September 23, 2024
Severity
High
Analysis Summary
An Iranian advanced persistent threat (APT) actor, probably connected to the Ministry of Intelligence and Security (MOIS), is now serving as an initial access facilitator, granting remote access to target networks.
Google-owned Mandiant is tracking the activity cluster under the pseudonym UNC1860. According to Mandiant, this cluster overlaps with intrusion sets tracked as Storm-0861 (previously DEV-0861), ShroudedSnooper, and Scarred Manticore. UNC1860's collection of specialized tooling and passive backdoors is central to its goals: acting as a likely initial access provider and maintaining persistent access to high-priority networks across the Middle East, such as those in the government and telecommunication sectors.
The group first surfaced in July 2022 with destructive cyberattacks using the CHIMNEYSWEEP backdoor, the ROADSWEEP ransomware strain, and a ZEROCLEAR wiper variant (also known as Cl Wiper). Subsequent intrusions in Albania and Israel used new wipers known as No-Justice and BiBi (also known as BABYWIPER). Mandiant characterized UNC1860 as a capable threat actor with many passive backdoors designed to gain access to victim networks and establish a persistent presence without drawing notice.
Among these tools are two GUI-operated malware controllers known as TEMPLEPLAY and VIROGREEN, which are purported to give other MOIS-linked threat actors remote access to victim environments via the Remote Desktop Protocol (RDP). Specifically, the controllers present third-party operators with an interface that guides them through post-exploitation tasks such as internal scanning of the target network and delivery of bespoke payloads.
UNC1860 and APT34 (also known as Hazel Sandstorm, Helix Kitten, and OilRig) overlap: UNC1860 previously infiltrated organizations that APT34 compromised in 2019 and 2020, and vice versa. Researchers have also recently noted that both clusters have pivoted toward targets in Iraq. The attack chains begin with initial access obtained through opportunistic exploitation of vulnerable internet-facing servers, followed by web shells and droppers such as SASHEYAWAY and STAYSHANTE; the droppers in turn execute implants embedded within them, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD.
VIROGREEN, a custom framework, is used to exploit vulnerable SharePoint servers via CVE-2019-0604. It controls the BASEWALK backdoor and STAYSHANTE. The framework's post-exploitation capabilities include tasking, managing post-exploitation payloads, executing commands, uploading and downloading files, and controlling backdoors (such as the BASEWALK and STAYSHANTE web shells) and compatible agents.
TEMPLEPLAY (known internally as Client Http) is the .NET-based controller for TEMPLEDOOR. It can upload files to and download files from the compromised host, reach a target server through a proxy connection, and issue instructions to the backdoor to execute commands via cmd.exe. The adversary is thought to possess a wide range of passive tools and main-stage backdoors that align with its objectives of initial access, lateral movement, and intelligence gathering.
Researchers assess that this actor's skill at gaining initial access to target environments is a valuable asset for the Iranian cyber ecosystem, one that can be redirected as objectives change, especially as tensions in the Middle East continue to rise and fall.
Impact
- Unauthorized Access
- Code Execution
- Sensitive Data Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement intrusion detection and prevention systems (IDPS) to detect and prevent unusual network activity, system behavior, or similar threats.
- Enable two-factor authentication (2FA) on your accounts. This adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.
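The "block indicators" and "search for IOCs" steps above require a way to check files against the advisory's MD5, SHA-1 and SHA-256 lists. The following is an added example, not part of the advisory and not a vendor tool, of a single-pass hash sweep that normalizes indicator strings and reports which digest type matched; the function names are my own, and the indicator used in the demo is a constructed placeholder to be replaced with the advisory's values.

```python
import hashlib
import os
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")  # the three digest types the advisory lists

def build_ioc_set(md5=(), sha1=(), sha256=()):
    """Normalize indicator strings (case, whitespace) so matching is exact."""
    raw = {"md5": md5, "sha1": sha1, "sha256": sha256}
    return {algo: {h.strip().lower() for h in vals} for algo, vals in raw.items()}

def hash_bytes(data: bytes) -> dict:
    """All three digests of in-memory data (small blobs, tests)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}

def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Stream a file once, feeding every chunk to all three hashers."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}

def match_digests(digests: dict, iocs: dict) -> list:
    """Return (algorithm, digest) pairs that hit an indicator."""
    return [(a, d) for a, d in digests.items() if d in iocs.get(a, set())]

def scan_directory(root: str, iocs: dict) -> list:
    """Walk a tree; report (path, algorithm, digest) per hit; skip unreadable files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            hits.extend((path, a, d) for a, d in match_digests(digests, iocs))
    return hits

if __name__ == "__main__":
    # Constructed demo: a throwaway file whose MD5 stands in for a real indicator.
    sample = b"constructed sample content"
    iocs = build_ioc_set(md5=[hash_bytes(sample)["md5"].upper()])
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "dropper.bin").write_bytes(sample)
        for path, algo, digest in scan_directory(tmp, iocs):
            print(f"HIT {algo}={digest} {path}")
```

Hashing all three algorithms in one read keeps the sweep to a single pass over large file systems, which matters when the advisory gives a mix of MD5, SHA-1 and SHA-256 values for different samples.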