Skip to content

Hide Navigation Hide TOC

Group5 - G0043 (7331c66a-5601-4d3f-acf6-ad9e3035eb40)

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)

Cluster A Galaxy A Cluster B Galaxy B Level
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Group5 - G0043 (7331c66a-5601-4d3f-acf6-ad9e3035eb40) Intrusion Set 1
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Group5 - G0043 (7331c66a-5601-4d3f-acf6-ad9e3035eb40) Intrusion Set 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Group5 - G0043 (7331c66a-5601-4d3f-acf6-ad9e3035eb40) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Group5 - G0043 (7331c66a-5601-4d3f-acf6-ad9e3035eb40) Intrusion Set 1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Group5 - G0043 (7331c66a-5601-4d3f-acf6-ad9e3035eb40) Intrusion Set 1
njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware Group5 - G0043 (7331c66a-5601-4d3f-acf6-ad9e3035eb40) Intrusion Set 1
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
NanoCore - S0336 (b4d80f8b-d2b9-4448-8844-4bef777ed676) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern njRAT - S0385 (d906e6f7-434c-44c0-b51a-ed50af8f7945) Malware 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617) Attack Pattern 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 3
Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) Attack Pattern 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3