Nation-State

Iranian APT Operating as Initial Access Provider to Networks in the Middle East

Iranian state-sponsored threat actor UNC1860 is operating as an initial access provider to high-profile networks in the Middle East.

Mandiant has dived into the operations of UNC1860, an Iranian advanced persistent threat (APT) actor that appears to act as an initial access provider to high-profile networks in the Middle East.

Mandiant says UNC1860, likely an opportunistic state-sponsored hacking group targeting government and telecommunications entities in the Middle East, shows similarities with other Iran-linked threat actors and appears to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

The group’s arsenal includes specialized tooling such as the GUI-operated malware controllers dubbed TemplePlay and ViroGreen, which enable other threat actors to remotely access victim networks via RDP and to control previously installed malware, Mandiant said in a new report.

The initial access role played by UNC1860 is also reinforced by observed activity attributed to suspected APT34 actors on the networks of UNC1860 victims.

“UNC1860 gains initial access to victim environments in an opportunistic manner via the exploitation of vulnerable internet-facing servers leading to web shell deployment. After obtaining an initial foothold, the group typically deploys additional utilities and a selective suite of passive implants that are designed to be stealthier than common backdoors,” Mandiant researchers said.

The threat actor operates utilities and backdoors designed to create a strong foothold on the victim’s network and to maintain long-term access, including a Windows kernel mode driver repurposed from a legitimate Iranian antivirus product’s filter driver.

The hacking group’s web shells and droppers, including StayShante and SasheyAway, can be used in hand-off operations, with the latter embedding full passive backdoors such as TempleDoor, FaceFace, and SparkLoad.

TemplePlay, Mandiant notes, is a .NET-based controller for the TempleDoor passive backdoor, which can be used as a middlebox to access a target server not accessible directly from the internet.


ViroGreen, a custom framework for exploiting SharePoint servers vulnerable to CVE-2019-0604, provides post-exploitation capabilities including vulnerability scanning, payload control, backdoor deployment, command execution, and file download and upload.

To fly under the radar, the threat actor’s passive implants do not initiate outbound traffic, instead receiving inbound traffic from volatile sources; they use HTTPS to encrypt that traffic, load drivers without triggering critical errors, and leverage undocumented I/O control commands (in the Tofudrv and TofuLoad implants). The toolset also includes a detection-evasion utility (TempleLock) and related tooling (RotPipe and TempleDrop).
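The repurposed antivirus filter driver and the quiet driver loading described above defeat the obvious check: a signature-validity test passes, because the driver really is signed by a legitimate vendor. The hunting logic below, an added example and not UNC1860 tooling or Mandiant code, triages Sysmon Event ID 6 (DriverLoad) records and reports drivers whose signature is valid but whose publisher is not on the host's expected-signer baseline, or which load from outside the normal driver directories. The Sysmon field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are real; the event text is constructed for this example, and the publisher allowlist is a hypothetical baseline for one host.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for drivers that pass
signature checks but come from a publisher not expected on the host.

Added example, not UNC1860 tooling or Mandiant code. Sysmon's event fields
are real; the event text below is constructed and EXPECTED_SIGNERS is a
hypothetical baseline for a single host.
"""

import re

# Hypothetical allowlist: publishers whose drivers are expected on this host.
# Build it from a clean baseline of the same image rather than from a guess.
EXPECTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Directories from which driver loads are normally expected (compared lowercase).
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Constructed Sysmon ID 6 records in the "Key: Value" message layout Sysmon emits.
SAMPLE_EVENTS = """\
Driver loaded:
RuleName: -
UtcTime: 2024-09-19 08:12:44.101
ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2024-09-19 08:13:02.577
ImageLoaded: C:\\ProgramData\\svchelper\\avflt.sys
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
Signed: true
Signature: Example Antivirus Ltd
SignatureStatus: Valid

Driver loaded:
RuleName: -
UtcTime: 2024-09-19 08:13:40.003
ImageLoaded: C:\\Windows\\Temp\\ld.sys
Hashes: SHA256=3333333333333333333333333333333333333333333333333333333333333333
Signed: false
Signature: -
SignatureStatus: Unavailable
"""

# One "Key: Value" field per line; the "Driver loaded:" header line does not match.
FIELD_RE = re.compile(r"^(\w+): (.*)$", re.M)


def parse_events(text):
    """Split exported event text (blank line between records) into field dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = dict(FIELD_RE.findall(block))
        if "ImageLoaded" in fields:
            events.append(fields)
    return events


def triage(events, expected_signers=EXPECTED_SIGNERS):
    """Return (image, reason) for every driver load worth a second look.

    A valid signature from an unexpected publisher is reported on purpose:
    a signed third-party driver repurposed by an intruder passes the
    signature check, so signer identity and load path carry the signal.
    """
    findings = []
    for ev in events:
        image = ev["ImageLoaded"]
        signer = ev.get("Signature", "-")
        reasons = []
        signed_ok = ev.get("Signed", "false").lower() == "true"
        if not signed_ok or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        elif signer not in expected_signers:
            reasons.append(f"valid signature from unexpected publisher: {signer}")
        if not image.lower().startswith(EXPECTED_DIRS):
            reasons.append("loaded from outside the driver directories")
        if reasons:
            findings.append((image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for image, reason in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{image}: {reason}")
```

On the constructed input the Microsoft-signed ndis.sys is silent, the validly signed but unexpected avflt.sys is reported for both its publisher and its load path, and the unsigned ld.sys is reported as unsigned. Treat the publisher allowlist as per-image baseline data: a third-party AV vendor that is genuinely deployed on a host belongs on that host's list, and a driver from the same vendor appearing on a host where the product was never installed is exactly the case worth escalating.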

“These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem,” Mandiant added.

Related: US Preparing Criminal Charges in Iran Hack Targeting Trump: AP Sources

Related: Official: Russia, Iran Turmoil Limited Meddling in US Vote

Related: Iran’s Nuclear Agency Says Email Server Hacked

Related: Iran Says Foils Cyberattack Targeting Internet Providers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
