Description
[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)
Techniques Used (TTPs)
- T1056.001 — Keylogging (collection, credential-access)
- T1113 — Screen Capture (collection)
- T1070.004 — File Deletion (defense-evasion)
- T1027.013 — Encrypted/Encoded File (defense-evasion)
Total TTPs: 4