Mandiant has dived into the operations of UNC1860, an Iranian advanced persistent threat (APT) actor that appears to act as an initial access provider to high-profile networks in the Middle East.
Mandiant says UNC1860, likely an opportunistic state-sponsored hacking group targeting government and telecommunications entities in the Middle East, shows similarities with other Iran-linked threat actors and appears to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
The group’s arsenal includes specialized tooling such as the GUI-operated malware controllers TemplePlay and ViroGreen, which enable other threat actors to remotely access victim networks via RDP and to control previously installed malware, Mandiant said in a new report.
The initial access role played by UNC1860 is also reinforced by observed activity attributed to suspected APT34 actors on the networks of UNC1860 victims.
“UNC1860 gains initial access to victim environments in an opportunistic manner via the exploitation of vulnerable internet-facing servers leading to web shell deployment. After obtaining an initial foothold, the group typically deploys additional utilities and a selective suite of passive implants that are designed to be stealthier than common backdoors,” Mandiant researchers said.
The threat actor operates utilities and backdoors designed to create a strong foothold on the victim’s network and to maintain long-term access, including a Windows kernel mode driver extracted from a legitimate Iranian antivirus software filter.
The hacking group’s web shells and droppers, including StayShante and SasheyAway, can be used in hand-off operations, with the latter embedding full passive backdoors such as TempleDoor, FaceFace, and SparkLoad.
TemplePlay, Mandiant notes, is a .NET-based controller for the TempleDoor passive backdoor, which can be used as a middlebox to access a target server not accessible directly from the internet.
ViroGreen, a custom framework for exploiting SharePoint servers vulnerable to CVE-2019-0604, provides post-exploitation capabilities including vulnerability scanning, payload control, backdoor deployment, command execution, and file download/upload.
To fly under the radar, the threat actor’s passive implants do not initiate outbound traffic, receive inbound traffic from volatile sources, encrypt their traffic with HTTPS, and load drivers without triggering critical errors. The Tofudrv and TofuLoad implants leverage undocumented I/O control commands, and the toolset also includes a detection-evasion utility (TempleLock) along with the RotPipe and TempleDrop tools.
“These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem,” Mandiant added.