UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

Sept. 20, 2024, 11:36 a.m.

Description

UNC1860 is an Iranian state-sponsored threat actor likely affiliated with Iran's Ministry of Intelligence and Security. It employs specialized tools and passive backdoors to gain initial access and persistent network access, particularly targeting government and telecommunications sectors in the Middle East. The group's capabilities include providing initial access for other actors, using GUI-operated malware controllers, and maintaining a diverse collection of passive implants. UNC1860's arsenal includes utilities for defense evasion, kernel-level drivers, and custom implementations of encryption methods. The actor demonstrates advanced Windows OS knowledge and reverse engineering skills, making it a formidable threat capable of supporting various objectives from espionage to network attacks.

Date

  • Created: Sept. 20, 2024, 11:10 a.m.
  • Published: Sept. 20, 2024, 11:10 a.m.
  • Modified: Sept. 20, 2024, 11:36 a.m.

Indicators

  • fe14edf4db2a9838f15aaf24a5837ffc5c901313d6fd2fe60d15401154e44406
  • fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042
  • da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
  • c3fa9432243e1a2ab1991ab4c07a19392038e6a8e817e5fea0232c4caabbb950
  • c0dc609e6fc8801bb902d14910c3ffd69d6bd5a26389836446dc4c23565ddcc7
  • a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b
  • a052413e65e025cbefdddff6eeae91161de17ffec16d3a741dd9b7c33d392435
  • 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605
  • 596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb
  • 36b61f94bdfc86e736a4ee30718e0b1ee1c07279db079d48d3fe78b1578dbf03
  • 269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd
  • 1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e
  • 2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838
  • f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
  • f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596
  • 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
  • e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d
  • 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb
  • 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb
  • 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c
  • 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7
  • c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0

Attack Patterns

  • ROADSWEEP
  • WINTAPIX
  • BABYWIPER
  • TEMPLELOCK
  • ROTPIPE
  • BASEWALK
  • SASHEYAWAY
  • STAYSHANTE
  • SPARKLOAD
  • FACEFACE
  • TEMPLEDROP
  • TOFUDRV
  • TEMPLEDOOR
  • VIROGREEN
  • OATBOAT
  • TEMPLEPLAY
  • UNC1860

Additional Information

  • Telecommunications
  • Government
  • Albania
  • Iraq
  • Qatar
  • Saudi Arabia
  • Israel

Linked vulnerabilities