Nazar

Also known as: SIG37, Nazar

This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers’ ‘Lost in Translation’ leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: ‘khzer’. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.

Introduction

This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers’ ‘Lost in Translation’ leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: ‘khzer’. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • SOUNDBITE
  • Back Orifice
  • Back Orifice 2000
  • Lost Door
  • Windows Remote Desktop

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.