Iranian actor targets Mideast telecom and government sectors

• Collector of specialised tooling and passive backdoors for gaining initial access and remaining in critical networks for prolonged periods.
• UNC1860 has crafted malware within the kernel of Windows, having very high-level access and control over the system.

The Iranian threat actor UNC1860, affiliated with the country’s Ministry of Intelligence (MOIS), is a collector of specialised tooling and passive backdoors for gaining initial access and remaining in critical networks for prolonged periods, Google’s Mandiant warns.

The Google-owned security firm has observed UNC1860 specialising in initial access provision. The actor uses specialised tools to compromise networks on behalf of other Iranian threat groups, targeting the telecommunications and government sectors in the Middle East.

Reportedly, UNC1860 was behind attacks in Israel in late October 2023, and Albania in 2022, providing initial access. UNC1860 collaborates with other MOIS-affiliated groups such as APT34.

Backdoor access

Previously, Check Point researchers shed light on another Iranian threat actor Void Manticore, that specialises in the destructive phase of the attacks, delivering payloads to erase critical information and corrupt systems.

Mandiant, in February this year, had said on a concerning trend of suspected espionage activities linked to Iranian actor UNC1549, which is believed to be associated with the threat group Tortoiseshell,  targeting the aerospace, aviation, and defense industries across several Middle Eastern nations, including Israel and the United Arab Emirates (UAE), with potential implications for Turkey, India, and Albania.

Tortoiseshell, which has established ties to Iran’s Islamic Revolutionary Guard Corps (IRGC), has previously engaged in efforts to compromise supply chains by focusing on defense contractors and information technology providers.

Mandiant identified the specialised tooling used by UNC1860. Malware controllers have a graphic user interface, suited to facilitate a hand-off to other threat groups.

Network detection solutions

Additionally, the threat actor maintains “an arsenal of utilities and collection of “main-stage” passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access.

The collection reveals sophisticated reverse engineering capabilities. UNC1860 has crafted malware within the kernel of Windows, having very high-level access and control over the system.

It was repurposed from a legitimate Iranian anti-virus software filter driver. Two malware controllers for remote access to victim networks are tracked as TEMPLEPLAY and VIROGREEN.

“UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations,” Mandiant says.

“This actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.”

Like many other threat actors specialising in initial access, UNC1860 was observed scanning IP addresses in an attempt to identify exposed vulnerabilities. Those were predominantly located in Saudi Arabia. UNC1860 relies on a command-line tool to validate credentials across multiple domains, they also target VPN servers.

The hackers are opportunistic and try to exploit vulnerable internet-facing servers. They deploy a suite of implants that are designed to be stealthier than common backdoors.

“These implants demonstrate the group’s keen understanding of the Windows operating system (OS) and network detection solutions, reverse engineering capabilities of Windows kernel components, and detection evasion capabilities.”

On compromised servers, UNC1860 selectively installs backdoors with GUI-operated controllers. These controllers can provide third-party actors, who have no prior knowledge about the target environment, with remote access to infected networks via Remote Desktop Protocol (RDP).

“These controllers additionally could provide third-party operators an interface that walks operators through how to deploy custom payloads and perform other operations such as conducting internal scanning and exploitation within the target network,” the report showed.