An Iranian advanced persistent attack (APT) cybercriminal group, likely affiliated with the Ministry of Intelligence and Security (MOIS), Now acts as an initial access facilitator, providing remote access to targeted networks; Mandiant, a Google-owned company, is tracking this cluster of activity under the name UNC1860, which shares similarities with sets of intrusions tracked by Microsoft, Cisco Talos, and Check Point, known respectively as Storm-0861 (formerly DEV-0861), ShroudedSnooper And Scarred Manticore.
UNC1860: what are its objectives?
“A key feature of UNC1860 is its collection of specialized tools and passive backdoors that […] support several objectives, including the role of likely initial access provider and the ability to gain persistent access to high-priority networks, such as those in the government and telecommunications sectors across the Middle East“, has declared the company.
The group first emerged in July 2022 in relation to destructive cyber attacks against Albania, which used a ransomware called ROADSWEEP, the CHIMNEYSWEEP backdoor, and a wiper variant called ZEROCLEAR (also known as Cl Wiper); subsequent intrusions In Albania and Israel they have employed new wipers called No-Justice and BiBi (also known as BABYWIPER).
Mandiant described UNC1860 as a “formidable group of cyber criminals” which maintains an arsenal of passive backdoors designed to gain entry points into victims’ networks and establish long-term access without attracting attention.
Among these tools are two GUI-operated malware controllers, known as TEMPLEPLAY and VIROGREEN, which are said to provide other MOIS-affiliated cybercriminals with remote access to victims’ environments using the Remote Desktop Protocol (RDP).
Specifically, these controllers are designed to provide third-party operators with an interface that provides instructions on how to deploy custom payloads and conduct post-exploitation activities, such as internal scanning, within the target network.
UNC1860 and the connection with other groups
Mandiant said it identified overlaps between UNC1860 and APT34 (also known as Hazel Sandstorm, Helix Kitten, and OilRig), as organizations compromised by the latter in 2019 and 2020 had previously been infiltrated by UNC1860, and vice versa. Additionally, both groups were observed targeting targets in Iraq, such as recently highlighted from Check Point.
The attack chains involve opportunistic exploitation of vulnerable servers exposed to the Internet to gain initial access, using web shells and droppers such as STAYSHANTE and SASHEYAWAY, and the latter leads to the execution of systems such as TEMPLEDOOR, FACEFACE and SPARKLOAD, which are incorporated into it.
“VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with the vulnerability CVE-2019-0604“. the researchers said, adding that it controls STAYSHANTE, along with a backdoor known as BASEWALK, which they later added: “The framework offers post-exploitation capabilities, including […] control of post-exploitation payloads, backdoors (including the STAYSHANTE web shell and the BASEWALK backdoor), and tasking; control of a compatible agent, regardless of how the agent was implanted; and executing commands, uploading/downloading files.“
TEMPLEPLAY (internally called Http Client), for its part, acts as a .NET-based controller for TEMPLEDOOR. It supports instructions to execute commands via cmd.exe, upload/download files from the infected host, and establish a proxy connection to a target server.
The adversary is believed to possess a diverse collection of leading passive and backdoor tools that are aligned to its objectives of initial access, lateral movement, and intelligence gathering.
Other tools used by UNC1860
Some of the other tools documented by Mandiant are listed below:
- OATBOATa loader that loads and executes shellcode payloads
- TOFUDRVa malicious Windows driver that overlays WINTAPIX
- TOFULOADa passive system that uses undocumented Input/Output Control (IOCTL) commands for communication
- TEMPLEDROPa repurposed version of a file system filter driver from an Iranian antivirus called Sheed AV, used to protect the files it distributes from modifications
- TEMPLELOCKa .NET-based defensive evasion utility that can stop the Windows Event Log service
- TUNNELBOIa network controller capable of establishing a connection to a remote host and managing RDP connections.
“As tensions continue to ebb and flow in the Middle East, we believe this hacker group’s ability to gain initial access to target environments represents a valuable asset to the Iranian cyber ecosystem, exploitable to respond to evolving objectives as needs change“, said researchers Stav Shulman, Matan Mimran, Sarah Bock and Mark Lechtik.
Further developments in the UNC1860 affair
The development comes as the US government has revealed the attempts in progress by Iranian groups to influence and undermine the upcoming US election by stealing non-public material from former President Donald Trump’s campaign.
“Iranian cybercriminals in late June and early July sent unsolicited emails to individuals then associated with President Biden’s campaign containing an excerpt from stolen, non-public campaign materials of former President Trump as text in the emails.“, has said the government, adding: “There is currently no information to indicate that those recipients have responded. Additionally, Iranian cybercriminals have continued their efforts since June to send stolen, non-public material associated with former President Trump’s campaign to U.S. media outlets..”
Iran’s Escalation of Cyber Attack Operations Against Its Perceived Rivals It also comes at a time when the country has become increasingly active in the Middle East region.
Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian APT Lemon Sandstorm (also known as Fox Kitten) conducted ransomware attacks by clandestinely collaborating with the NoEscape, RansomHouse, and BlackCat (also known as ALPHV) groups.
Censys’ analysis of the attack infrastructure of this hacker group later revealed other active hosts, likely part of it, based on commonalities of geolocation, autonomous system numbers (ASN), and identical port and digital certificate patterns.
“Despite attempts at obfuscation, diversion, and randomness, humans must still create, maintain, and decommission digital infrastructure.“, has said Matt Lembright of Censys, concluding: “Those humans, even if they rely on technology to create randomness, will almost always follow some kind of pattern, whether similar across autonomous systems, geolocations, hosting providers, software, port distributions, or certificate characteristics.“
#UNC1860 #Iranian #APT #Group #Facilitates #Cyber #Intrusions
