Iranian hackers have been using Microsoft Azure cloud infrastructure in attacks targeting aerospace, aviation, and defense organizations in the Middle East, Mandiant reports.
As part of a campaign ongoing since at least June 2022, the hacking group, tracked as UNC1549, has been deploying two unique backdoors dubbed MiniBike and MiniBus, to spy on organizations in Israel and the United Arab Emirates (UAE), as well as Albania, India, and Turkey.
The group’s activities overlap with Smoke Sandstorm and Tortoiseshell, a threat actor linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that previously targeted defense contractors and IT providers.
“The potential link between this activity and the Iranian IRGC is noteworthy given the focus on defense-related entities and the recent tensions with Iran in light of the Israel-Hamas war,” Mandiant notes.
In November 2023, the cybersecurity firm discovered the MiniBus backdoor hosted on a fake recruiting website that used the same template as another fake job website employed by UNC1549 in 2022. Like other UNC1549 campaigns, a .NET application was used to deliver the malware.
Throughout the campaign, spear-phishing emails and social media messages were used to distribute links to staged websites containing fake job offers or Israel-Hamas related content.
The websites hosted the MiniBike and MiniBus backdoors, which were designed to establish communication with command-and-control (C&C) infrastructure hosted on Microsoft Azure.
“The access to the device can be leveraged for multiple purposes, including intelligence collection and as a stepping stone for further access into the targeted network,” Mandiant notes.
UNC1549 was also seen deploying several evasion techniques to remain under the radar, including the use of domain naming schemes resembling legitimate sites, the use of job-themed lures, and the use of Azure and servers located in the targeted geographies to hide malicious traffic.
In addition to the MiniBike and MiniBus backdoors, the threat actor has employed LightTrail, a tunneling tool based on an open source Socks4a proxy.
Written in C++ and used since at least June 2022, the MiniBike backdoor is usually bundled with a launcher and a legitimate executable (SharePoint, OneDrive, or a fake Hamas-related .NET application).
The MiniBus backdoor is more advanced, but similar in functionality and code base with MiniBike. The main difference between the two is that MiniBus also supports payload execution and has a process enumeration feature.
LightRail shows code similarities with the backdoors, uses the same Azure C&C infrastructure, and has been deployed against the same targets.
Mandiant also observed UNC1549 using fake login pages to harvest victim credentials and identified job description documents for positions at a drone manufacturing company on the same infrastructure hosting MiniBus.
Related: Iran Ramps Up Cyberattacks on Israel Amid Hamas Conflict: Microsoft
Related: US Slaps Sanctions on ‘Dangerous’ Iranian Hackers Linked to Water Utility Hacks
Related: Iranian Hackers Targeting US Defense Industrial Base Entities With New Backdoor
