ROADSWEEP
ROADSWEEP is a ransomware that was deployed against Albanian government networks during HomeLand Justice along with the CHIMNEYSWEEP backdoor.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
ROADSWEEP can decrypt embedded scripts prior to execution.[1][2] |
|
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
ROADSWEEP has been placed in the start up folder to trigger execution upon user login.[3] |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
ROADSWEEP can open cmd.exe to enable command execution.[1][3] |
| Enterprise | T1120 | 外围设备发现 |
ROADSWEEP can identify removable drives attached to the victim's machine.[1] |
|
| Enterprise | T1480 | 执行保护 |
ROADSWEEP requires four command line arguments to execute correctly, otherwise it will produce a message box and halt execution.[1][2][3] |
|
| Enterprise | T1486 | 数据加密以实现影响 |
ROADSWEEP can RC4 encrypt content in blocks on targeted systems.[1][2][3] |
|
| Enterprise | T1083 | 文件和目录发现 |
ROADSWEEP can enumerate files on infected devices and avoid encrypting files with .exe, .dll, .sys, .lnk, or . lck extensions.[1][2][3] |
|
| Enterprise | T1489 | 服务停止 | ||
| Enterprise | T1027 | .013 | 混淆文件或信息: Encrypted/Encoded File |
The ROADSWEEP binary contains RC4 encrypted embedded scripts.[1][2][3] |
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
ROADSWEEP can use embedded scripts to remove itself from the infected host.[1][3] |
| Enterprise | T1491 | .001 | 篡改: Internal Defacement |
ROADSWEEP has dropped ransom notes in targeted folders prior to encrypting the files.[3] |
| Enterprise | T1082 | 系统信息发现 |
ROADSWEEP can enumerate logical drives on targeted devices.[1][3] |
|
| Enterprise | T1490 | 系统恢复抑制 |
ROADSWEEP has the ability to disable |
|
| Enterprise | T1559 | 进程间通信 | ||
| Enterprise | T1553 | .002 | 颠覆信任控制: Code Signing |
ROADSWEEP has been digitally signed with a certificate issued to the Kuwait Telecommunications Company KSC.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1001 | HEXANE |
HEXANE probed victim infrastructure in support of HomeLand Justice.[3] |
Campaigns
| ID | Name | Description |
|---|---|---|
| C0038 | HomeLand Justice |
References
- Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.