Full Report
UNC1860 is an Iranian state-sponsored threat actor, likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). This group specializes in gaining persistent access to high-priority networks, especially in the government and telecommunications sectors in the Mid...
Analysis Summary
# Threat Actor: UNC1860
## Attribution & Identity
* **Actor identification:** Iranian state-sponsored threat actor.
* **Known Aliases and Associations:** Likely affiliated with Iran's Ministry of Intelligence and Security (MOIS). Techniques are closely related to other known Iranian threat groups like APT34.
## Activity Summary
UNC1860 specializes in gaining persistent access to high-priority networks and is believed to provide initial access to other actors, enabling more destructive follow-on attacks. The observed campaign focuses on exploiting 1-day vulnerabilities and leads to data exfiltration.
## Tactics, Techniques & Procedures
* **Initial Access:** Vulnerability exploitation (specifically 1-day vulnerabilities).
* **Persistence/C2:** Deployment of specialized, stealthy backdoors (STAYSHANTE and SASHEYAWAY) designed for long-term access.
  * Hiding C2 traffic inside encrypted HTTPS sessions.
  * Leveraging undocumented Windows kernel drivers (e.g., WINTAPIX and TOFUDRV) for evasion.
* **Defense Evasion:** Repurposing legitimate software, such as Iranian antivirus drivers, to shield activities.
* **Execution/Control:** Use of GUI-based controllers (TEMPLEPLAY) for command execution, file upload/download, and HTTP proxying.
* **Post-Exploitation:** Deployment of webshells on targeted technologies.
## Targeting
* **Sectors:** Government and Telecommunications.
* **Geography:** The Middle East.
* **Victims:** High-priority networks within targeted sectors.
## Tools & Infrastructure
* **Malware Families Used:**
  * **TEMPLEPLAY:** GUI-based command controller managing the TEMPLEDOOR backdoor.
  * **VIROGREEN:** Post-exploitation tool targeting vulnerable SharePoint servers.
  * **TEMPLEDOOR:** Backdoor managed by TEMPLEPLAY.
  * **STAYSHANTE:** Stealthy implant for maintaining long-term access.
  * **SASHEYAWAY:** Stealthy implant for maintaining long-term access.
  * **WINTAPIX & TOFUDRV:** Undocumented Windows kernel drivers used for stealth.
* **Infrastructure:** Not explicitly detailed, but utilizes encrypted HTTPS traffic for C2 masking.
## Implications
UNC1860 poses a significant espionage and access threat, focusing on establishing long-term, stealthy footholds within critical infrastructure (government/telecoms) in the Middle East. Their role as an initial access broker for other actors suggests the potential for subsequent, more damaging operations after compromise.
## Mitigations
* Immediate patching of 1-day vulnerabilities to prevent initial compromise.
* Enhanced monitoring for the deployment of webshells on targeted technologies such as SharePoint.
* Network monitoring focused on identifying encrypted HTTPS C2 beaconing, including the evasion techniques described above (e.g., unusual kernel driver behavior or traffic patterns associated with known backdoors).
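Because the C2 channel described above is wrapped in HTTPS, a defender cannot inspect the payload and has to lean on connection metadata instead. The script below is an added illustration of the beaconing check the last mitigation calls for; it is not part of the original report and is not tooling from any vendor. It groups constructed proxy records (documentation IP ranges, invented timestamps) by source/destination pair and flags pairs whose inter-request intervals are unusually regular, measured as the coefficient of variation (standard deviation divided by the mean). The thresholds `min_events` and `max_cv` are assumptions to be tuned per environment.

```python
"""Flag periodic (low-jitter) HTTPS connections in proxy logs.

Added example, not from the original report. Input format is assumed to be
one record per line: "<ISO timestamp> <src_ip> <dst_host> <bytes_sent>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real traffic). 10.0.0.5 contacts
# 203.0.113.10 roughly every 300 s with a few seconds of jitter, 10.0.0.7
# browses 198.51.100.20 irregularly, and 10.0.0.9 has too few events to judge.
SAMPLE_LOG = """\
2024-01-10T10:00:00 10.0.0.5 203.0.113.10 512
2024-01-10T10:00:10 10.0.0.7 198.51.100.20 2048
2024-01-10T10:00:45 10.0.0.7 198.51.100.20 9132
2024-01-10T10:03:00 10.0.0.7 198.51.100.20 777
2024-01-10T10:05:01 10.0.0.5 203.0.113.10 498
2024-01-10T10:09:59 10.0.0.5 203.0.113.10 505
2024-01-10T10:10:30 10.0.0.7 198.51.100.20 45000
2024-01-10T10:11:00 10.0.0.7 198.51.100.20 1200
2024-01-10T10:15:02 10.0.0.5 203.0.113.10 511
2024-01-10T10:20:00 10.0.0.5 203.0.113.10 500
2024-01-10T10:24:58 10.0.0.5 203.0.113.10 509
2024-01-10T10:25:00 10.0.0.7 198.51.100.20 3300
2024-01-10T10:26:40 10.0.0.7 198.51.100.20 650
2024-01-10T10:30:01 10.0.0.5 203.0.113.10 503
2024-01-10T10:35:00 10.0.0.5 203.0.113.10 499
2024-01-10T10:00:00 10.0.0.9 192.0.2.50 300
2024-01-10T10:05:00 10.0.0.9 192.0.2.50 300
"""


def parse_line(line):
    """Split one record into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def group_by_pair(lines):
    """Collect (timestamp, bytes) events per (src, dst), sorted by time."""
    pairs = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = parse_line(line)
        pairs[(src, dst)].append((ts, nbytes))
    for events in pairs.values():
        events.sort()  # records may arrive out of order in merged logs
    return pairs


def beacon_candidates(lines, min_events=6, max_cv=0.10):
    """Return pairs whose request timing is regular enough to look like a beacon.

    A pair is reported when it has at least `min_events` requests and the
    coefficient of variation of the gaps between requests is <= `max_cv`.
    """
    findings = []
    for (src, dst), events in group_by_pair(lines).items():
        if len(events) < min_events:
            continue
        times = [t for t, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(events),
                "mean_interval": avg,
                "cv": cv,
                "mean_bytes": mean(b for _, b in events),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in beacon_candidates(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']}: {f['events']} requests, "
              f"~{f['mean_interval']:.0f}s apart (cv={f['cv']:.3f}), "
              f"~{f['mean_bytes']:.0f} bytes each")
```

Only the 10.0.0.5 pair is reported on the sample: its seven gaps average 300 s with a coefficient of variation under 0.01, while the browsing host's gaps vary by more than their mean. Treat the output as a triage list rather than an alert: software updaters and telemetry agents beacon just as regularly, so the usual next step is an allowlist of known destinations plus a look at the destination's reputation, certificate and request sizes.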