Group5

Also known as: G0043, Group5

Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. [Citizen Lab Group5]

📅 Activity 2016 — 2016
🧭 ATT&CK G0043

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

ATT&CK technique IDs (denormalized)

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

  • SPACESHIP
  • PowerDuke
  • POWERSTATS
  • Power Loader
  • POWERSOURCE
  • DroidJack
  • Androrat
  • Windows Remote Desktop
  • Archelaus Beta
  • PowerRAT

MITRE ATT&CK Software

Attribution and Evidence

Information pending cataloguing.

References

[1] MITRE ATT&CK. Group5 (G0043).
[3] Citizen Lab Group5: Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.