@flaing
Created January 30, 2020 00:57
24 Iranian threat actors and their ways
\subsection{APT Threats Sponsored by Iranian Government}
Behind some of the most damaging APT campaigns against civil society, industry and government in Western democracies, there are 24 Iranian state-sponsored threat actors worth attention. Each entry lists the aliases assigned by different vendors (vendor in parentheses) followed by the tools publicly associated with the group. Note that many of these groups share commodity tooling such as Mimikatz, LaZagne, PowerSploit and Empire, so overlap in tools alone is weak evidence for attribution.
\textbf{Cutting Kitten} Aliases: Cutting Kitten (CrowdStrike), TG-2889 (SecureWorks).
{\footnotesize Tools: CsExt, Jasus, KAgent, Net Crawler, PvcOut, SynFlooder, TinyZBot, WndTest and ZhMimikatz.}
\textbf{DNSpionage} Aliases: DNSpionage (Cisco Talos). Known for DNS hijacking against government and infrastructure domains; its implant focuses on host reconnaissance and uses DNS as a covert command-and-control channel.
{\footnotesize Tools: DNSpionage and Karkoff.}
\textbf{Mabna Institute} Aliases: Mabna Institute (real name, named in the 2018 US Department of Justice indictment), Silent Librarian (Proofpoint), Cobalt Dickens (SecureWorks). Focuses on credential phishing against universities and research institutions.
\textbf{MuddyWater} Aliases: MuddyWater (Palo Alto), Seedworm (Symantec), TEMP.Zagros (FireEye), Static Kitten (CrowdStrike).
{\footnotesize Tools: ChromeCookiesView, chrome-passwords, CLOUDSTATS, CrackMapExec, DELPHSTATS, EmpireProject, FruityC2, Koadic, LaZagne, Meterpreter, Mimikatz, MZCookiesView, PowerSploit, POWERSTATS, SHARPSTATS, Shoorback and Smbmap.}
\textbf{Domestic Kitten} focuses on mobile (Android) spyware used for surveillance of individuals; reported by Check Point.
\textbf{DarkHydrus} Aliases: DarkHydrus (Palo Alto), LazyMeerkat (Kaspersky).
{\footnotesize Tools: Cobalt Strike, Mimikatz, Phishery and RogueRobin.}
\textbf{Clever Kitten} Aliases: Clever Kitten (CrowdStrike), Group 41 (Talos).
{\footnotesize Tools: Acunetix Web Vulnerability Scanner, PHP webshell RC SHELL.}
\textbf{Flying Kitten} Aliases: Flying Kitten (CrowdStrike), Ajax Security Team (FireEye), Group 26 (Talos). {\footnotesize Tools: Sayyad and Stealer.}
\textbf{Group5} {\footnotesize Tools: DroidJack, NanoCore RAT and njRAT}
\textbf{Madi} Aliases: Madi (Kaspersky), Mahdi (Seculert).
{\footnotesize Tools: Madi}
% The Madi attacks qualify as APT, however, because they also go after industrial designs, meaning there is IP theft, he said. Once on a system, Madi is capable of not only stealing data from infected Windows machines, but also monitoring email and instant messages, recording audio, capturing keystrokes, and taking screenshots of victims' computers. Researchers at Seculert and Kaspersky worked in concert to sinkhole the malware's command and control servers and analyze eight months of the campaign. Their efforts uncovered a targeted attack campaign with more than 800 victims in Iran, Israel, and other countries from around the globe.
\textbf{Izz ad-Din al-Qassam Cyber Fighters} Aliases: Izz ad-Din al-Qassam Cyber Fighters (self-declared), Operation Ababil (name of the DDoS campaign). Focuses on DDoS against financial institutions.
% Since September 2012, nearly 50 U.S. financial institutions have been targeted in over 200 distributed denial of service (DDoS) attacks, according to the U.S. Department of Homeland Security. A Middle Eastern hacking collective known as the Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the assaults, and U.S. intelligence officials have repeatedly blamed the attacks on hacker groups backed by the Iranian government.
\textbf{Chafer} Aliases: Chafer (Symantec), APT 39 (Mandiant). {\footnotesize
Tools: ASPXSpy, CACHEMONEY, EternalBlue, HTTPTunnel, MechaFlounder, Mimikatz, NBTScan, Non-sucking Service Manager (NSSM), Plink, POWBAT, Pwdump, Remcom, Remexi, SEAWEED, SMB hacking tools, UltraVNC and Windows Credential Editor.}
\textbf{Cadelle} {\footnotesize Tools: ANTAK and Cadelspy.}
\textbf{Prince of Persia} Aliases: Infy (Palo Alto), Prince of Persia (Palo Alto), Operation Mermaid (360).
{\footnotesize Tools: Foudre, Infy and Mermaid.}
% Some victims infected with Infy versions 15-24 still used the C2 server us1s2[.]strangled[.]net, which remained in the hands of the attacker. In early June the attackers used this C2 to issue instructions to download new Infy “M” version 8.0 from us1s2[.]strangled[.]net/bdc.tmp. This was the first time we had observed an Infy variant being directly updated to Infy “M”. This used camouflage name “Macromedia v4”, changed from “v3” seen in Infy v31. They also removed the voice recording capability in this version.
% https://unit42.paloaltonetworks.com/unit42-prince-of-persia-game-over/
\\
\textbf{Iridium} {\footnotesize Tools: China Chopper, Cknife webshells, LazyCat and reGeorg.}
\textbf{Leafminer} Aliases: Leafminer (Symantec), Raspite (Dragos). {\footnotesize Tools: Imecab, LaZagne, PhpSpy and Mimikatz.}
\textbf{Sima} {\footnotesize Tools: Sima}
\textbf{Gold Lowell} Aliases: Gold Lowell (SecureWorks), Boss Spider (CrowdStrike). Financially motivated: operates the SamSam ransomware. {\footnotesize Tools: Mimikatz, PSExec and SamSam.}
\textbf{OilRig} Aliases: OilRig (Palo Alto), APT 34 (FireEye), Helix Kitten (CrowdStrike), Twisted Kitten (CrowdStrike), Crambus (Symantec), Chrysene (Dragos). {\footnotesize Tools: Alma Communicator, BONDUPDATER, certutil, DistTrack, Fox Panel, Glimpse, GoogleDrive RAT, Helminth, HighShell, HyperShell, IRN2, ISMAgent, ISMDoor, ISMInjector, Jason, LaZagne, Mimikatz, OopsIE, PoisonFrog, POWRUNER, QUADAGENT, RGDoor, SEASHARPEE, Shamoon, SpyNote, StoneDrill, Systeminfo, Tasklist, TwoFace and Webmask.}
\\
%
\textbf{CopyKittens} Aliases: CopyKittens (Trend Micro), Slayer Kitten (CrowdStrike). {\footnotesize Tools: Cobalt Strike, Empire, Matryoshka, TDTESS, Vminst and ZPP.}
\textbf{Charming Kitten} Aliases: Charming Kitten (CrowdStrike), Newscaster (iSIGHT Partners), NewsBeef (Kaspersky), Group 83 (Talos), Parastoo (Flashpoint). {\footnotesize Tools: DownPaper, FireMalv, MacDownloader and Stealer Builder.}
\textbf{Greenbug} Aliases: Greenbug (Symantec). Focuses on espionage. Symantec linked it to the Shamoon 2 wiper (W32.Disttrack.B) because Greenbug's ISMDoor backdoor was found on hosts that were later wiped, suggesting the group harvested the credentials Shamoon needed. Shamoon was first used in 2012 against Saudi Aramco and has been aimed primarily at energy companies in Saudi Arabia. {\footnotesize Tools: ISMAgent (win.ismagent), ISMDoor (win.ismdoor).}
\textbf{Magic Hound} Aliases: Magic Hound (Palo Alto), APT 35 (Mandiant), Cobalt Gypsy (SecureWorks), Rocket Kitten (CrowdStrike), TEMP.Beanie (FireEye), Timberworm (Symantec), Tarh Andishan (Cylance). {\footnotesize Tools: CWoolger, DistTrack, FileMalv, Ghambar, Ghole, Havij, Leash, Matryoshka RAT, Mimikatz, MPKBot, NETWoolger, PupyRAT, sqlmap, TDTESS and Woolger.}
\textbf{Elfin} Aliases: APT 33 (Mandiant), Elfin (Symantec), Magnallium (Dragos). {\footnotesize Tools: AutoIt backdoor, DarkComet, DROPSHOT, Empire, LaZagne, Mimikatz, NanoCore RAT, NETWIRE RC, PoshC2, PowerSploit, POWERTON, PupyRAT, QuasarRAT, Remcos, Ruler, Shamoon, SHAPESHIFT and TURNEDUP.}