Google-owned cybersecurity firm Mandiant has shed some light on the operations of UNC1860, an Iranian threat actor believed to serve as an initial access provider to high-profile targets in the Middle East. According to Mandiant, the group is known for exploiting vulnerable internet-facing servers to breach networks and maintain long-term access, specifically targeting governmental and telecommunications sectors.
UNC1860 acts as an entry point for other threat actors such as APT34, which is suspected of collaborating with the group. Once UNC1860 establishes a foothold, typically by deploying web shells on compromised servers, it uses an array of stealthy utilities and implants that enable the threat actors to dig into the victim’s network.
The group employs malware such as StayShante and SasheyAway, which are used to install more sophisticated backdoors like TempleDoor, FaceFace, and SparkLoad. TempleDoor, for instance, is a passive backdoor that gives attackers prolonged, undetected access to compromised networks. TemplePlay, another tool in the group's arsenal, acts as a controller for TempleDoor, allowing attackers to reach target servers that are not directly connected to the internet.
Mandiant’s findings suggest that UNC1860's tools are specifically designed to assist other hacking groups, with the APT acting as an initial access agent for broader operations. This collaboration is underscored by the group’s use of GUI-operated malware controllers such as TemplePlay and ViroGreen, which enable remote access via RDP and allow external teams to control previously installed malware.
Additionally, UNC1860’s tactics extend beyond basic web shell deployments. Their use of custom-built frameworks, such as ViroGreen, and specialized droppers allows them to maintain a significant operational advantage. SasheyAway, in particular, has a low detection rate, making it a preferred tool for embedding passive backdoors like FaceFace and SparkLoad.
“These implants demonstrate the group’s keen understanding of the Windows operating system (OS) and network detection solutions, reverse engineering capabilities of Windows kernel components, and detection evasion capabilities,” Mandiant noted.