AA22-264A Iranian Cyber Actors Conduct Cyber Operations Against the Government of Albania
Indicators
On September 21, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September 2022. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks dating back to May 2022. This activity has been attributed to Iranian state cyber actors identifying as HomeLand Justice.
For more information about this activity, including detection and mitigation recommendations, see the Advisory "AA22-264A Iranian Cyber Actors Conduct Cyber Operations Against the Government of Albania."
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:WHITE: Disclosure is not limited. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
2022-09-22T00:00:00Z
Reconnaissance - Gather Victim Network Information [T1590]
Initial Access - Exploit Public-Facing Application [T1190]
Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]
Persistence - Create Account [T1136]
Privilege Escalation - Exploitation for Privilege Escalation [T1068]
Defense Evasion - Deobfuscate/Decode Files or Information [T1140]
Defense Evasion - Modify Registry [T1112]
Defense Evasion - Obfuscated Files or Information [T1027]
Credential Access - OS Credential Dumping: LSASS Memory [T1003.001]
Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]
Lateral Movement - Remote Services: SMB/Windows Admin Shares [T1021.002]
Command and Control - Standard Application Layer Protocol [T1071]
Exfiltration - Exfiltration Over Web Service [T1567]
Impact - Data Encrypted for Impact [T1486]
Impact - Disk Wipe [T1561]