2024-09-19 Mandiant: UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern NetworksUNC1860 is an Iranian state-sponsored threat actor, likely affiliated with the Ministry of Intelligence and Security (MOIS), known for its persistent and stealthy operations. It employs a variety of specialized tools, passive backdoors, and custom utilities to target high-priority networks, such as government and telecommunications entities in the Middle East.
Passive Implants: UNC1860 relies on custom-made passive backdoors like TOFULOAD and WINTAPIX, which leverage undocumented Input/Output Control (IOCTL) commands for communication, bypassing standard detection mechanisms used by EDR systems. These implants operate without initiating outbound traffic, making them difficult to detect through traditional network monitoring tools.
Windows Kernel Driver: UNC1860 repurposed a legitimate Iranian antivirus kernel mode driver, Sheed AV, for stealthy persistence. This driver is used in TEMPLEDROP, a passive backdoor that protects its own files and other malware it deploys, preventing modification and enhancing its evasion capabilities.
Obfuscation and Encryption: The group implements custom XOR encryption and Base64 encoding/decoding libraries to avoid detection. For example, XORO, a rolling encryption module (MD5: 57cd8e220465aa8030755d4009d0117c), is used in several utilities such as TANKSHELL and TEMPLEPLAY. These encryption methods, although simple, are tailored to evade standard detection signatures.
TEMPLEPLAY and VIROGREEN Controllers: These GUI-operated malware controllers allow UNC1860 or third-party actors to manage compromised systems easily. They provide features such as:
Command execution via the Command Prompt Tab.
File transfer through Upload and Download Tabs.
Using infected systems as middleboxes through the Http Proxy Tab, facilitating RDP connections even in restricted environments.
Web Shells and Droppers: Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved. These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.
Multi-stage Implants: UNC1860 maintains a suite of "main-stage" implants with advanced capabilities, reserved for high-value targets. These implants, such as TOFULOAD and TEMPLEDROP, demonstrate the group's deep understanding of Windows kernel components and its ability to bypass security measures like kernel protections.
Reverse Engineering and Evasion: UNC1860 exhibits strong reverse engineering skills, especially evident in their repurposing of legitimate software like Windows file system filter drivers. This allows the group to manipulate system components for stealthy operations, using advanced evasion techniques like terminating Windows Event Log service threads and restarting them as needed.
