Iranian APT Facilitating Remote Access To Target Networks
According to recent reports, an Iranian Advanced Persistent Threat (APT) group is acting as a facilitator, providing remote access to target networks for other operators. The group is believed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). In this article, we’ll dive into these Middle East cyberattacks and uncover all the details. Let’s begin!
Iranian APT UNC1860 Tracked By Mandiant
Mandiant, a Google-owned cybersecurity firm, is tracking the UNC1860 activity cluster and has stated that it shares similarities with other intrusion sets previously tracked by Microsoft, Cisco Talos, and Check Point. These intrusion sets include:
- ShroudedSnooper.
- Scarred Manticore.
- Storm-0861, previously known as DEV-0861.
The cybersecurity firm has stated that UNC1860 is characterized by a collection of malicious backdoors and tools used for various objectives, and that it is probably involved in facilitating initial and persistent access to high-priority networks.
Such networks are typically found in the government and telecommunications sectors in the Middle East. The threat actor group was first identified in July 2022, when its ties to cyberattacks targeting Albania were revealed.
During those attacks, a ransomware strain called ROADSWEEP, a ZEROCLEAR wiper variant, and the CHIMNEYSWEEP backdoor were used. These attacks were followed by subsequent intrusions that used new wipers called No-Justice and BiBi.
UNC1860 Attack Tools And Techniques
Based on the available information, the Iranian APT group possesses passive backdoors developed to establish both an initial foothold and long-term access. Its other tools include two graphical user interface (GUI) based malware controllers known as TEMPLEPLAY and VIROGREEN.
These malware controllers use the Remote Desktop Protocol (RDP) to give threat actors remote access to the target environment. They also provide instructions for payload deployment and post-exploitation activity such as internal scanning.
The UNC1860 attack chain centers on leveraging initial access to deploy web shells and droppers, including STAYSHANTE and SASHEYAWAY. Once deployed, the droppers are used to execute the malware controllers. Other key tools in the attack chain include:
| Tool | Purpose |
| --- | --- |
| OATBOAT | Loads and executes shellcode payloads. |
| TOFUDRV | Malicious Windows driver that overlaps with WINTAPIX. |
| TOFULOAD | Employs undocumented Input/Output Control (IOCTL) commands for communication. |
| TEMPLEDROP | Protects deployed files from modification. |
| TEMPLELOCK | .NET defense evasion utility likely used to kill the Windows Event Log service. |
| TUNNELBOI | Establishes a connection with a remote host and manages RDP connections. |
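Two of the behaviours in the tool list above leave predictable traces in Windows telemetry: a utility that kills the Windows Event Log service (TEMPLELOCK) produces Service Control Manager and Eventlog shutdown records just before logging goes dark, and RDP-based remote access (TEMPLEPLAY, VIROGREEN, TUNNELBOI) shows up as RemoteInteractive logons. The hunt script below is an added example written for this article; it is not code from the original page or from Mandiant. It runs over constructed sample records (the field names, timestamps, users, IP addresses and the `APPROVED_RDP_SOURCES` jump-host set are all assumptions of this example), and the only real values in it are the Windows event IDs it keys on.

```python
"""Hunt constructed Windows event records for Event Log service tampering and
unexpected RDP logons. Added example; not the article's or Mandiant's code."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample records, modelled on real Windows event IDs but not taken
# from any real host. The dict layout is this example's own convention.
SAMPLE_EVENTS = [
    {"time": "2024-09-20T08:01:12Z", "channel": "System", "event_id": 7036,
     "message": "The Print Spooler service entered the running state."},
    {"time": "2024-09-20T08:02:40Z", "channel": "Security", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\jdoe", "src_ip": "10.20.1.5"},
    {"time": "2024-09-20T08:05:03Z", "channel": "Security", "event_id": 4624,
     "logon_type": 3, "user": "CORP\\svc-backup", "src_ip": "10.20.9.14"},
    {"time": "2024-09-20T08:07:55Z", "channel": "System", "event_id": 7036,
     "message": "The Windows Event Log service entered the stopped state."},
    {"time": "2024-09-20T08:07:56Z", "channel": "Security", "event_id": 1100,
     "message": "The event logging service has shut down."},
    {"time": "2024-09-20T08:12:30Z", "channel": "Security", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\jdoe", "src_ip": "172.16.44.9"},
    {"time": "2024-09-20T08:15:00Z", "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
]

# Hosts from which interactive RDP is expected (constructed placeholder value).
APPROVED_RDP_SOURCES: Set[str] = {"10.20.1.5"}


@dataclass(frozen=True)
class Finding:
    time: str
    rule: str
    detail: str


def detect_eventlog_tampering(events: Iterable[dict]) -> List[Finding]:
    """Flag records showing the Event Log service stopping or logs being cleared.

    7036/7034 (Service Control Manager) report service state changes; 1100 is
    written when the event logging service shuts down; 1102 and 104 record the
    Security and System logs being cleared.
    """
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("event_id")
        msg = ev.get("message", "")
        if eid in (7036, 7034) and "Windows Event Log" in msg and \
                ("stopped" in msg or "terminated" in msg):
            findings.append(Finding(ev["time"], "eventlog-service-stopped", msg))
        elif eid == 1100:
            findings.append(Finding(ev["time"], "eventlog-service-shutdown", msg))
        elif eid in (1102, 104):
            findings.append(Finding(ev["time"], "eventlog-cleared", msg))
    return findings


def detect_unexpected_rdp(events: Iterable[dict], approved: Set[str]) -> List[Finding]:
    """Flag RemoteInteractive (4624, logon type 10) logons from non-approved sources."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("event_id") == 4624 and ev.get("logon_type") == 10:
            src = ev.get("src_ip", "?")
            if src not in approved:
                findings.append(Finding(
                    ev["time"], "rdp-from-unapproved-source",
                    f"{ev.get('user', '?')} via RDP from {src}"))
    return findings


def hunt(events: Iterable[dict], approved: Set[str] = APPROVED_RDP_SOURCES) -> List[Finding]:
    """Run both detections and return findings in time order."""
    events = list(events)
    found = detect_eventlog_tampering(events) + detect_unexpected_rdp(events, approved)
    return sorted(found, key=lambda f: f.time)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.time} [{f.rule}] {f.detail}")
```

The service-stop and 1100 records matter most in combination with what follows them: once the Event Log service is down, the absence of further records from that host is itself the signal, so a production version of this hunt would also alert when a host that normally emits events goes silent after an `eventlog-service-stopped` finding.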
Sharing their stance on the Iranian APT, cybersecurity researchers have stated that:
“As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.”
Conclusion
Iranian APT UNC1860 continues to demonstrate its capabilities by deploying sophisticated tools and techniques to facilitate remote access and maintain long-term persistence in critical networks.
As tensions in the Middle East evolve, this APT remains a significant cyber threat, capable of adapting to emerging objectives. In light of such threats, robust security measures are a necessity, as they lower risk and help keep networks protected.
The sources for this piece include articles in The Hacker News and Security Affairs.