UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

Sept. 20, 2024, 11:36 a.m.

Description

UNC1860 is an Iranian state-sponsored threat actor likely affiliated with Iran's Ministry of Intelligence and Security. It employs specialized tools and passive backdoors to gain initial access and maintain persistent network access, particularly targeting government and telecommunications sectors in the Middle East. The group's capabilities include providing initial access for other actors, operating malware through GUI-based controllers, and maintaining a diverse collection of passive implants. UNC1860's arsenal includes defense-evasion utilities, kernel-level drivers, and custom implementations of encryption methods. The actor demonstrates advanced Windows OS knowledge and reverse-engineering skills, making it a formidable threat capable of supporting objectives ranging from espionage to network attacks.

Date

Published: Sept. 20, 2024, 11:10 a.m.
Created: Sept. 20, 2024, 11:10 a.m.
Modified: Sept. 20, 2024, 11:36 a.m.

Indicators

fe14edf4db2a9838f15aaf24a5837ffc5c901313d6fd2fe60d15401154e44406

fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042

da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999

c3fa9432243e1a2ab1991ab4c07a19392038e6a8e817e5fea0232c4caabbb950

c0dc609e6fc8801bb902d14910c3ffd69d6bd5a26389836446dc4c23565ddcc7

a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b

a052413e65e025cbefdddff6eeae91161de17ffec16d3a741dd9b7c33d392435

6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605

596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb

36b61f94bdfc86e736a4ee30718e0b1ee1c07279db079d48d3fe78b1578dbf03

269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd

1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e

2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838

f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d

f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596

8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330

e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d

9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb

1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb

7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c

3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7

c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0

Attack Patterns

ROADSWEEP

WINTAPIX

BABYWIPER

TEMPLELOCK

ROTPIPE

BASEWALK

SASHEYAWAY

STAYSHANTE

SPARKLOAD

FACEFACE

TEMPLEDROP

TOFUDRV

TEMPLEDOOR

VIROGREEN

OATBOAT

TEMPLEPLAY

UNC1860

T1562.002

T1207

T1006

T1505.003

T1543.003

T1583

T1571

T1014

T1095

T1573

T1055

T1140

T1027

T1553

T1112

T1190

T1078

T1068

T1059

CVE-2019-0604

Additional Information

Telecommunications

Government

Albania

Iraq

Qatar

Saudi Arabia

Israel