Iranian APT UNC1860, Linked to MOIS, Plays Key Role in Cyber Intrusions in Middle East
September 20, 2024
An Iranian advanced persistent threat (APT) group, likely affiliated with the country's Ministry of Intelligence and Security (MOIS), is serving as an initial access facilitator, providing remote access to target networks. This group, tracked by Google's Mandiant as UNC1860, shares characteristics with intrusion sets monitored by Microsoft, Cisco Talos, and Check Point.
UNC1860 first emerged in July 2022, associated with damaging cyber attacks in Albania using a ransomware strain called ROADSWEEP, the CHIMNEYSWEEP backdoor, and a ZEROCLEAR wiper variant. Subsequent attacks in Albania and Israel involved new wipers named No-Justice and BiBi.
Mandiant describes UNC1860 as a significant threat actor, possessing a range of passive backdoors designed to establish footholds in victim networks and maintain long-term access without drawing attention. Among these tools are two GUI-operated malware controllers, TEMPLEPLAY and VIROGREEN, which provide other MOIS-linked threat actors with remote access to victim systems using the remote desktop protocol (RDP).
These controllers are designed to offer third-party operators an interface that provides guidance on how custom payloads can be deployed and post-exploitation activities like internal scanning can be executed within the target network. Mandiant has identified overlaps between UNC1860 and another APT group, APT34, with organizations compromised by APT34 in 2019 and 2020 previously infiltrated by UNC1860, and vice versa.
Both groups have been seen shifting their focus to targets in Iraq. The attack chains involve leveraging initial access gained through opportunistic exploitation of vulnerable internet-facing servers to drop web shells and droppers like STAYSHANTE and SASHEYAWAY. These lead to the execution of implants, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, embedded within them.
VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604. It controls STAYSHANTE, along with a backdoor referred to as BASEWALK. TEMPLEPLAY, on the other hand, serves as the .NET-based controller for TEMPLEDOOR. It supports backdoor instructions for executing commands via cmd.exe, uploading and downloading files from the infected host, and establishing a proxy connection to a target server.
The adversary is believed to have a diverse collection of passive tools and main-stage backdoors that align with its initial access, lateral movement, and information gathering goals. As tensions continue to rise and fall in the Middle East, this actor's skill in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to meet evolving objectives as needs change.
This development comes as the U.S. government disclosed Iranian threat actors' ongoing attempts to influence and undermine the upcoming U.S. elections by stealing non-public material from former President Donald Trump's campaign. Iran's escalation of its cyber operations against its perceived rivals also comes at a time when the country has become increasingly active in the Middle East region.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned last month that the Iranian APT Lemon Sandstorm has carried out ransomware attacks by secretly partnering with the NoEscape, RansomHouse, and BlackCat groups. Analysis by Censys of the hacking group's attack infrastructure has since uncovered other, currently active hosts that are likely part of it, based on commonalities in geolocation, Autonomous System Numbers (ASNs), and identical patterns of open ports and digital certificates.
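The pivot described above, as an added defender-side example that is not code from the article or from Censys: candidate hosts are scored against a known attacker host on the four attributes the article names (geolocation, ASN, port pattern, certificate fingerprint). All host records, addresses and weights are constructed for illustration.

```python
# Added example (not from the article or Censys): a minimal infrastructure
# pivot that scores candidate hosts against a known attacker host on
# geolocation, ASN, open-port pattern and TLS certificate fingerprint.
# Every record below is constructed; addresses are documentation ranges.
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Host:
    ip: str                    # constructed sample address
    country: str               # geolocation as reported by the scanner
    asn: int                   # Autonomous System Number
    ports: frozenset           # open TCP ports observed by the scanner
    cert_sha256: Optional[str] # SHA-256 of the served leaf certificate, if any

# Weights are an assumption for illustration; tune them against your own data.
WEIGHTS = {"asn": 0.25, "country": 0.10, "ports": 0.30, "cert": 0.35}

def similarity(known: Host, cand: Host) -> float:
    """Weighted 0..1 score; an identical certificate is the strongest signal."""
    score = 0.0
    if cand.asn == known.asn:
        score += WEIGHTS["asn"]
    if cand.country == known.country:
        score += WEIGHTS["country"]
    union = known.ports | cand.ports
    if union:  # Jaccard overlap of the open-port sets
        score += WEIGHTS["ports"] * len(known.ports & cand.ports) / len(union)
    if known.cert_sha256 and cand.cert_sha256 == known.cert_sha256:
        score += WEIGHTS["cert"]
    return round(score, 3)

def pivot(known: Host, candidates: List[Host], threshold: float = 0.5) -> List[Tuple[str, float]]:
    """Return (ip, score) for candidates at or above threshold, best match first."""
    scored = [(c.ip, similarity(known, c)) for c in candidates if c.ip != known.ip]
    return sorted([s for s in scored if s[1] >= threshold], key=lambda s: -s[1])

# Constructed data: one seed host from a hypothetical advisory and three scan hits.
SEED = Host("192.0.2.10", "XX", 64500, frozenset({22, 443, 8443}), "aa" * 32)
CANDIDATES = [
    Host("192.0.2.11", "XX", 64500, frozenset({22, 443, 8443}), "aa" * 32),  # same cert and ports
    Host("198.51.100.5", "XX", 64500, frozenset({443, 8443}), None),          # same ASN, similar ports
    Host("203.0.113.7", "YY", 64501, frozenset({80}), "bb" * 32),             # unrelated host
]

if __name__ == "__main__":
    for ip, score in pivot(SEED, CANDIDATES):
        print(ip, score)
```

Hosts that score above the threshold are leads for further review, not confirmed infrastructure; an identical certificate fingerprint is the attribute least likely to be coincidental.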