Albanian Government Organizations Targeted By Possible Iranian Threat Actors

Mandiant identified a new ransomware family dubbed ROADSWEEP which drops a politically themed ransom note suggesting it targeted the Albanian government.
In addition, a front named “HomeLand Justice” claimed credit for the disruptive activity that affected Albanian government websites and citizen services on July 18, 2022.
The “HomeLand Justice” front posted a video of the ransomware being executed on its website and Telegram channel alongside alleged Albanian government documents and residence permits of ostensible members of the Mujahedeen-e-Khalq/People’s Mojahedin Organization of Iran (MEK, also known as MKO or PMOI), an Iranian opposition organization that was formerly designated as a terrorist group by the U.S.
Department of State.

Mandiant further identified CHIMNEYSWEEP, a backdoor that uses either Telegram or actor-owned infrastructure for command-and-control and is capable of taking screenshots, listing and collecting files, spawning a reverse shell, and supports keylogging functionality.
CHIMNEYSWEEP shares code with ROADSWEEP and based on observed decoy content has likely been used to target Farsi and Arabic speakers as far back as 2012.

CHIMNEYSWEEP and ROADSWEEP share multiple code overlaps, including identical dynamic API resolution code.
The shared code includes an embedded RC4 key to decrypt Windows API function strings at run time, which are resolved using LoadLibrary and GetProcAddress calls once decrypted.
Both capabilities also share the same Base64 custom alphabet, one used to encode the decryption key, the other for command and control.
Both CHIMNEYSWEEP and ROADSWEEP use the RC4 key “8c e4 b1 6b 22 b5 88 94 aa 86 c4 21 e8 75 9d f3” and the custom Base64 alphabet “wxyz0123456789.-JKLMNOPghijklmnopqrstuvQRSTUVWXYZabcdefABCDEFGHI”.

CHIMNEYSWEEP is dropped by a self-extracting archive signed with a valid digital certificate alongside either an Excel, Word, or video file which are likely used as benign decoy documents.
However, these documents do not appear to be automatically opened when CHIMNEYSWEEP is executed.
The decoy documents have included Arabic-language lists of names, ostensibly of individuals in Lebanon, and a figure of Massoud Rajavi, the former leader of the Mujahedeen-e-Khalq (MEK), an Iranian opposition group

One day after the Albanian government announcement of the disruptive activity, an Albanian user submitted a ZEROCLEAR wiper payload to a public malware repository.
The ZEROCLEAR payload takes in command line arguments from the operator and results in corruption of the file system using the RawDisk driver.

While MANDIANT is unable to independently prove or disprove whether the ZEROCLEAR sample was used in this or any disruptive operation, the malware has previously been publicly reported to have links to Iran-nexus threat actors deploying it in support of disruptive activity in the Middle East as recently as 2020.