Written by: Stav Shulman, Matan Mimran, Sarah Bock, Mark Lechtik
Executive Summary
UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.
UNC1860’s tradecraft and targeting parallels with Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling including GUI-operated malware controllers, which are likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860.
UNC1860 additionally maintains an arsenal of utilities and collection of “main-stage” passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access. Among these main-stage backdoors includes a Windows kernel mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group’s reverse engineering capabilities of Windows kernel components and detection evasion capabilities. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.
Teamwork Makes the Dream Work: UNC1860’s Role as an Initial Access Provider
Mandiant identified two custom, GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN that we assess were used to provide a team outside of UNC1860 remote access to victim networks. This tooling, coupled with public reporting and evidence suggesting that the group collaborates with MOIS-affiliated groups such as APT34, strengthens the assessment that UNC1860 acts as an initial access agent.
Using Sustained Access to Support Initial Access Operations
In 2020, Mandiant responded to an engagement in which UNC1860 used the victim’s network as a staging area to conduct additional scanning and exploitation operations against unrelated entities. The actor was observed scanning IP addresses predominantly located in Saudi Arabia in an attempt to identify exposed vulnerabilities. UNC1860 also used a command-line tool to validate credentials of accounts and email addresses across multiple domains belonging to Qatari and Saudi Arabian entities, and later targeted VPN servers of entities in the region.
UNC1860 Overlaps with APT34
Mandiant responded to several engagements in 2019 and 2020 in which organizations compromised by suspected APT34 actors were previously compromised by UNC1860. Similarly, organizations previously compromised by suspected APT34 actors were later compromised by UNC1860, suggesting the group may play a role in assisting with lateral movement. Mandiant additionally identified recent indications of operational pivoting to Iraq-based targets by both APT34-related clusters and UNC1860.
Web Shell and Droppers
UNC1860 web shells and droppers, such as STAYSHANTE and SASHEYAWAY, deployed and placed on compromised servers by the group after gaining initial access have the potential to be used in hand-off operations based on their functionality. In March 2024, the Israeli National Cyber Directorate was alerted to wiper activity targeting Israeli entities across various sectors in Israel, including managed service providers, local governments, and academia; technical indicators included the unique STAYSHANTE web shell and the SASHEYAWAY dropper we attribute to UNC1860.
-
STAYSHANTE is typically installed using names masquerading as Windows server file names or dependencies, and is controlled by the VIROGREEN custom framework described as follows.
-
SASHEYAWAY has a low detection rate that allows for the smooth execution of full passive backdoors, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, embedded within it.
Custom, GUI-Operated Malware Controllers
UNC1860 GUI-operated malware controllers TEMPLEPLAY and VIROGREEN could provide third-party actors who have no previous knowledge of the target environment the ability to remotely access infected networks via RDP and to control previously installed malware on victim networks with ease. These controllers additionally could provide third-party operators an interface that walks operators through how to deploy custom payloads and perform other operations such as conducting internal scanning and exploitation within the target network.
Figure 1: Illustration of collaborator actor's command and control (C2 or C&C) used to utilize existing UNC1860 implant infrastructure in compromised network
TEMPLEPLAY Controller
TEMPLEPLAY (MD5: c517519097bff386dc1784d98ad93f9d) is a .NET-based controller for the TEMPLEDOOR passive backdoor. It is internally named Client Http and consists of several tabs, each one facilitating control of a separate backdoor command.
The Command Prompt Tab (Figure 2) sends a command line to execute on the target host. The default command is cmd /c 2 > &1 with parameter whoami.
Figure 2: TEMPLEPLAY GUI, Command Prompt Tab
The Upload File Tab (Figure 3) sends a file from a local path to a target path on the remote machine using a POST request. The default target path is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS.
Figure 3: Upload File Tab
The Download File Tab (Figure 4) is used to obtain a file from a given path on the infected machine. The default path on the infected machine is C:\Programdata\1.txt.
Figure 4: Download File Tab
The Http Proxy Tab (Figure 5) allows a remote machine infected with TEMPLEDOOR to be used as a middlebox that forwards data to a chosen target server. It appears that it is primarily intended to facilitate an RDP connection with the target server, most likely in cases where the latter is not accessible directly over the internet due to network boundaries (such as a NAT or a firewall), but may be accessible via the TEMPLEDOOR infected machine.
Figure 5: HTTP Proxy Tab
The URLs Tab (Figure 6) includes URL endpoints that are used when connecting to the infected machine. An endpoint string is chosen at random from the lists defined in this tab. These endpoints correspond to the ones that are defined in the TEMPLEDOOR sample (MD5:c57e59314aee7422e626520e495effe0).
Figure 6: URLs Tab
The TEMPLEPLAY GUI also includes a Test Backdoor link, which creates a GET request with the string wOxhuoSBgpGcnLQZxipa as the relative URI and checks for the string UsEPTIkCRUwarKZfRnyjcG13DFA in the response. This corresponds to an echo \ ping mechanism that was seen in use in the TEMPLEDOOR samples (MD5:b219672bcd60ce9a81b900217b3b5864)and MD5:c57e59314aee7422e626520e495effe0).
Additional links include the Explore link that opens a new Explorer window in the host where the controller runs, and the Http Setting link points to a set of configuration parameters that pertain to the HTTP requests sent between the controller and the TEMPLEDOOR passive backdoor.
VIROGREEN Controller
VIROGREEN is a custom framework used to exploit vulnerable SharePoint servers with CVE-2019-0604 (Figure 7). The framework provides post-exploitation capabilities including scanning for and exploiting CVE-2019-0604; controlling post-exploitation payloads, backdoors (including the STAYSHANTE web shell and the BASEWALK backdoor) and tasking; controlling a compatible agent regardless of how the agent has been implanted; and executing commands and uploading/downloading files.
Additional details on TEMPLEPLAY and VIROGREEN can be found in the Technical Annex.
Figure 7: VIROGREEN GUI
UNC1860 Malware: Gaining Persistent Access
UNC1860 gains initial access to victim environments in an opportunistic manner via the exploitation of vulnerable internet-facing servers leading to web shell deployment. After obtaining an initial foothold, the group typically deploys additional utilities and a selective suite of passive implants that are designed to be stealthier than common backdoors. These provide a higher degree of operational security by removing the dependency for classic C2 infrastructure, making detection more difficult for network defenders. Cisco and Check Point have provided extensive analysis on UNC1860’s passive implants that correspond to OATBOAT, a loader that loads and executes shellcode payloads; Fortinet additionally provided analysis regarding the Windows kernel driver, WINTAPIX, which has similar code to a malicious driver we track as TOFUDRV (Figure 8 and Figure 9).
A key feature of UNC1860 includes its maintenance of this diverse collection of passive/listener-based utilities that support the group’s initial access and lateral movement goals. We believe the group additionally maintains a smaller collection of “main-stage” backdoors that have greater capabilities than the usual web shells and small .NET utilities that may be deployed for select high-priority victims in the telecommunications sector. These implants demonstrate the group’s keen understanding of the Windows operating system (OS) and network detection solutions, reverse engineering capabilities of Windows kernel components, and detection evasion capabilities.
-
Passive implants do not initiate outbound traffic from the victim network to a C2 server. Further, the inbound traffic containing commands or payloads can arrive from any volatile source (e.g., VPN nodes within the target country, from another victim, or even internally from another part of the victim network). This makes network monitoring more difficult. Web shells and passive implants leverage HTTPS-encrypted traffic so commands/payloads cannot be extracted from captured network traffic.
-
Both passive implants TOFUDRV and TOFULOAD leverage undocumented Input/Output Control commands for communication, which requires knowledge of the OS and can lower the chances of this traffic being detected by endpoint detection and response (EDR) solutions.
-
Loading drivers is a "high risk / high reward" situation as loading them without creating a critical error screen requires extensive knowledge both of the OS internals and victim environments; however, using them promises lower detection rates and possibilities akin to filtering drivers, which act as middlemen allowing for the inspection, modification, or blocking of network traffic before it reaches the device or application, as well as assets like file system objects and registry entries.
-
The passive backdoor TEMPLEDROP repurposed an Iranian AV software Windows file system filter driver named Sheed AV (MD5: 0c93cac9854831da5f761ee98bb40c37) for the purpose of protecting some of the files it deploys as well as its own file from modification.
-
A .NET-based utility for defense evasion tracked as TEMPLELOCK was observed being implemented in both foothold utilities such as ROTPIPE and more complex passive implants such as TEMPLEDROP. TEMPLELOCK is capable of terminating threats associated with the Windows Event Log service and restarting the service’s operation on demand.
Figure 8: Driver file protection logic in WINTAPIX (MD5: 286bd9c2670215d3cb4790aac4552f22)
Figure 9: Driver file protection logic in TOFUDRV (MD5: b4b1e285b9f666ae7304a456da01545e)
UNC1860 Unique Artifacts Suggest Consistent Development Support
In addition to the previous observations, we identified the following recurring artifacts related to the group’s independent implementation of Base64 encoding/decoding and XOR encryption/decryption in .NET code, despite these functions being available in build-in .NET code.
The intent of the independent implementation of these functions is not entirely clear. Nevertheless, it is highly likely that using such custom libraries bypasses common detections by EDRs and other security tools—detections designed to identify usage combinations of functions commonly seen in malware. Additionally, using these custom libraries may allow better compatibility if any of the built-in functions change in a specific version of a .NET control to ensure the group’s tooling is always compatible with its encryption and encoding schemes and/or to better help evade detection.
-
We observed the same encoding method using the Base64 algorithm to encode and decode data sent between controllers and proxy servers. In several cases, we identified the reuse of a seemingly misspelled Base64 DLL using the name “bsae64” in both foothold utilities deployed via SASHEYAWAY and passive implants including TEMPLEDOOR.
-
We observed the same rolling encryption module, XORO (MD5: 57cd8e220465aa8030755d4009d0117c),dropped by the TANKSHELL utility; TUNNELBOI network tunneller capable of establishing a connection with a remote host, managing web shells on the network, and creating RDP connections; and the TEMPLEPLAY controller.
Foothold Utilities and Backdoors and Malware Use for Longer Term Persistence
Mandiant is tracking multiple foothold utilities and backdoors used in UNC1860 initial access operations. These generally use custom obfuscation methods that can lower detection rates and make analysis more difficult by renaming strings and function names. Additionally, we are tracking numerous code families that we consider to be UNC1860 “main-stage” implants that further increase the group’s persistence in victim environments.
Please see the Technical Annex for more information.
Additional Protection Information for Google Cloud Customers
For Google SecOps Enterprise+ customers, SecOps rules have been released to the Emerging Threats rule pack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.
Indicators of Compromise (IOCs)
A Google Threat Intelligence Collection featuring IOCs related to the activity described in this post is now available for registered users.
MD5 Hashes
1176381da7dea356f3377a59a6f0e799 |
41f4732ed369f2224a422752860b0bc5 |
4029bc4a06638bb9ac4b8528523b72f6 |
126bc1c30fba27f8bf67dce4892b1e8c |
0c9ff0db00f04fd4c6a9160bffd85a1d |
a7693e399602eb79db537c5022dd1e01 |
d9719f6738dbfaa21be7f184512fe074 |
17b27e6aa0ab6501f11bb4d2e0f829ff |
4dd6250eb2d368f500949952eb013964 |
69fd67c115349abb4a313230a1692642 |
7f5f5f290910d256e6b012f898c88bf3 |
c90ec587e3333dabb647ebc182673460 |
efe8043e1b4214640c5f7b5ddf737653 |
a90236e4962620949b720f647a91f101 |
b26d54b7da7b2bf600104f69da4ea00f |
d87ca3f830b8b53fde358bb64900f6af |
c50ae2c4b76f0d5724ec240568c78c4f |
57cd8e220465aa8030755d4009d0117c |
4b2c78bb2c439998cff0cc097a14b942 |
4abcf21b63781a53bbc1aa17bd8d2cbc |
a3ea0d13848a104c28d035a9d518acc2 |
bd6464f12bb6f7f02b6ffebb363d8e5f |
f89be788e4adf665acf1a8ef8fcaa133 |
f292e61774c267c3787fdfcace50ea7b |
c11a4e4a2d484513f79bd127a0387b0c |
14e54ff4805840e656efb8cd38de4751 |
3d5d05f230ae702c04098de512d93d48 |
a038975255d3dda636d86ccd307f7838 |
31f2369d2e38c78f5b3f2035dba07c08 |
c21eefc65cda49f17ddd1d243a7bffb5 |
c8fa0ce3ae6a13af640607ea606c55f9 |
2cece71e107d12ffd74b2fb24bf339a6 |
fa1c6f7a5e02374b9d33de2578cb3399 |
1e896f026246872b2feb4f8e3e093815 |
57c916da83cc634af22bde0ad44d0db3 |
07db3058e32fe5f36823dc7092cd7d5b |
3dd829fb27353622eff34be1eabb8f18 |
1e6679cd25d1bb127a0bec665adcf21e |
2e803d28809be2a0216f25126efde37b |
2398a83f10329a107801d3d23d06f7cb |
73fb0fe5cd96a14a4f85639223aec6a8 |
85427a8a47c4162b48d8dfb37440665d |
a500561c0b374816972094c2aa90da2a |
a65ee1a82975ee4c8d4e70219e1bfff5 |
ce537dd649a391e52c27a3f88a0a8912 |
e67687b4443f58d2b0a465e3af3caffe |
b34883fb1630db43e06a38cebfa0bce2 |
46804472541ed61cc904cd14be18fe1d |
4de802f7e61cb8c820a02e042b58b215 |
929b12bc9f9e5f8e854de1d46ebf40d9 |
f0dfb7bf01c0412891da8fa2702f4c7b |
b219672bcd60ce9a81b900217b3b5864 |
fc90907e70f18c7f6a6b9d9599b6f97c |
d1e45afbfd3424612b4a4218cc7357ef |
da0085a97c38ead734885e5cced1847f |
490590bfdeeedf44b3ae306409bb0d03 |
e86e885e6c96ac72482741d8696c17fb |
ca3f0d25f7da0e8cde8e1f367451c77a |
7b2fa099d51fa3885766f6d60d768748 |
6626dbe74acd15d06ff6900071ef240c |