd\r\nwindowsupadates[.]com\r\nAppxProviders.dll (MD5: 7f6db4493c6a76eb44534306291ea85f)\r\nCHIMNEYSWEEP backdoor\r\nCompile time: 2021/07/26 13:39:17\r\nC\u0026C servers:\r\ntelegram-update[.]com\r\navira[.]ltd\r\nwindowsupadates[.]com\r\nAppxProviders.dll (MD5: 3a1033cb1eb06c2cd5e91c539cf8a519)\r\nCHIMNEYSWEEP backdoor\r\nCompile time: 2021/07/26 13:39:17\r\nC\u0026C servers:\r\ntelegram-update[.]com\r\navira[.]ltd\r\nwindowsupadates[.]com\r\nUNAVAILABLE (MD5: 23643b7bd48a200889a4613a0e0a86e4)\r\nCHIMNEYSWEEP backdoor\r\nInstalled by: UNAVAILABLE (MD5: 49d72f9212d5653f5be9f764d8c9df24)\r\nCompile time: 2021/06/11 22:53:53\r\nC\u0026C servers:\r\ntelegram-update[.]com\r\navira[.]ltd\r\nwindowsupadates[.]com\r\nUNAVAILABLE (MD5: 9c09d147dfbc98d5e6e051fe1ed0033d)\r\nCHIMNEYSWEEP backdoor\r\nInstalled by unpack.exe (MD5: 38e0fa41e9519d4783766992c203e794)\r\nCompile time: 2020/01/25 18:11:10\r\nC\u0026C servers:\r\ntelegram-update[.]com\r\navira[.]ltd\r\nwindowsupadates[.]com\r\nUNAVAILABLE (MD5: 5cc183702fae8cc23a55037c1efab5e5)\r\nCHIMNEYSWEEP backdoor\r\nInstalled by UNAVAILABLE (MD5: 92c61e3047297136701c25deb658b35a)\r\nCompile time: 2020/09/21 11:44:32\r\nC\u0026C servers:\r\ntelegram-update[.]com\r\navira[.]ltd\r\nwindowsupadates[.]com\r\nssv.dll (MD5: 77a369e5e49e7e62d8eef2c00cd02950)\r\nCHIMNEYSWEEP backdoor\r\nCompile time: 2018/10/08 17:28:39\r\nC\u0026C servers:\r\ncloud-avira[.]com\r\npgp.eu[.]com\r\nserver-avira[.]com\r\nskype.se[.]net\r\nuk2privat[.]com\r\nupdate-pgp[.]com\r\nExecution\r\nAfter being dropped by the dropper, the installer is executed. The installers, some of which are padded with null bytes (0x00) to inflate their size, are responsible for deploying an embedded executable to disk and then executing the backdoor itself. The installer initially drops the payload as “m.d” in the covert store (\"C:\\ProgramData\\Microsoft Installer{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}\\Force\"). Some of the installers forge the dropped file’s CreationTime, LastAccessTime, and LastWriteTime from C:\\Windows\\System32\\smss.exe.\r\nThe installer then executes the “Alloc” export, which checks whether the device is currently running DeepFreeze by Faronics, although this is not applicable for the samples analysed by Mandiant. If the process name contains “creensaver.”, the backdoor will write the image to %SYSTEM32%\\Slui and then execute a task named \"\\\\Microsoft\\\\Windows\\\\License Manager\\\\LicenseExchange\\\". Alloc ultimately calls the Control_Provider export, which will initiate the backdoor.\r\nThe main functionality is provided in the next export called by the installer, “RatingSetupUI”. This export is responsible for all the command-and-control (C\u0026C) interactions and backdoor capabilities.\r\nThe last two exports are related to the update process. “Control_Provider” manages the update process whereas “Telephon” executes the “Control_Provider” function.\r\nIf the backdoor is not running as an administrator, the backdoor may use embedded payloads to escalate privileges. A mutex named “rerunadmn” is used internally by the backdoor and the two RC4 encrypted payloads are extracted. The first payload is a .NET loader, which loads the second payload and calls the type \"vjp5ZPP9AidVjXxofy\" and method \"s7tajdxvX\". The loader (MD5: 779940f675ff4ab4e8cab7a1b7cf5d3c) will first enumerate the loaded .NET modules looking for the above class and method. If they exist, it will execute that module. If the module is not loaded, the assembly is loaded and then executed in memory. The backdoor will then pass the string “AD”, if the payload is already executing as Administrator, or the path to a temporary file on disk, directly to the loaded .NET module. This temporary file is created by taking the content of Software\\AppDataLoad\\GLX\\aex and writing it to the Windows %TEMP% directory with the name APPX.\u003crandom_values\u003e.tmp. This file is a copy of the backdoor itself. If the payload can’t resolve the export CP from the loader, it reverts to invoking PowerShell with the following command, passing in the path to the second payload, the type and method, and either AD or the path to the second module:\r\n[Reflection.Assembly]::LoadFile(\\\"%s\\\")\\n$i=\\\"\\\"\\n$r=[%s]::%s(\\\"%s\\\",[ref] $i)\\necho $r,$i\\n\r\nExecution will then proceed within the second payload (MD5: 3633b3d69060a5882656b69f81655f0a), responsible for ensuring that the payload is running with administrator privileges. This payload is obfuscated by Reactor and contains encrypted strings used throughout the execution. Upon execution, the payload will create the mutexes “rerunadmn” and “subttoadmn”. The module utilises the following techniques to execute the payload as administrator:\r\n1. Makes use of the Windows “SilentCleanup” scheduled task. This task executes the executable running in %windir%\\system32\\cleanmgr.exe, and the payload uses the Windows Registry Environment key to change the %windir% variable to point to c:\\Windows. Next, the payload creates a new System32 folder and copies an embedded payload called cleanmgr.exe (MD5: 779940f675ff4ab4e8cab7a1b7cf5d3c) into this folder, alongside a .cfg file with the content “slc”. Following this, the task is executed. This technique is similar to a technique within Metasploit called bypassuac_silentcleanup.\r\n2. Makes use of the Windows CMSTP.exe binary to install a malicious Microsoft Connection Manager Profile on the device. This technique drops cln.vbs to the c:\\windows\\temp folder (MD5: 7a77c2930f0457ed2dd622e9739c7d3d), then creates a .ini file for the Ethernet service. Within this ini file, the payload contains two RunPreSetupCommandsSection values, one for the payload itself, and the second for executing the cln.vbs script. The legitimate cmstp.exe will then be executed on the host, which executes the backdoor and then the clean-up script. This technique is identical to a technique made public in 2017 by Oddvar Moe.\r\nCHIMNEYSWEEP has the following major functionality:\r\nScreenshot collection: Takes screenshots of the compromised device on a timer and stores them to disk, or can be tasked to take a screenshot and upload it.\r\nFile collection and listing: Monitors for new removable drives and performs directory listing on demand, enumerates directories for files that match a set list, and can be tasked to upload a file to the command-and-control server.\r\nKeylogging: Monitors the content of the clipboard and performs key logging to disk.\r\nReverse shell: Contains a reverse shell which can be utilised by the attacker.\r\nInitial configuration format\r\nThe backdoor contains settings that are found either encrypted within the payload or stored in the registry (Software\\AppDataLow\\GLX\\Setting). The values stored in the registry will be provided from the update mechanism. The configuration is split using the tags {BEGIN} and \u0026{END}, and each value within the settings is referenced by an integer. For extracting the C\u0026C values, the parser stores a reference to values 30-39 where each reference can be a different C\u0026C and URI in order.
\r\nFigure 9: Example C\u0026C configuration\r\nBased on our analysis we assess that the IDs correspond to the following settings:\r\nId | Purpose\r\n1 | Perform file collection\r\n2 | Perform directory listing of new drives\r\n3 | Perform key logging\r\n4 | Monitor clipboard data\r\n5 | Boolean value as to whether the actor should take screenshots\r\n6 | The timeout value between each screenshot\r\n7 | Default JPEG quality for BMP2JPGpourVBFrance export\r\n8 | Execute system information command\r\n9-29 | Missing\r\n30-39 | C\u0026C information\r\n40 | File collection config\r\nTable 1: Configuration keys\r\nNetwork communications and commands\r\nDuring the initialisation of CHIMNEYSWEEP, a thread is created which makes HTTP GET requests to https://api.telegram.org/\u003crandom_value\u003e. The response is checked for the string \"{\"ok\":false,\" and if that string is present, the threat actor attempts to use Telegram for C\u0026C communications.\r\nThe threat actor used the following Telegram bots:\r\nURI Path | Bot username | Bot real name | Channel id\r\nbot661217919:AAG9PrAybrKF5y8HxMA14THNZtWXw5Sv4w | net21007bot | net21007 | -1001262963819\r\nbot692407219:AAFlfj9N3gx7vCJlsFi3Ej0qzZgpL8CNmj0 | net11007bot | net11007 | -1001188059110\r\nTable 2: Telegram channels by actor\r\nThese Telegram channels appear to have been in use by the threat actor for a significant period and have messages in the hundreds of thousands which relate to individual tasks. The backdoor uses Telegram’s GetUpdates API endpoint, which returns a list of messages for the bot. The backdoor then parses this data to execute specific commands, download additional payloads, or to create a reverse shell. Data sent and received by the Telegram channel are encoded using Base64 and the same alphabet as ROADSWEEP.
\r\nWithin the context of Telegram, CHIMNEYSWEEP uses a unique identifier for the victim based on the computer name and username, prefixed with TL. This ID is used for filtering commands for the specific device:\r\nTL_\u003ccomputer_name\u003e-\u003cuser_name\u003e\r\nFollowing the victim identifier, the backdoor uses the string 1 to indicate a task for the update process and 2 to indicate a command to execute on the host.\r\nIf Telegram is not available, the threat actor communicates with threat actor-owned infrastructure. This infrastructure is embedded within the payload and may include one or multiple of the following:\r\nhttp://skype.se[.]net/cm.php\r\nhttp://update-real[.]com/cm.php\r\nhttp://windowsupadates[.]com/cm.php\r\nhttp://update-pgp[.]com/cm.php\r\nhttp://uk2privat[.]com/cm.php\r\nhttp://server-avira[.]com/cm.php\r\nhttp://pgp.eu[.]com/cm.php\r\nhttp://cloud-avira[.]com/cm.php\r\nhttp://telegram-update[.]com/cm.php\r\nhttp://avira[.]ltd/cm.php\r\nThe C\u0026C communication protocol consists of several HTTP requests to the server using the argument “do” to specify the command id and “arg” to transfer associated data. Communication to these servers is done with a specific User-Agent, which includes the victim's computer name and username in the following format:\r\n\u003cstatus_code\u003e:---:\u003cComputer_Name\u003e-\u003cUser_Name\u003e:---:init:---:www:---:MNEW\r\nUpon initialization, the backdoor will create two networking threads, one for managing updates and the second for managing tasking:\r\nCommand Id | Purpose | Response\r\n(id missing) | Start the plugin update process | Updates settings within the backdoor like the current C\u0026C for this communication channel or the settings in the registry\r\n2 | Update the core backdoor | RC4 encrypted executable, which is written to the disk, time stomped to be between 2010-2021, then executed. The backdoor uses the mutex \"runupdate\" before executing the executable, then after the process returns, will check for the mutex \"runupdateok\". If this mutex exists, the backdoor instance which requested the update is terminated.\r\n20 | Download and execute a file | RC4 encrypted data which is written to disk, then executed.\r\n22-28 | Download additional plugins | RC4 encrypted data which will be written to registry values. The purpose of these plugins is not fully understood, although Mandiant was able to ascertain that \"p22jpd\" is used for the screenshot converter.\r\nTable 3: Update communications\r\nUpdate process\r\nCHIMNEYSWEEP can update itself by downloading an executable. Mandiant was unable to obtain a copy of this updater. However, this update mechanism likely executes the Control_Provider export. This export establishes a number of mutexes including: runupdateok, baserun, heyirunadmn and corerun. The updater logic first creates the mutex runupdate, which is checked by Control_Provider, then waits for the runupdateok mutex before killing itself.
\r\nTasking communications \r\nA second thread is started to handle incoming tasking from either the C\u0026C server or Telegram. The command effectively\r\nworks by downloading a request from the server, then parsing this request into a format that is then parsed by\r\nCHIMNEYSWEEP. Payloads are delivered either using the custom Base64 algorithm for Telegram, or in plain text for the\r\nstandard C\u0026C server.\r\nMandiant was unable to identify each individual field used and believe these may be reserved for future, or used with\r\nhistoric iterations of the backdoor. \r\nCommands are made up of 12 distinct arguments encased in square braces. As shown in Figure 10:\r\nFigure 10: Tasking command structure\r\n The backdoor checks for the existence of the \"[Z]\", and that the string ends with a \"]\". The arguments are then passed\r\nback to the main C\u0026C loop. The timeout is the value in seconds that is slept prior to executing any command on the\r\nsystem. \r\nFigure 11: CHIMNEYSWEEP command parsing\r\nThe following commands are supported in variants analysed by Mandiant: \r\nCommand\r\nId \r\nPurpose  Response \r\n40  Execute a task on host  See Tasking \r\n41  Upload a screenshot  Uploads a sc \r\n200 \r\nUpdate screenshot settings\r\nand upload a screenshot \r\nTakes a screenshot using either the b.j file from the covert store or\r\nthe Windows APIs, store the screenshot on disk then upload to the\r\nC2. \r\nTable 4: Tasking communication task list\r\nTasking \r\nCHIMNEYSWEEP enables two distinct routes to execute commands on the box, a reverse shell and an interactive custom\r\ncommand prompt. 
In addition to this, the backdoor enables the threat actor to reboot or shutdown the system or logoff the\r\ncurrent user. \r\nCommand  Action \r\n100  Start the custom command prompt \r\n101  Start a reverse shell \r\n102  Shutdown the system using shutdown /s /t 0 /f \r\n103  Reboot the system using shutdown /r /t 0 /f \r\n104  Logoff the current user using shutdown /l /f \r\nTable 5: Command options for local task\r\nFigure 12: Command options\r\n For both shells, the command creates a socket to the address and port in the original packet. For the reverse shell, a\r\ncmd.exe process is started with the pipes set to the socket. A packet is sent to the C\u0026C server to inform it that a shell is\r\nstarting. This packet consists of the following string \"CSP\u003e\u003ccomputer_identifier\u003e\u003e\", upon termination of the shell by the\r\nuser, the string \"DC\u003e\u003ccomputer_identifier\u003e\u003e\" is sent. \r\nThe custom command prompt allows the following commands: \r\nCS - Used to indicate the start of a command session along with the computer_identifier \r\nLD - List drivers \r\nLP - list files in path \r\nLPG - Not implemented \r\nSF - Opens a file, returns the file size \r\nSFG - Opens the file and uploads the content in chunks of 0x400 bytes \r\nRF - Retrieves a file and writes to disk \r\nREN - Rename a file \r\nDEL - Delete a file \r\nDELF - Delete a directory \r\nCRTD - Creates a directory \r\nEXEC - Executes a command on disk \r\nDC - Disconnects the shell \r\nHI - Return \"OOK\u003e\" \r\nScreenshot function  \r\nCHIMNEYSWEEP can be configured to take the screenshots and if the JPEG converter plugin (stored in the p22jpd\r\nregistry value) is present, convert the images to JPEG. The JPEG settings can be configured by the threat actor in the\r\nrequest as discussed above. 
Screenshots are taken using the Windows APIs and written to disk in the covert store with the\r\nname APPX.%x%x%x%x%x.tmp, where each %x is a random value.\r\nDepending on whether the JPEG plugin exists, CHIMNEYSWEEP will either copy the temporary file into the requested\r\nfile, or using the plugin, convert the bitmap into a JPEG as defined by the command. \r\nThe output value is then either uploaded to Telegram or the C\u0026C server using command 41. Mandiant was able to obtain a\r\nJPEG plugin with the MD5 hash 87574fa34cfbe592d6097b8d36e00313. \r\nFigure 13: Example C\u0026C tasking to collect a screenshot\r\nSys info commands \r\n@echo off @CHCP 65001 @set t=\"%cd%\\ni\" @set f=\"%cd%\\i1\" @cd %SystemRoot%\\system32 @echo\r\n{{WMIC_AntiVirusProduct}}\u003e%t% @wmic /failfast:on /append:%t% /namespace:\\\\root\\SecurityCenter2 path\r\nAntiVirusProduct get /value @echo {{WMIC_AntiSpywareProduct}}\u003e\u003e%t% @wmic /failfast:on /append:%t%\r\n/namespace:\\\\root\\SecurityCenter2 path AntiSpywareProduct get /value @echo\r\n{{WMIC_FirewallProduct}}\u003e\u003e%t% @wmic /failfast:on /append:%t% /namespace:\\\\root\\SecurityCenter2 path\r\nFirewallProduct get /value @echo {{WMIC_OS}}\u003e\u003e%t% @wmic /failfast:on /append:%t% OS get /value @echo\r\n{{WMIC_TIMEZONE}}\u003e\u003e%t% @wmic /failfast:on /append:%t% TIMEZONE get /value @echo\r\n{{WMIC_LOGON}}\u003e\u003e%t% @wmic /failfast:on /append:%t% LOGON get /value @echo\r\n{{WMIC_DESKTOP}}\u003e\u003e%t% @wmic /failfast:on /append:%t% DESKTOP get /value @echo\r\n{{WMIC_DESKTOPMONITOR}}\u003e\u003e%t% @wmic /failfast:on /append:%t% DESKTOPMONITOR get /value @echo\r\n{{WMIC_BASEBOARD}}\u003e\u003e%t% @wmic /failfast:on /append:%t% BASEBOARD get /value @echo\r\n{{WMIC_BIOS}}\u003e\u003e%t% @wmic /failfast:on /append:%t% BIOS get /value @echo 
{{WMIC_CPU}}\u003e\u003e%t% @wmic\r\n/failfast:on /append:%t% CPU get /value @echo {{WMIC_SOUNDDEV}}\u003e\u003e%t% @wmic /failfast:on /append:%t%\r\nSOUNDDEV get /value @echo {{WMIC_LOGICALDISK}}\u003e\u003e%t% @wmic /failfast:on /append:%t% LOGICALDISK\r\nget /value @echo {{WMIC_CDROM}}\u003e\u003e%t% @wmic /failfast:on /append:%t% CDROM get /value @echo\r\n{{WMIC_PRINTERCONFIG}}\u003e\u003e%t% @wmic /failfast:on /append:%t% PRINTERCONFIG get /value @echo\r\n{{WMIC_USERACCOUNT}}\u003e\u003e%t% @wmic /failfast:on /append:%t% USERACCOUNT get /value @echo\r\n{{WMIC_SHARE}}\u003e\u003e%t% @wmic /failfast:on /append:%t% SHARE get /value @echo\r\n{{WMIC_STARTUP}}\u003e\u003e%t% @wmic /failfast:on /append:%t% STARTUP get /value @echo\r\n{{WMIC_PROCESS}}\u003e\u003e%t% @wmic /failfast:on /append:%t% PROCESS get /value @echo\r\n{{WMIC_SERVICE}}\u003e\u003e%t% @wmic /failfast:on /append:%t% SERVICE get /value @echo\r\n{{WMIC_SYSDRIVER}}\u003e\u003e%t% @wmic /failfast:on /append:%t% SYSDRIVER get /value @echo\r\n{{WMIC_PAGEFILE}}\u003e\u003e%t% @wmic /failfast:on /append:%t% PAGEFILE get /value @echo\r\n{{WMIC_PAGEFILE}}\u003e\u003e%t% @wmic /failfast:on /append:%t% PAGEFILE get /value   @echo\r\n{{SYSTEMINFO}}\u003e\u003e%t% @SYSTEMINFO\u003e\u003e%t% @echo {{Reg_Uninstall}}\u003e\u003e%t% @REG QUERY\r\n\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"  /s\u003e\u003e%t% @echo\r\n{{Reg_TerminalServerClient}}\u003e\u003e%t% @REG QUERY \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server\r\nClient\\Default\"  /s\u003e\u003e%t% @echo {{BOOTCFG}}\u003e\u003e%t% @BOOTCFG\u003e\u003e%t% @echo\r\n{{IPCONFIG/All}}\u003e\u003e%t% @IPCONFIG /ALL\u003e\u003e%t% @echo {{whoami}}\u003e\u003e%t% @whoami\u003e\u003e%t% @echo {{net user\r\n/domain}}\u003e\u003e%t% @net user /domain\u003e\u003e%t% @echo {{net 
user}}\u003e\u003e%t% @net user\u003e\u003e%t% @echo {{net user\r\nAdministrator}}\u003e\u003e%t% @net user Administrator\u003e\u003e%t% @echo {{net localgroup administrators}}\u003e\u003e%t% @net\r\nlocalgroup administrators\u003e\u003e%t% @echo {{net group /domain }}\u003e\u003e%t% @net group /domain\u003e\u003e%t% @echo {{net group\r\n\"domain admins\" /domain}}\u003e\u003e%t% @net group \"domain admins\" /domain\u003e\u003e%t% @echo {{net view}}\u003e\u003e%t% @net\r\nview\u003e\u003e%t% @echo {{net use}}\u003e\u003e%t% @net use\u003e\u003e%t% @echo {{net share}}\u003e\u003e%t% @net share\u003e\u003e%t% @echo\r\n{{route print}}\u003e\u003e%t% @route print\u003e\u003e%t% @echo {{net localgroup}}\u003e\u003e%t% @net localgroup\u003e\u003e%t% @echo {{net\r\ngroup \"Exchange Trusted Subsystem\" /domain}}\u003e\u003e%t% @net group \"Exchange Trusted Subsystem\"\r\n/domain\u003e\u003e%t% @echo {{net accounts /domain}}\u003e\u003e%t% @net accounts /domain\u003e\u003e%t% @echo {{net\r\naccounts}}\u003e\u003e%t% @net accounts\u003e\u003e%t% @echo {{netstat -an}}\u003e\u003e%t% @netstat -an\u003e\u003e%t% @echo\r\n{{set}}\u003e\u003e%t% @set\u003e\u003e%t% @echo {{tasklist}}\u003e\u003e%t% @tasklist\u003e\u003e%t% @echo {{dir c:\\ }}\u003e\u003e%t% @dir c:\\\r\n\u003e\u003e%t% @echo {{dir d:\\ }}\u003e\u003e%t% @dir d:\\ \u003e\u003e%t% @echo {{dir e:\\ }}\u003e\u003e%t% @dir e:\\ \u003e\u003e%t% @echo {{dir\r\nf:\\}}\u003e\u003e%t% @dir f:\\\u003e\u003e%t% @echo {{dir g:\\}}\u003e\u003e%t% @dir g:\\\u003e\u003e%t% @echo {{dir Desktop}}\u003e\u003e%t% @dir\r\n%appdata%\\..\\..\\Desktop\u003e\u003e%t% @echo {{dir C:\\Users}}\u003e\u003e%t% @dir C:\\Users\u003e\u003e%t% @echo {{dir \"C:\\Program\r\nFiles\"}}\u003e\u003e%t% @dir \"C:\\Program Files\"\u003e\u003e%t% @echo {{dir \"C:\\Program Files (x86)\"}}\u003e\u003e%t% @dir \"C:\\Program\r\nFiles (x86)\"\u003e\u003e%t% @echo {{dir C:\\ProgramData}}\u003e\u003e%t% @dir C:\\ProgramData\u003e\u003e%t% @echo {{tracert -d -4 
-w 1500\r\n8.8.8.8}}\u003e\u003e%t% @tracert -d -4 -w 1500 8.8.8.8\u003e\u003e%t% @echo {{ping 8.8.8.8}}\u003e\u003e%t% @ping 8.8.8.8\u003e\u003e%t% @echo\r\n{{ping gitlab.com}}\u003e\u003e%t% @ping gitlab.com\u003e\u003e%t% @echo {{ping mail.google.com}}\u003e\u003e%t% @ping\r\nmail.google.com\u003e\u003e%t% @echo {{ping google.com}}\u003e\u003e%t% @ping google.com\u003e\u003e%t% @echo {{ping\r\nmf.local}}\u003e\u003e%t% @ping mf.local\u003e\u003e%t% @echo {{DATE-TIME}}\u003e\u003e%t% @date /T\u003e\u003e%t% @time /T\u003e\u003e%t% @echo\r\n{{END}}\u003e\u003e%t% @del /q /f %f% @more\u003c%t%\u003e%f% @del /q /f %t% @exit \r\nMITRE ATT\u0026CK Techniques\r\nID Technique\r\nT1007 System Service Discovery\r\nT1012 Query Registry\r\nT1027 Obfuscated Files or Information\r\nT1033 System Owner/User Discovery\r\nT1055 Process Injection\r\nT1057 Process Discovery\r\nT1070.004 File Deletion\r\nT1070.006 Timestomp\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1087 Account Discovery\r\nT1112 Modify Registry\r\nT1113 Screen Capture\r\nT1134 Access Token Manipulation\r\nT1489 Service Stop\r\nT1497.001 System Checks\r\nT1518 Software Discovery\r\nT1543.003 Windows Service\r\nT1569.002 Service Execution\r\nT1622 Debugger Evasion\r\nYara Rules \r\nrule M_Disrupt_ROADSWEEP_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Identifies the encryption key used within ROADSWEEP\"\r\n strings:\r\n $ = {C6 45 D5 E4 C6 45 D6 B1 C6 45 D7 6B C6 45 D8 22 C6 45 D9 B5 C6 45 DA 88 C6 45 DB 94 C6 45 DC AA C6 45 DD 86\r\n condition:\r\n all of them\r\n}\r\nrule M_Disrupt_ZEROCLEAR_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Identifies code sequences in ZEROCLEAR\"\r\n strings:\r\n $ = \"B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D\" wide\r\n $ = \"wp starts!\"\r\n 
$ = \"un start!\"\r\n $ = \"in start!\"\r\ncondition:\r\n all of them\r\n}\r\nrule M_Backdoor_CHIMNEYSWEEP_1\r\n{\r\n meta:\r\nauthor = \"Mandiant\"\r\n description = \"Detects strings found in CHIMNEYSWEEP\"\r\n strings:\r\n $ = \"%sAPPX.%x%x%x%x%x.tmp\"\r\n $ = \"rerunadmn\"\r\n $ = \"runupdate\"\r\n $ = \"runupdateok\"\r\n $ = \"baserun\"\r\n $ = \"heyirunadmn\"\r\n $ = \"subttoadmn\"\r\n $ = \"ttrundll\"\r\n $ = \"{\\\"ok\\\":false,\"\r\n $ = \"TL_%s-%s\"\r\n $ = \"|**|Net1NOFILE|**|\"\r\n $ = \"%s:---:%s-%s:---:%s:---:www:---:MNEW\"\r\n condition:\r\n uint16(0) == 0x5A4D and 8 of them\r\n}\r\nimport \"pe\"\r\nrule M_Backdoor_CHIMNEYSWEEP_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects encrypted data found in CHIMNEYSWEEP\"\r\n strings:\r\n $key = {C6 45 D5 E4 C6 45 D6 B1 C6 45 D7 6B C6 45 D8 22 C6 45 D9 B5 C6 45 DA 88 C6 45 DB 94 C6 45 DC AA C6 45 DD\r\n $encoded_config = {FA c0 c7 e5}\r\n $encoded_bot = {AE E0 ED D6}\r\n condition:\r\n uint16(0) == 0x5A4D and all of them and (pe.exports(\"RatingSetupUI\") or pe.exports(\"A\"))\r\n}\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against"
	],
	"report_names": [
		"likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against"
	],
	"threat_actors": [
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34d520633f596351943711deccaf4739445b815e.pdf",
		"text": "https://archive.orkl.eu/34d520633f596351943711deccaf4739445b815e.txt",
		"img": "https://archive.orkl.eu/34d520633f596351943711deccaf4739445b815e.jpg"
	}
}