An Iranian advanced persistent threat (APT) actor believed to be affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access broker, providing remote access to targeted networks.
Google-owned Mandiant tracks the activity cluster under the name UNC1860, which it says overlaps with intrusion sets tracked by Microsoft, Cisco Talos and Check Point as Storm-0861 (formerly DEV-0861), Shrouded Snooper and Scarred Manticore, respectively.
“A key feature of the UNC1860 is its set of specialized tools and passive backdoors, which (…) support several purposes, including its role as a likely initial access provider and its ability to gain persistent access to high-priority networks such as those in government and telecommunications space throughout the Middle East,” the company said.
The group first came to light in July 2022 in connection with destructive cyberattacks targeting Albania, which involved a ransomware strain called ROADSWEEP, the CHIMNEYSWEEP backdoor and a ZEROCLEARE wiper variant (aka Cl Wiper), followed by subsequent intrusions in Albania and Israel using new wipers called No-Justice and BiBi (aka BABYWIPER).
Mandiant described UNC1860 as a “robust threat” that maintains an arsenal of passive backdoors designed to infiltrate victims’ networks and establish long-term access without attracting attention.
Among the tools are two GUI malware controllers tracked as TEMPLEPLAY and VIROGREEN, which are said to allow other MOIS-related threat actors to remotely access the victim’s environment via Remote Desktop Protocol (RDP).
In particular, these controllers are designed to give third-party operators an interface with instructions on how a custom payload can be deployed and how post-exploitation activities such as internal scanning can be carried out on the target network.
Mandiant said it found overlaps between UNC1860 and APT34 (aka Hazel Sandstorm, Helix Kitten and OilRig): organizations compromised by the latter in 2019 and 2020 had previously been penetrated by UNC1860, and vice versa. In addition, both clusters have recently been observed targeting Iraq-based entities, as highlighted by Check Point.
Attack chains involve using the initial access gained through opportunistic exploitation of vulnerable internet-facing servers to drop web shells and droppers such as STAYSHANTE and SASHEYAWAY, the latter leading to the execution of implants such as TEMPLEDOOR, FACEFACE and SPARKLOAD embedded within it.
“VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers (CVE-2019-0604),” the researchers said, adding that it controls STAYSHANTE along with a backdoor called BASEWALK.
“The framework provides post-exploitation capabilities including (…) post-exploitation payload control, backdoors (including the STAYSHANTE webshell and the BASEWALK backdoor) and tasks; control of a compatible agent regardless of how the agent was implanted; and command execution and file upload/download.”
TEMPLEPLAY (internally named Client Http), for its part, serves as a .NET-based controller for TEMPLEDOOR. It supports backdoor instructions to execute commands via cmd.exe, upload and download files to and from the infected host, and proxy connections to the target server.
The adversary is believed to have at its disposal a diverse collection of passive tools and main-stage backdoors that serve its objectives of initial access, lateral movement and intelligence gathering.
Some of the other noteworthy tools documented by Mandiant are listed below:
- OATBOAT, a loader that loads and executes shellcode payloads
- TOFUDRV, a malicious Windows driver that overlaps with WINTAPIX
- TOFULOAD, a passive implant that uses undocumented input/output control (IOCTL) commands for communication
- TEMPLEDROP, a repurposed Windows file system filter driver from an Iranian antivirus product called Sheed AV, used to protect the files it deploys from being modified
- TEMPLELOCK, a .NET security evasion utility capable of stopping the Windows Event Log service
- TUNNELBOI, a network controller capable of establishing a connection to a remote host and managing RDP connections
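Two of the behaviours in that list leave traces in the Windows System and Eventlog channels: stopping or disabling the Windows Event Log service (TEMPLELOCK) and installing a new kernel-mode driver service (the TOFUDRV and TEMPLEDROP style of tooling). The following detection sketch is an added example, not Mandiant's code or anything from the report; it runs over constructed event records whose event IDs are the real ones (Service Control Manager 7036, 7040 and 7045, Microsoft-Windows-Eventlog 1100, User32 1074), with parameter positions modelled on those events' EventData layout. The driver path in the sample is a placeholder, not an indicator.

```python
"""Flag Event Log service stop/disable and kernel-driver installation in a
time-ordered stream of Windows event records. Sample events are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class WinEvent:
    ts: datetime
    provider: str      # e.g. "Service Control Manager", "Microsoft-Windows-Eventlog"
    event_id: int
    data: dict = field(default_factory=dict)   # parsed EventData fields

EVENTLOG_NAMES = {"windows event log", "eventlog"}
SHUTDOWN_GRACE = timedelta(seconds=120)   # 1100 within this window of a 1074 is benign

def _is_eventlog(*names: str) -> bool:
    return any(n.lower() in EVENTLOG_NAMES for n in names)

def classify(ev: WinEvent, recent_shutdown: Optional[datetime]) -> Optional[str]:
    """Return an alert label for one event, or None if it is uninteresting."""
    scm = ev.provider == "Service Control Manager"
    d = ev.data
    if ev.provider == "Microsoft-Windows-Eventlog" and ev.event_id == 1100:
        # 1100 "The event logging service has shut down" is also written on a
        # normal shutdown, so suppress it when User32 1074 was seen just before.
        if recent_shutdown and ev.ts - recent_shutdown <= SHUTDOWN_GRACE:
            return None
        return "eventlog-service-shutdown"
    if scm and ev.event_id == 7036 and _is_eventlog(d.get("param1", "")):
        # 7036 "The Windows Event Log service entered the stopped state."
        if d.get("param2", "").lower() == "stopped":
            return "eventlog-service-stopped"
    if scm and ev.event_id == 7040 and _is_eventlog(d.get("param1", ""), d.get("param4", "")):
        # 7040 "The start type of the Windows Event Log service was changed
        # from auto start to disabled." (keeps the service down across reboots)
        if d.get("param3", "").lower() == "disabled":
            return "eventlog-service-disabled"
    if scm and ev.event_id == 7045 and "kernel mode driver" in d.get("ServiceType", "").lower():
        # 7045 "A service was installed in the system." A new kernel driver
        # is rare on a stable host and deserves a look at ImagePath/signer.
        return "kernel-driver-installed"
    return None

def scan(events: list[WinEvent]) -> list[tuple[int, str]]:
    """Classify a time-ordered list; return (index, label) pairs for alerts."""
    alerts: list[tuple[int, str]] = []
    last_shutdown: Optional[datetime] = None
    for i, ev in enumerate(events):
        if ev.provider == "User32" and ev.event_id == 1074:   # shutdown initiated
            last_shutdown = ev.ts
            continue
        label = classify(ev, last_shutdown)
        if label:
            alerts.append((i, label))
    return alerts

# Constructed sample stream (not real telemetry). The driver path is a placeholder.
T0 = datetime(2024, 9, 1, 10, 0, 0)
SCM = "Service Control Manager"
SAMPLE_EVENTS = [
    WinEvent(T0, SCM, 7036, {"param1": "Windows Event Log", "param2": "running"}),
    WinEvent(T0 + timedelta(minutes=5), SCM, 7045,
             {"ServiceName": "PLACEHOLDER_DRV", "ImagePath": r"C:\Windows\System32\drivers\PLACEHOLDER.sys",
              "ServiceType": "kernel mode driver", "StartType": "auto start"}),
    WinEvent(T0 + timedelta(minutes=6), SCM, 7040,
             {"param1": "Windows Event Log", "param2": "auto start", "param3": "disabled", "param4": "EventLog"}),
    WinEvent(T0 + timedelta(minutes=6, seconds=1), SCM, 7036, {"param1": "Windows Event Log", "param2": "stopped"}),
    WinEvent(T0 + timedelta(minutes=6, seconds=2), "Microsoft-Windows-Eventlog", 1100, {}),
    WinEvent(T0 + timedelta(hours=8), "User32", 1074, {"param5": "shutdown"}),          # legitimate shutdown
    WinEvent(T0 + timedelta(hours=8, seconds=10), "Microsoft-Windows-Eventlog", 1100, {}),  # suppressed
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event #{idx}: {label}")
```

The 1100 suppression is the part worth keeping when adapting this: without it, every reboot fires the rule. The inverse is the stronger signal, a 1100 or a 7036 "stopped" for the Event Log service with no 1074 beforehand and no gap in the host's other logs afterwards.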
“As tensions continue to ebb and flow in the Middle East, we believe this actor’s agility in gaining initial access to target environments is a valuable asset to Iran’s cyber ecosystem that can be leveraged to meet challenges that evolve as needs change,” said researchers Stav Shulman, Matan Mimran, Sarah Bock and Mark Lechtik.
The disclosure comes after the US government revealed Iranian threat actors’ ongoing attempts to influence and undermine the upcoming US election by stealing non-public campaign materials belonging to former President Donald Trump.
“Iranian attackers in late June and early July sent unsolicited emails to individuals associated with President Biden’s campaign at the time that contained excerpts of stolen, non-public materials from former President Trump’s campaign as the body of the emails,” the government said.
“There is currently no information on whether these recipients have responded. In addition, Iranian hackers have continued their efforts since June to send stolen non-public materials related to former President Trump’s campaign to the US media.”
Iran’s ramp-up of cyber operations against perceived adversaries also comes at a time when the country is becoming increasingly active in the Middle East.
Late last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian APT Lemon Sandstorm (aka Fox Kitten) had covertly worked with the ransomware groups NoEscape, RansomHouse and BlackCat (aka ALPHV) to carry out ransomware attacks.
Censys analysis of the group’s attack infrastructure has since identified other, currently active hosts that are likely part of it, based on commonalities in geolocation, Autonomous System Numbers (ASNs), identical port patterns and digital certificates.
“Despite attempts at obfuscation, distraction and randomness, people still need to build, manage and decommission digital infrastructure,” Matt Lambright of Censys said.
“These people, even if they rely on technology to generate randomization, will almost always follow some pattern, whether it’s similar autonomous systems, geolocation, hosting providers, software, port allocation, or certificate specifications.”
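The pivot Censys describes, from hosts already attributed to a campaign to other scanned hosts that share ASN, geolocation, port pattern or certificate, is simple enough to show in code. The example below is an added illustration and is not Censys tooling or code from any of the parties named on this page. All host records are constructed: the IPs are RFC 5737 documentation addresses, the ASN is from the RFC 5398 documentation range, the country codes are not real, and the certificate fingerprints are made-up strings. The feature weights and the threshold are this example's own choices.

```python
"""Score scanned hosts by the infrastructure features they share with known
campaign hosts (seeds). Records are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Host:
    ip: str
    asn: int
    country: str
    ports: frozenset          # set of open ports seen by the scanner
    cert_sha256: str          # SHA-256 of the TLS leaf certificate, "" if none

# A reused certificate is close to conclusive on its own; ASN or country alone
# says almost nothing, and an identical port set sits in between.
WEIGHTS = {"cert": 4, "ports": 2, "asn": 1, "country": 1}

def shared_features(a: Host, b: Host) -> set[str]:
    feats: set[str] = set()
    if a.cert_sha256 and a.cert_sha256 == b.cert_sha256:
        feats.add("cert")
    if a.ports and a.ports == b.ports:
        feats.add("ports")
    if a.asn == b.asn:
        feats.add("asn")
    if a.country == b.country:
        feats.add("country")
    return feats

def score(candidate: Host, seeds: Iterable[Host]) -> tuple[int, set[str]]:
    """Best weighted overlap between the candidate and any single seed."""
    best, best_feats = 0, set()
    for s in seeds:
        f = shared_features(candidate, s)
        w = sum(WEIGHTS[x] for x in f)
        if w > best:
            best, best_feats = w, f
    return best, best_feats

def pivot(seeds: list[Host], scan: list[Host], threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Return (ip, score, shared features) for non-seed hosts at or above threshold, best first."""
    seed_ips = {s.ip for s in seeds}
    hits = []
    for h in scan:
        if h.ip in seed_ips:
            continue
        w, f = score(h, seeds)
        if w >= threshold:
            hits.append((h.ip, w, sorted(f)))
    hits.sort(key=lambda t: -t[1])   # stable sort keeps scan order among equal scores
    return hits

# Constructed data: one attributed seed host and a handful of scan results.
SEEDS = [Host("192.0.2.10", 64496, "XX", frozenset({22, 443, 8443}), "aa11-constructed-fingerprint")]
SCAN = [
    Host("198.51.100.5", 64496, "XX", frozenset({22, 443, 8443}), "bb22-other-fingerprint"),  # same ASN, country, ports
    Host("198.51.100.6", 64497, "YY", frozenset({443}), "aa11-constructed-fingerprint"),       # certificate reuse only
    Host("198.51.100.7", 64496, "XX", frozenset({80}), ""),                                     # ASN and country only
    Host("192.0.2.10", 64496, "XX", frozenset({22, 443, 8443}), "aa11-constructed-fingerprint"),# the seed itself
    Host("203.0.113.9", 64499, "ZZ", frozenset({22, 443, 8443}), "cc33-other-fingerprint"),    # port pattern only
]

if __name__ == "__main__":
    for ip, w, feats in pivot(SEEDS, SCAN):
        print(f"{ip}: score {w}, shared {feats}")
```

With these weights a reused certificate flags a host by itself, while ASN plus country plus an identical port set is needed to reach the same score, which matches the order of confidence a practitioner would actually apply: certificates are copied deliberately, port patterns and hosting choices are habits, and geolocation is shared with thousands of unrelated hosts.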