Cyber Defense Advisors

Iranian APT UNC1860 Linked to MOIS Facilitates Cyber Intrusions in Middle East

An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks.

Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and Check Point as Storm-0861 (formerly DEV-0861), ShroudedSnooper, and Scarred Manticore, respectively.

“A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that […] supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East,” the company said.

The group first came to light in July 2022 in connection with destructive cyber attacks targeting Albania with a ransomware strain called ROADSWEEP, the CHIMNEYSWEEP backdoor, and a ZEROCLEAR wiper variant (aka Cl Wiper), with subsequent intrusions in Albania and Israel leveraging new wipers dubbed No-Justice and BiBi (aka BABYWIPER).

Mandiant described UNC1860 as a “formidable threat actor” that maintains an arsenal of passive backdoors that are designed to obtain footholds into victim networks and set up long-term access without attracting attention.

Among these tools includes two GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN, which are said to provide other MOIS-associated threat actors with remote access to victim environments using remote desktop protocol (RDP).

Specifically, these controllers are designed to provide third-party operators an interface that offers instructions on the ways custom payloads could be deployed and post-exploitation activities such as internal scanning could be carried out within the target network.

Mandiant said it identified overlaps between UNC1860 and APT34 (aka Hazel Sandstorm, Helix Kitten, and OilRig) in that organizations compromised by the latter in 2019 and 2020 were previously infiltrated by UNC1860, and vice versa. Furthermore, both the clusters have been observed pivoting to Iraq-based targets, as recently highlighted by Check Point.

The attack chains involve leveraging initial access gained by opportunistic exploitation of vulnerable internet-facing servers to drop web shells and droppers like STAYSHANTE and SASHEYAWAY, with the latter leading to the execution of implants, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, that are embedded within it.

“VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604,” the researchers said, adding that it controls STAYSHANTE, along with a backdoor referred to as BASEWALK.

“The framework provides post-exploitation capabilities including […] controlling post-exploitation payloads, backdoors (including the STAYSHANTE web shell and the BASEWALK backdoor) and tasking; controlling a compatible agent regardless of how the agent has been implanted; and executing commands and uploading/downloading files.

TEMPLEPLAY (internally named Client Http), for its part, serves as the .NET-based controller for TEMPLEDOOR. It supports backdoor instructions for executing commands via cmd.exe, upload/download files from and to the infected host, and proxy connection to a target server.

It’s believed that the adversary has in its possession a diverse collection of passive tools and main-stage backdoors that align with its initial access, lateral movement, and information gathering goals.

Some of the other tools of note documented by Mandiant are listed below –

OATBOAT, a loader that loads and executes shellcode payloads
TOFUDRV, a malicious Windows driver that overlaps with WINTAPIX
TOFULOAD, a passive implant that employs undocumented Input/Output Control (IOCTL) commands for communication
TEMPLEDROP, a repurposed version of an Iranian antivirus software Windows file system filter driver named Sheed AV that’s used to protect the files it deploys from modification
TEMPLELOCK, a .NET defense evasion utility that’s capable of killing the Windows Event Log service
TUNNELBOI, a network controller capable of establishing a connection with a remote host and managing RDP connections

“As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift,” researchers Stav Shulman, Matan Mimran, Sarah Bock, and Mark Lechtik said.

The development comes as the U.S. government revealed Iranian threat actors’ ongoing attempts to influence and undermine the upcoming U.S. elections by stealing non-public material from former President Donald Trump’s campaign.

“Iranian malicious cyber actors in late June and early July sent unsolicited emails to individuals then associated with President Biden’s campaign that contained an excerpt taken from stolen, non-public material from former President Trump’s campaign as text in the emails,” the government said.

“There is currently no information indicating those recipients replied. Furthermore, Iranian malicious cyber actors have continued their efforts since June to send stolen, non-public material associated with former President Trump’s campaign to U.S. media organizations.”

Iran’s ramping up of its cyber operations against its perceived rivals also comes at a time when the country has become increasingly active in the Middle East region.

Late last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian APT Lemon Sandstorm (aka Fox Kitten) has carried out ransomware attacks by clandestinely partnering with NoEscape, RansomHouse, and BlackCat (aka ALPHV) crews.

Censys’ analysis of the hacking group’s attack infrastructure has since uncovered other, currently active hosts that are likely part of it based on commonalities based on geolocation, Autonomous System Numbers (ASNs), and identical patterns of ports and digital certificates.

“Despite attempts at obfuscation, diversion, and randomness, humans still must instantiate, operate, and decommission digital infrastructure,” Censys’ Matt Lembright said.

“Those humans, even if they rely upon technology to create randomization, almost always will follow some sort of pattern whether it be similar Autonomous Systems, geolocations, hosting providers, software, port distributions or certificate characteristics.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.