Iranian APT UNC1860 Linked to MOIS Facilitates Cyber Intrusions in the Middle East
An Iranian advanced persistent threat (APT) actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks.
The group, tracked as UNC1860 by Google-owned Mandiant, overlaps with intrusion sets that Microsoft, Cisco Talos, and Check Point track under the names Storm-0861 (previously DEV-0861), ShroudedSnooper, and Scarred Manticore, respectively.
“What sets UNC1860 apart is its use of specialized tooling and passive backdoors that serve various purposes, including acting as a possible initial access provider and ensuring continuous access to critical networks, particularly those in government and telecommunications sectors in the Middle East,” the company said in its report.
First identified in July 2022 in connection with destructive cyber attacks in Albania that involved the ROADSWEEP ransomware, the CHIMNEYSWEEP backdoor, and a variant of the ZEROCLEARE wiper (also known as Cl Wiper), UNC1860 has since been tied to further attacks against Albania and Israel that used new wipers named No-Justice and BiBi (also known as BABYWIPER).
Mandiant characterizes UNC1860 as a “potent threat actor” that possesses an array of passive backdoors designed to secure entry points into compromised networks and establish undetected long-term access.
Among the tools at its disposal are two GUI-operated malware controllers, TEMPLEPLAY and VIROGREEN, which are used to provide remote access to third-party actors affiliated with MOIS over Remote Desktop Protocol (RDP).
Specifically, these controllers give third-party operators an interface for deploying custom payloads and carrying out post-exploitation activities, such as internal reconnaissance, inside the target network.
Mandiant has also highlighted overlaps between UNC1860 and APT34 (also known as Hazel Sandstorm, Helix Kitten, and OilRig): organizations compromised by APT34 in 2019 and 2020 were later found to have been infiltrated by UNC1860, and vice versa. Both groups have also shifted their focus toward targets based in Iraq, a recent development pointed out by Check Point.
The attack chain begins with initial access obtained through opportunistic exploitation of vulnerable internet-facing servers, which is then used to deploy web shells and droppers such as STAYSHANTE and SASHEYAWAY; the latter leads to the execution of implants such as TEMPLEDOOR, FACEFACE, and SPARKLOAD that are embedded within it.
“VIROGREEN is a custom framework used for exploiting vulnerable SharePoint servers through CVE-2019-0604,” the researchers said, adding that it also controls STAYSHANTE and a backdoor named BASEWALK.
“The framework facilitates post-exploitation tasks, including controlling post-exploitation payloads and backdoors (including the STAYSHANTE web shell and the BASEWALK backdoor) and assigning tasks; managing any compatible agent, regardless of how it was implanted; and executing commands and handling file transfers.”
TEMPLEPLAY (internally named Client Http), on the other hand, is a .NET-based controller for TEMPLEDOOR. It provides backdoor commands to execute tasks through cmd.exe, transfer files to and from the compromised host, and proxy connections to a target server.
The adversary is believed to maintain a diverse set of passive tools and main-stage backdoors that align with its objectives of initial access, lateral movement, and information collection.
Some notable tools documented by Mandiant include –
- OATBOAT, a loader responsible for executing shellcode payloads
- TOFUDRV, a malicious Windows driver that shares similarities with WINTAPIX
- TOFULOAD, a passive implant using undocumented Input/Output Control (IOCTL) commands for communication
- TEMPLEDROP, a repurposed version of the Windows file system filter driver of an Iranian antivirus product named Sheed AV, used to protect the files it deploys from being modified
- TEMPLELOCK, a defense evasion utility in .NET capable of disabling the Windows Event Log service
- TUNNELBOI, a network controller capable of establishing a connection with a remote host and managing RDP connections
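TEMPLELOCK's ability to stop the Windows Event Log service is the kind of defense evasion a defender can hunt for in forwarded logs. The following is an added example, not code from Mandiant's report, that runs a small detection over constructed Windows event records (the sample records, host name and timestamps are invented). It flags Security event 1100 (the event logging service has shut down) when no System event 1074 (a user- or process-initiated shutdown or restart) precedes it within a short window, System event 7040 changing the Windows Event Log service start type to disabled, and the log-cleared events 1102 (Security) and 104 (System). The five-minute window and the message substrings are assumptions to tune per environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class WinEvent:
    """Minimal view of a forwarded Windows event record."""
    time: datetime
    log: str        # "System" or "Security"
    event_id: int
    message: str


# Constructed sample records; not real telemetry from any incident.
SAMPLE_EVENTS = [
    # Graceful reboot: 1074 announces it, then 1100 is the last Security record.
    WinEvent(datetime(2024, 9, 20, 8, 0, 0), "System", 1074,
             "The process C:\\Windows\\system32\\winlogon.exe (HOST1) has initiated the restart of computer HOST1"),
    WinEvent(datetime(2024, 9, 20, 8, 0, 40), "Security", 1100,
             "The event logging service has shut down."),
    # Unrelated service stop; must not fire.
    WinEvent(datetime(2024, 9, 20, 13, 30, 0), "System", 7036,
             "The Print Spooler service entered the stopped state."),
    # Suspicious: start type of the Event Log service flipped to disabled.
    WinEvent(datetime(2024, 9, 20, 13, 36, 0), "System", 7040,
             "The start type of the Windows Event Log service was changed from auto start to disabled."),
    # Suspicious: logging shut down with no shutdown/restart announced beforehand.
    WinEvent(datetime(2024, 9, 20, 13, 37, 0), "Security", 1100,
             "The event logging service has shut down."),
    # Suspicious: Security log cleared.
    WinEvent(datetime(2024, 9, 20, 13, 38, 0), "Security", 1102,
             "The audit log was cleared."),
]

SHUTDOWN_WINDOW = timedelta(minutes=5)   # assumed value; tune per environment


def detect_eventlog_tampering(events, window=SHUTDOWN_WINDOW):
    """Return (time, event_id, reason) tuples for records suggesting the Event Log
    service was stopped, disabled or wiped outside of a normal shutdown."""
    shutdown_times = [e.time for e in events if e.log == "System" and e.event_id == 1074]
    alerts = []
    for e in sorted(events, key=lambda ev: ev.time):
        reason = None
        if e.log == "Security" and e.event_id == 1100:
            # Expected once per graceful shutdown, shortly after a 1074; suspicious otherwise.
            if not any(timedelta(0) <= e.time - t <= window for t in shutdown_times):
                reason = "event logging service shut down without a preceding 1074 shutdown/restart"
        elif (e.log == "System" and e.event_id == 7040
              and "Windows Event Log" in e.message and "disabled" in e.message):
            reason = "Windows Event Log service start type changed to disabled"
        elif e.log == "Security" and e.event_id == 1102:
            reason = "Security log cleared"
        elif e.log == "System" and e.event_id == 104:
            reason = "System log cleared"
        if reason:
            alerts.append((e.time, e.event_id, reason))
    return alerts


if __name__ == "__main__":
    for when, eid, why in detect_eventlog_tampering(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {eid:<5} {why}")
```

On a live host the same records can be pulled with `wevtutil qe System /q:"*[System[(EventID=1074 or EventID=7040 or EventID=104)]]" /f:text` and `wevtutil qe Security /q:"*[System[(EventID=1100 or EventID=1102)]]" /f:text`. Note that nothing is recorded while the service is down, so a gap between the last record before a stop and the next "service entered the running state" record is itself the strongest signal; forward events to a collector so the gap is visible from outside the host.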
“As tensions persist in the Middle East,” researchers Stav Shulman, Matan Mimran, Sarah Bock, and Mark Lechtik said, “this actor's skillful ability to gain initial access to target environments is a valuable asset for the Iranian cyber ecosystem, one that can be leveraged to achieve evolving goals as priorities change.”
The development comes as the U.S. government has disclosed ongoing efforts by Iranian threat actors to interfere in the upcoming U.S. elections, including by stealing non-public material from the campaign of former President Donald Trump.
The government stated that “Iranian cyber criminals sent unwanted emails to individuals associated with President Biden’s campaign in late June and early July, embedding content stolen from former President Trump’s campaign in the messages.”
Those attempts have continued since the June emails, with the Iranian actors sending additional stolen Trump campaign material to U.S. media outlets.
Iran's escalating cyber activity against its adversaries coincides with its growing footprint in the Middle East region.
In a recent advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian APT Lemon Sandstorm (also known as Fox Kitten) had facilitated ransomware attacks by covertly collaborating with the NoEscape, RansomHouse, and BlackCat (aka ALPHV) crews.
A follow-up investigation by Censys uncovered additional active hosts linked to the group, identifiable through shared geolocation, ASNs, and similar port and certificate patterns.
Censys’ Matt Lembright acknowledged that “even amidst obfuscation efforts, humans in the end must establish, operate, and deactivate digital infrastructure. These human actions, aided by technology for randomness, still exhibit patterns such as common ASNs, hosting providers, locations, software, port allocations, or certificate attributes.”
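The pattern-based pivoting Lembright describes can be written down as a scoring rule. The following added example (my own code, not Censys tooling or its API) takes a seed host and a set of candidate host records and ranks the candidates by how many fingerprint attributes they share with the seed: ASN, exact open-port set, certificate issuer, certificate subject, and certificate lifetime in days. It also groups hosts whose full fingerprint is identical. All hosts, ASNs and certificate fields are constructed from documentation ranges (RFC 5737 addresses, RFC 5398 ASNs); the attribute list and the threshold of three shared attributes are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    """Subset of what a scan-data export typically carries per host."""
    ip: str
    asn: int
    ports: frozenset          # open ports observed
    cert_issuer: str          # issuer DN of the leaf certificate
    cert_subject: str         # subject DN of the leaf certificate
    cert_not_before: date
    cert_not_after: date


def fingerprint(h):
    """Attributes operators tend to reuse across infrastructure
    (this attribute choice is an assumption, not a Censys rule)."""
    return {
        "asn": h.asn,
        "ports": tuple(sorted(h.ports)),
        "cert_issuer": h.cert_issuer,
        "cert_subject": h.cert_subject,
        "cert_lifetime_days": (h.cert_not_after - h.cert_not_before).days,
    }


def pivot(seed, candidates, min_shared=3):
    """Rank candidates by the number of fingerprint attributes shared with seed.
    Returns (ip, score, shared_attribute_names) tuples, best match first."""
    seed_fp = fingerprint(seed)
    ranked = []
    for h in candidates:
        if h.ip == seed.ip:
            continue
        shared = [k for k, v in fingerprint(h).items() if v == seed_fp[k]]
        if len(shared) >= min_shared:
            ranked.append((h.ip, len(shared), shared))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def cluster_by_fingerprint(hosts):
    """Group hosts whose full fingerprint is identical (likely one deployment template)."""
    groups = defaultdict(list)
    for h in hosts:
        groups[tuple(sorted(fingerprint(h).items()))].append(h.ip)
    return dict(groups)


# Constructed sample data using documentation IP ranges and ASNs; not real hosts.
SELF_SIGNED = "CN=localhost"
SEED = Host("192.0.2.10", 64496, frozenset({443, 8443}), SELF_SIGNED, SELF_SIGNED,
            date(2024, 1, 1), date(2024, 12, 31))
CANDIDATES = [
    # Same ASN, ports and self-signed cert template as the seed: strongest match.
    Host("192.0.2.25", 64496, frozenset({443, 8443}), SELF_SIGNED, SELF_SIGNED,
         date(2024, 1, 1), date(2024, 12, 31)),
    # Different hosting provider, same port and certificate habits.
    Host("198.51.100.7", 64497, frozenset({443, 8443}), SELF_SIGNED, SELF_SIGNED,
         date(2024, 2, 1), date(2025, 1, 31)),
    # Same provider and certificate habits, different port set.
    Host("198.51.100.9", 64496, frozenset({22, 443}), SELF_SIGNED, SELF_SIGNED,
         date(2024, 3, 1), date(2025, 3, 1)),
    # Ordinary web server with a public CA certificate: no overlap.
    Host("203.0.113.3", 64500, frozenset({80, 443}), "CN=R3,O=Let's Encrypt,C=US",
         "CN=www.example.org", date(2024, 1, 1), date(2024, 3, 31)),
]


if __name__ == "__main__":
    for ip, score, shared in pivot(SEED, CANDIDATES):
        print(f"{ip:<14} score={score} shared={','.join(shared)}")
    for fp, ips in cluster_by_fingerprint([SEED] + CANDIDATES).items():
        if len(ips) > 1:
            print("identical fingerprint:", ", ".join(ips))
```

Raising `min_shared` trades recall for precision: a single shared ASN or port set is common across unrelated hosts on the same provider, while a self-signed certificate template plus matching lifetime across providers is the kind of reuse the quote describes. Any hit still needs manual confirmation before it is treated as actor infrastructure.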