Security Affairs
Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Iran-linked UNC3313 APT employed two custom backdoors against a Middle East gov entity

An Iran-linked threat actor, tracked as UNC3313, was observed using two custom backdoor against an unnamed Middle East government entity. UNC3313 is an Iran-linked threat actor that was linked with “moderate confidence” to the MuddyWater nation-state actor (aka Static Kitten, Seedworm, TEMP.Zagros, or Mercury) by cybersecurity firm Mandiant. UNC3313 was observed deploying two new custom […]

UNC3313

An Iran-linked threat actor, tracked as UNC3313, was observed using two custom backdoor against an unnamed Middle East government entity.

UNC3313 is an Iran-linked threat actor that was linked with “moderate confidence” to the MuddyWater nation-state actor (aka Static Kitten, Seedworm, TEMP.Zagros, or Mercury) by cybersecurity firm Mandiant.

UNC3313 was observed deploying two new custom backdoors, tracked as GRAMDOOR and STARWHALE, as part of an attack against an unnamed government entity in the Middle East in November 2021.

The APT group gained access to the organizations through spear-phishing attacks, it also leveraged publicly available tools to maintain remote access to the target’s environment.

“In November 2021, Mandiant Managed Defense detected and responded to an UNC3313 intrusion at a Middle East government customer. During the investigation, Mandiant identified new targeted malware, GRAMDOOR and STARWHALE, which implement simple backdoor functionalities.” reads the analysis published by Mandiant. “UNC3313 initially gained access to this organization through a targeted phishing email and leveraged modified, open-source offensive security tools to identify accessible systems and move laterally.”

UNC3313 was observed establishing remote access by using ScreenConnect which allowed the group to infiltrate systems within an hour of initial compromise. Mandiant pointed out that it was able to quickly contain and remediate the intrusion.

The phishing messages masqueraded as a job promotion attempted to trick victims into clicking a URL pointing to a RAR archive file hosted on cloud storage service OneHub. The archive contained a Windows Installer .msi file that was used to install ScreenConnect remote access software to establish a foothold

In the successive phases, threat actors escalated privileges, carried out internal reconnaissance, and attempted to download additional tools and payloads by running obfuscated PowerShell commands.

The STARWHALE backdoor is a Windows Script File (.WSF) that executes commands received commands from a hardcoded command-and-control (C2) server. STARWHALE communicates with the C2 server via HTTP.

The second implant discovered by the expert is GRAMDOOR, the comes from its capability to use the Telegram Bot API for communication. 

The backdoor sends and receives messages from a Telegram chat room under the control of the group.

GRAMDOOR is deployed as an NSIS installer and achieved persistence by setting the Windows Run registry key.

UNC3313

The analysis includes Indicators of compromise for this attack.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UNC3313)

[adrotate banner=”5″]

[adrotate banner=”13″]