ROADSWEEP Ransomware – Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations

ROADSWEEP encrypts files across discovered drives using RC4 and marks them with a .lck extension, then performs a wipe with a self-delete to cover its tracks. The activity is part of a broader campaign involving ZEROCLEAR and CHIMNEYSWEEP, tied to a politically motivated operation against Albanian government organizations by an Iranian threat actor. #ROADSWEEP #CHIMNEYSWEEP #ZEROCLEAR #APT41 #AlbanianGovernment #IranianThreatActor

Keypoints

  • ROADSWEEP enumerates drives and encrypts files by RC4, renaming them with a “.lck” extension and preserving file timestamps for later use.
  • For each root directory, ROADSWEEP creates a ransom note and encrypts files matching an extracted extension list.
  • ZEROCLEAR is a disruptive payload that corrupts the file system via the RawDisk driver and supports command-line options to wipe, to install or uninstall the driver, or to wipe only non-system drives.
  • CHIMNEYSWEEP uses a signed dropper and a cabinet-based self-extracting installer; it relies on CMSTP to install the backdoor and uses RC4-encrypted payloads with in-memory loading to evade detection.
  • The CHIMNEYSWEEP backdoor provides capabilities such as screenshots, file collection, keylogging, and a reverse shell, with C2 domains including telegram-update.com, avira.ltd, and windowsupadates.com.
  • Attribution points to an Iranian threat actor targeting Albanian government organizations, with links to APT41-leaning behavior and use of a now-revoked Atheros signing certificate.
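A defender-side hunt for the behaviour described in the first two keypoints (a burst of renames to “.lck” across many extensions, plus a note dropped in a drive root). This is an added example, not code from the Mandiant report; the telemetry records, their field layout, the note file name and the thresholds are all constructed assumptions.

```python
"""Hunt for ROADSWEEP-style mass renames to ".lck" in file-event telemetry.
Added example; record layout (ts, pid, op, src, dst) is an assumed generic schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample: pid 900 is benign, pid 4120 behaves like ROADSWEEP.
SAMPLE_EVENTS = [
    ("2022-07-17T10:00:00", 900, "rename", r"D:\data\old.log", r"D:\data\old.log.bak"),
    ("2022-07-17T10:00:01", 4120, "rename", r"C:\Users\a\report.docx", r"C:\Users\a\report.docx.lck"),
    ("2022-07-17T10:00:01", 4120, "rename", r"C:\Users\a\budget.xlsx", r"C:\Users\a\budget.xlsx.lck"),
    ("2022-07-17T10:00:02", 4120, "rename", r"C:\Users\a\photo.jpg", r"C:\Users\a\photo.jpg.lck"),
    ("2022-07-17T10:00:02", 4120, "rename", r"C:\Users\a\notes.txt", r"C:\Users\a\notes.txt.lck"),
    ("2022-07-17T10:00:03", 4120, "create", r"C:\RANSOM_NOTE.txt", None),  # placeholder note name
]

def detect_roadsweep_like(events, min_renames=3, window=timedelta(seconds=60)):
    """Return one alert per pid that renames >= min_renames files to .lck within
    `window`. Each alert also lists the distinct source extensions hit and any
    file the same pid created directly in a drive root (ransom-note heuristic)."""
    renames = defaultdict(list)      # pid -> [(timestamp, original extension)]
    root_creates = defaultdict(set)  # pid -> {file names created in a drive root}
    for ts, pid, op, src, dst in events:
        when = datetime.fromisoformat(ts)
        if op == "rename" and dst.lower().endswith(".lck"):
            renames[pid].append((when, PureWindowsPath(src).suffix.lower()))
        elif op == "create":
            p = PureWindowsPath(src)
            if p.parent == PureWindowsPath(p.anchor):   # parent is e.g. C:\ itself
                root_creates[pid].add(p.name)
    alerts = []
    for pid, hits in renames.items():
        hits.sort()
        for i in range(len(hits)):
            # sliding window anchored at hit i: how many .lck renames follow within `window`?
            burst = [h for h in hits[i:] if h[0] - hits[i][0] <= window]
            if len(burst) >= min_renames:
                alerts.append({"pid": pid, "lck_renames": len(burst),
                               "extensions": sorted({h[1] for h in burst}),
                               "root_notes": sorted(root_creates[pid])})
                break  # one alert per pid is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_roadsweep_like(SAMPLE_EVENTS):
        print(alert)
```

Tune `min_renames` and `window` to the host's normal rename rate; the root-directory note check is a weak signal on its own and is only reported alongside a rename burst.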

MITRE Techniques

  • [T1083] File and Directory Discovery – The ransomware enumerates the file system using FindFirstFileW and FindNextFileW APIs to locate files for encryption.
    “This thread enumerates the file system using the Windows FindFirstFileW and FindNextFileW APIs.”
  • [T1486] Data Encrypted for Impact – Files are encrypted in chunks with RC4 and overwritten on disk after selection by extension.
    “The encryption process takes place by renaming the file with the “.lck” extension… chunking the file’s content into blocks… encrypt the chunk using RC4, and then overwrite the file to disk.”
  • [T1070.004] File Deletion – A self-delete script is executed after encryption/wipe to remove traces.
    “Following this, the aforementioned self-delete script is executed.”
  • [T1218.011] Signed Binary Proxy Execution: CMSTP – The CHIMNEYSWEEP dropper uses CMSTP to install the backdoor, leveraging a signed payload.
    “The dropper is a signed version of a Windows Cabinet self-extracting file… The legitimate cmstp.exe will then be executed on the host which executes the backdoor.”
  • [T1053.005] Scheduled Task – The payload employs a SilentCleanup scheduled task as part of privilege-escalation/persistence.
    “This technique uses a Windows ‘SilentCleanup’ scheduled task.”
  • [T1059.001] PowerShell – If the loader cannot resolve certain exports, it reverts to invoking PowerShell to execute the second payload.
    “If the payload can’t resolve the export CP from the loader, it reverts to invoking PowerShell with the following command…”
  • [T1059.003] Windows Command Shell – The backdoor uses Windows command execution paths and includes a reverse shell capability for attacker access.
    “Reverse shell: Contains a reverse shell which can be utilised by the attacker.”
  • [T1071.001] Web Protocols – CHIMNEYSWEEP communicates with C2 domains (web protocols) for control and data exfiltration.
    “C&C servers: telegram-update.com, avira.ltd, windowsupadates.com.”
  • [T1548.002] Bypass User Account Control – The access chain includes privilege-escalation techniques and UAC bypass mechanisms (e.g., the SilentCleanup scheduled task and in-memory payloads).
    “If the payload can’t resolve the export… execute PowerShell… to obtain administrator privileges.”

Indicators of Compromise

  • [File Hash] df9ab47726001883b5fcf58b56b34b41 – CHIMNEYSWEEP sample (not available for analysis); used by backdoor components. Two more hashes are available in the dataset.
  • [File Hash] 8c8bbe3a4a23cd4cc96c12af5fb1199b – Installed by unpack.exe (MD5 shown); CHIMNEYSWEEP backdoor component.
  • [File Hash] 19068e8228b6b8f5528489fa70779b2b – Contained in wextract.exe.mui; CHIMNEYSWEEP artifact.
  • [File Hash] f3c977830bf616b9061d7aee5ce0b2f2 – CHIMNEYSWEEP backdoor component (AppxProviders.dll).
  • [File Hash] 7f6db4493c6a76eb44534306291ea85f – CHIMNEYSWEEP AppxProviders.dll backdoor component.
  • [File Hash] 3a1033cb1eb06c2cd5e91c539cf8a519 – CHIMNEYSWEEP AppxProviders.dll backdoor component.
  • [Domain] telegram-update.com – C2 domain used by CHIMNEYSWEEP backdoor; also observed avira.ltd and windowsupadates.com as C2 endpoints.
  • [Domain] avira.ltd – C2 domain used by CHIMNEYSWEEP backdoor; aligns with multiple C2 server listings.
  • [Domain] windowsupadates.com – C2 domain used by CHIMNEYSWEEP backdoor; observed in several samples.
  • [File Path] C:\ProgramData\Microsoft Installer\{EA2C6B24-C590-457B-BAC8-4A0F9B13B5B8}\Force – Dropped installer artifact for CHIMNEYSWEEP.
  • [File Path] C:\Windows\System32\smss.exe – Path mentioned in the dropper’s time-stamp manipulation and dropper behavior.

Read more: https://www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against