Iranian Hackers Using “Mamba” Ransomware?

Are Iranian hackers using the “Mamba” ransomware (or possibly behind the ransomware itself)? It seems unclear, but an article in November by Brian Krebs indicates there could be a connection.

What is Mamba?

According to Sophos, the Mamba ransomware scrambles every disk sector, including the Master File Table (MFT), the operating system, all applications, files and all personal data. Mamba installs the DiskCryptor Full Disk Encryption (FDE) tool (this type of software asks for a password at boot, then decrypts every sector as it is read and encrypts every sector as it is written).

The details

The infection vector Mamba uses is not known exactly, but it probably relies on social engineering in the form of an email link for a user to click on.

If a user does stupidly cause the Mamba ransomware to be downloaded, then on a Windows system they would see the User Account Control (UAC) prompt appear asking to install MAMBA.EXE (!). If the software is allowed to install, what happens next is:

  • Mamba installs itself as a Windows service (called DefragmentationService) running with local SYSTEM privileges.
  • The computer then reboots.
  • After the reboot, Mamba installs DiskCryptor, which is located in the directory C:\DC22.
  • At this stage the user can still recover the computer (the encryption is not complete): using the DCRYPT utility and selecting the Decrypt option, the user can see the password in plaintext in the file called log_file.txt! However, if the user allows the computer to reboot beforehand, the computer will be fully encrypted and the user has no way to know the password.

On older Windows systems using a Master Boot Record (MBR) on the hard drive, you will see something similar to what the Petya ransomware displays; on newer Windows systems, you won't see the message. In both cases your only option is to wipe the hard drive; all data is gone.
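The sequence above gives a defender a narrow window (between the DiskCryptor install and the second reboot) in which the host can still be saved. The following PowerShell triage script is an added example, not code from the original post, Sophos or Krebs: it checks a Windows host for the indicators the post names (the DefragmentationService service, the C:\DC22 directory and its log_file.txt) and preserves a copy of the password log before anything reboots. The process names mamba and dcrypt are assumptions derived from the executable names mentioned above; the Test-MambaIndicators function name is mine.

```powershell
# Added example (not from the original post): triage a Windows host for the
# Mamba indicators described above. Run from an elevated PowerShell session.
function Test-MambaIndicators {
    $indicators = [ordered]@{
        ServiceName = 'DefragmentationService'   # service name Mamba registers (per the post)
        DropDir     = 'C:\DC22'                  # DiskCryptor install directory (per the post)
        LogFile     = 'C:\DC22\log_file.txt'     # plaintext password, present until the second reboot (per the post)
        Processes   = @('mamba', 'dcrypt')       # ASSUMPTION: derived from MAMBA.EXE / DCRYPT named above
    }

    $findings = @()

    # 1. Is the service registered, and which binary and account does it run as?
    $svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='$($indicators.ServiceName)'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service '$($svc.Name)' present: State=$($svc.State) " +
                     "StartName=$($svc.StartName) PathName=$($svc.PathName)"
    }

    # 2. Does the DiskCryptor drop directory exist? List its contents with timestamps
    #    so the installation time can be placed on the incident timeline.
    if (Test-Path -LiteralPath $indicators.DropDir) {
        $findings += "Directory $($indicators.DropDir) exists"
        Get-ChildItem -LiteralPath $indicators.DropDir -Force | ForEach-Object {
            $findings += ('  {0,-24} {1,10} bytes  modified {2}' -f $_.Name, $_.Length, $_.LastWriteTime)
        }
    }

    # 3. If the password log is still on disk, copy it out immediately: once the
    #    host reboots the disk is fully encrypted and the file is unreachable.
    if (Test-Path -LiteralPath $indicators.LogFile) {
        $backup = Join-Path $env:TEMP ('mamba_log_file_{0:yyyyMMdd_HHmmss}.txt' -f (Get-Date))
        Copy-Item -LiteralPath $indicators.LogFile -Destination $backup
        $findings += "Password log found; copy preserved at $backup (do NOT reboot this host)"
    }

    # 4. Are the installer or DiskCryptor processes currently running?
    $procs = Get-Process -Name $indicators.Processes -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings += "Process $($p.ProcessName) (PID $($p.Id)) running from $($p.Path)"
    }

    if ($findings.Count -eq 0) {
        return 'No Mamba indicators found on this host.'
    }
    return $findings
}

Test-MambaIndicators
```

The script only reads and copies; it deliberately does not stop the service or kill processes, because the right response once the password log is preserved is to isolate the host from the network and hand it to incident response rather than to let an automated script alter the evidence.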

The link with Iran

The blog of Brian Krebs (krebsonsecurity.com) shows that Iranians may have used Mamba against targets, including the San Francisco Municipal Transportation Agency (SFMTA). Fare station terminals displayed the message, “You are Hacked. ALL Data Encrypted.” The message stated that the key to decrypt the computers could be obtained by contacting the email address cryptom27@yandex.com.

According to Krebs, the email address cryptom27@yandex.com was hacked by another hacker, who found that the same credentials worked for the cryptom2016@yandex email account. A server identified as being used by the owner of the cryptom2016 account was used to scan the Internet for various vulnerabilities, including in Oracle products, especially the “Weblogic unserialize exploit” and the Primavera project portfolio management software.

The server used to launch the Oracle vulnerability scans had detailed logs of the date, time and Internet address of each login. A review of the more than 300 Internet addresses used to administer the server revealed that it had been controlled almost exclusively from Internet addresses in Iran.

The attack server logs also included the web links or IP addresses of each victim server, listing the hacked credentials, with notes made next to each victim by the attacker. The notes appeared to be transliterated Farsi.

User account names on the attack server held other clues of Iranian involvement, such as “Alireza” and “Mokhi.” Alireza may pertain to Ali Reza, the seventh descendant of the prophet Muhammad. However… these are common names in and around Iran and could also indicate surrounding countries of origin (such names are also popular in Turkey and the Arab world).

I would say, knowing what my country is capable of, that the Iranian state or Iranian cyber criminals ARE involved in using Mamba ransomware to extort money to further other cyber activities.


New Phishing Campaign Targets LinkedIn Account Holders

The site hoax-slayer.com is warning of new phishing emails targeting LinkedIn users, which aim to trick recipients into clicking on a link by claiming that their LinkedIn accounts have been blocked due to inactivity.

The phishing email states: “To ensure that your online services with LinkedIn will no longer be interrupted / You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.”

Recipients who click on the link in the email are taken to a fraudulent LinkedIn login page designed to harvest email addresses and passwords.

LinkedIn users should always be wary of any unsolicited emails claiming to come from the company. LinkedIn is obviously a rich source of personal information which can be exploited for further social engineering attacks, which could prove costly both to the individuals and to the organizations concerned.

Operation Saffron Rose

The Ajax Security Team, which has been targeting both US defense companies and targets in Iran, is using popular anti-censorship tools to bypass internet censorship controls in the country.

This group, which has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard, has engaged in website defacements since 2010. However, by 2014 the group had transitioned to malware-based espionage, using methodology consistent with other advanced persistent threats in this region.

It is unclear if the Ajax Security Team operates in isolation or is part of a larger coordinated effort. We observed that this group uses varied social engineering tactics to lure targets into infecting themselves with malware. They use malware tools that do not appear to be publicly available. Although we did not see the use of exploits to infect victims, members of the Ajax Security Team previously used exploit code in website defacement operations.

The objectives of this group are consistent with Iran’s efforts to control political dissent and expand offensive cyber capabilities, but we believe that members of the group may also be involved in traditional cybercrime. This indicates that there is a considerable gray area between the cyber espionage capabilities of Iranian hacker groups and any direct Iranian government or military involvement.

Although the Ajax Security Team’s capabilities remain unclear, we believe that their current operations are somewhat successful. We assess that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.