Stop and Smell the “Saffron Rose” by StealthWatch Labs

Using IOCs to uncover advanced attacks

This week, FireEye produced a report on “Operation Saffron Rose,” a cyber espionage campaign launched by an Iranian hacking group known as the Ajax Security Team. In the report, FireEye notes that Iranian hackers are quickly transitioning from hacktivism in the form of website defacements and DDoS attacks into more sophisticated, targeted attacks designed to steal data. Using a potent mix of social engineering and custom malware, this group has been targeting both Iranian dissidents (by spear phishing and injecting malware into anti-censorship tools) and U.S. defense organizations.

As with other targeted attacks, it is possible that this campaign will also spread to other, unintended victims. While U.S. government organizations should be on high alert, it is important for all organizations to be able to detect and thwart this and other high-profile attacks within their networks.

Operation Saffron Rose employs a malware family appropriately named ‘Stealer’ in order to collect a plethora of confidential and sensitive data from victims’ systems. Analysis of the malware by FireEye uncovered a multitude of Indicators of Compromise (IOCs) that organizations can search for within their networks to help determine whether or not they are a victim, and if so, quickly respond to the incident.

By using Lancope’s StealthWatch System to collect and analyze NetFlow, organizations can perform a flow query based on IOCs such as IP addresses and domain names to obtain evidence of a specific attack within their environment. This previous Lancope blog post explains exactly how to search for IOCs and leverage the query results.

In the case of Operation Saffron Rose, the FireEye report outlines many IOCs used to carry out the attacks. The attackers made wide use of deceptive domain names to lure their victims. The figures on pp. 13–15 of the report list the attacker IP addresses and domain names that can be searched for.
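As an added illustration (not Lancope's or FireEye's code, and not a StealthWatch query), the script below shows the matching that an IOC search over network data has to do: it parses a defanged IOC listing, checks flow records against the IP indicators, and checks DNS queries against the domain indicators, matching subdomains but not lookalike names. All IOC values, flow records and DNS entries are constructed placeholders, not the indicators from the report.

```python
import ipaddress

# Constructed, defanged ("[.]") IOC listing; placeholder values, not the report's.
IOC_TEXT = """
IPs:
192.0.2.10
198.51.100.23
Domains:
login-verify[.]example
update-mirror[.]example
"""
# Constructed NetFlow-style records: (start, src, dst, dst port, bytes).
FLOWS = [
    ("2014-05-14T09:01:02", "10.1.5.20", "192.0.2.10", 443, 48213),
    ("2014-05-14T09:03:11", "10.1.5.21", "203.0.113.7", 80, 1200),
    ("2014-05-14T09:04:40", "198.51.100.23", "10.1.5.22", 4443, 930),
]
# Constructed DNS query log (flows carry only IPs, so domains are checked here).
DNS_QUERIES = [
    ("2014-05-14T09:00:58", "10.1.5.20", "cdn.login-verify.example"),
    ("2014-05-14T09:02:30", "10.1.5.21", "mail.example.org"),
    ("2014-05-14T09:05:00", "10.1.5.23", "update-mirror.example.evil.test"),
]

def parse_iocs(text):
    """Split a defanged IOC listing into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for line in text.splitlines():
        token = line.strip().replace("[.]", ".").lower()
        if not token or token.endswith(":"):
            continue  # blank line or a section header such as "IPs:"
        try:
            ips.add(str(ipaddress.ip_address(token)))
        except ValueError:
            domains.add(token.rstrip("."))
    return ips, domains

def domain_matches(name, domains):
    """True if name equals an IOC domain or is a subdomain of it (not a lookalike)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def find_hits(flows, dns_queries, ioc_text=IOC_TEXT):
    """Return flow records and DNS queries that touch an IOC, oldest first."""
    ips, domains = parse_iocs(ioc_text)
    hits = [(ts, "flow", src, dst) for ts, src, dst, _port, _b in flows
            if src in ips or dst in ips]
    hits += [(ts, "dns", client, qname) for ts, client, qname in dns_queries
             if domain_matches(qname, domains)]
    return sorted(hits)
```

The third DNS entry is deliberately a lookalike that merely starts with an IOC domain; the suffix check leaves it out, which is the kind of false positive a naive substring search would report.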

Whether or not you believe your organization is a victim of this particular attack, having the ability to search for IOCs within your network is crucial for surviving amidst today’s increasingly complex threat landscape.