Pages

Thursday, September 19, 2024

2024-09-19 UNC1860 Iran APT - Temple of Oats ( OATBOAT, TEMPLEDOOR, SASHEYAWAY, OBFUSLAY, WINTAPIX, CRYPTOSLAY) Samples


 2024-09-19 Mandiant: UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

UNC1860 is an Iranian state-sponsored threat actor, likely affiliated with the Ministry of Intelligence and Security (MOIS), known for its persistent and stealthy operations. It employs a variety of specialized tools, passive backdoors, and custom utilities to target high-priority networks, such as government and telecommunications entities in the Middle East.

Passive Implants: UNC1860 relies on custom-made passive backdoors like TOFULOAD and WINTAPIX, which leverage undocumented Input/Output Control (IOCTL) commands for communication, bypassing standard detection mechanisms used by EDR systems. These implants operate without initiating outbound traffic, making them difficult to detect through traditional network monitoring tools.

Windows Kernel Driver: UNC1860 repurposed a legitimate Iranian antivirus kernel mode driver, Sheed AV, for stealthy persistence. This driver is used in TEMPLEDROP, a passive backdoor that protects its own files and other malware it deploys, preventing modification and enhancing its evasion capabilities.

Obfuscation and Encryption: The group implements custom XOR encryption and Base64 encoding/decoding libraries to avoid detection. For example, XORO, a rolling encryption module (MD5: 57cd8e220465aa8030755d4009d0117c), is used in several utilities such as TANKSHELL and TEMPLEPLAY. These encryption methods, although simple, are tailored to evade standard detection signatures.

TEMPLEPLAY and VIROGREEN Controllers: These GUI-operated malware controllers allow UNC1860 or third-party actors to manage compromised systems easily. They provide features such as:

Command execution via the Command Prompt Tab.

File transfer through Upload and Download Tabs.

Using infected systems as middleboxes through the Http Proxy Tab, facilitating RDP connections even in restricted environments.

Web Shells and Droppers: Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved. These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.

Multi-stage Implants: UNC1860 maintains a suite of "main-stage" implants with advanced capabilities, reserved for high-value targets. These implants, such as TOFULOAD and TEMPLEDROP, demonstrate the group's deep understanding of Windows kernel components and its ability to bypass security measures like kernel protections.

Reverse Engineering and Evasion: UNC1860 exhibits strong reverse engineering skills, especially evident in their repurposing of legitimate software like Windows file system filter drivers. This allows the group to manipulate system components for stealthy operations, using advanced evasion techniques like terminating Windows Event Log service threads and restarting them as needed.

Download
File Information
  • ├── ALL_LISTED
  • │   └── 
  • │       ├── 0969f7f5556e3babd7050308a29fa2987dce01b3c94959724c9cd49bce052d80
  • │       ├── 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb
  • │       ├── 1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e
  • │       ├── 159eecbba87a7397a5b84a21c289ae66ec776a3fd3b41bf11549fb621afebc0a
  • │       ├── 1786916c1e3b16ce654497861fe43bb595ea0f0fa0fad4cd62f3edc82f9a27d4
  • │       ├── 1c57b1ed990a8946e86d69da2a047fa15525d883b86e93cb6444a4065dbad362
  • │       ├── 2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838
  • │       ├── 23a9abed7c4a76a5cacf1e984ecf3cce91c3c1bbf4424c4b2ee141b4154c3703
  • │       ├── 2538767f13218503bccf31fccb74e7531994b69a36a3780b53ba5020d938af20
  • │       ├── 269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd
  • │       ├── 3269de107e436a75a8308377709dc49b4893cfd137a3fc5b92d0f0590af4cb12
  • │       ├── 359d826ff025c5e4971d90be0d7dfebe10fc125f6dcaa2f0e9869e9f6bec4432
  • │       ├── 36b61f94bdfc86e736a4ee30718e0b1ee1c07279db079d48d3fe78b1578dbf03
  • │       ├── 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7
  • │       ├── 58cb1ef132fbdd1855f75c2886666275d1bb75a9fb3fed88d05feee4230afd32
  • │       ├── 59463257c3f2425109fd097f814b6468663df947de8178c8cd7b7c5e94d3375c
  • │       ├── 596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb
  • │       ├── 5cb88ec4eca35c41dbf32218c0f031e75e4c24a17cabe9eea2aa06efa5982967
  • │       ├── 67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542
  • │       ├── 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605
  • │       ├── 6f938caeefa0aea3b8301e07bf918a49408cd319187d05ac519b20a00f460469
  • │       ├── 71106875c37bf5b92ef25c7bc1d607ae349aa85bbb2e92a39165a8a8f8f6eb0e
  • │       ├── 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c
  • │       ├── 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4
  • │       ├── 7a1fee8d879bc16e63d05c79c5419bd19ee308c54831d7ee196cfa8281498a06
  • │       ├── 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
  • │       ├── 8e4f7a19b09e118ebda79726bf17e9d37ff4b66f4143762dd97ca80340388963
  • │       ├── 8fdd00243ba68cadd175af0cbaf860218e08f42e715a998d6183d7c7462a3b5b
  • │       ├── 90b3f7fefe8e11b8eacaba09a3c14ed6aa66a4c8d798440d912d0a663917a265
  • │       ├── 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb
  • │       ├── 9483f5eb9133c353cef636ef9fcc29e2c7bf658881574211ee142c93c523efaf
  • │       ├── a052413e65e025cbefdddff6eeae91161de17ffec16d3a741dd9b7c33d392435
  • │       ├── a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b
  • │       ├── a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
  • │       ├── a650a90c1b505989b7e81bfb310d7e2013a380ab26f99622de158c58b1d0fbbf
  • │       ├── ac7b01e01de0dc289cd649aa5072243f2036bd8d2d0152b6d9874c2ccaaf1e5d
  • │       ├── b65bcba449d74e4395421aeb4012c9e509acb5e8153ff3dc9f01fd97a5cc2711
  • │       ├── b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651
  • │       ├── ba3efa7d61e79cf62eeb0c65e803a6353f3012a89e0d910c2292801da43c8a93
  • │       ├── c0dc609e6fc8801bb902d14910c3ffd69d6bd5a26389836446dc4c23565ddcc7
  • │       ├── c3fa9432243e1a2ab1991ab4c07a19392038e6a8e817e5fea0232c4caabbb950
  • │       ├── c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0
  • │       ├── ce59bbe3ef7e16423718de50639d2278eab9c1f08f998677ba6fbd36695f316a
  • │       ├── da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
  • │       ├── daa362f070ba121b9a2fa3567abc345edcde33c54cabefa71dd2faad78c10c33
  • │       ├── e17510e9fad082426920e6e6d94df7c1314ecc3ab041aa8e19d18140f5a0cc21
  • │       ├── e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d
  • │       ├── e26fbbeea2e152b3769126714c52112d04c4f2310461fb842bf2532e7903ce51
  • │       ├── e416fc85dbeefdff0f172b406c2f1fcdb90a895fa99c4eb66bcbe5c159f07b82
  • │       ├── e579a55f5415f891095a7488e2dd250da7f2ccadc27c3d1280f13fea4263a97b
  • │       ├── e984b40c4c6909813ed9f0ea5de8f4f7cac40f0e8b9fb5041f4a568e307e5712
  • │       ├── eafb31f3ab90246d099e58f5fb950f58effa583f1e3caabc451dfabaf0d200e1
  • │       ├── ed3745f82c7873adca16833b718e20090ac6a8c74e7004b854af29ef1551de75
  • │       ├── f42ebd85c4d0ab6573a856049ac9c892c037a0ec8f39e54153dd439616883390
  • │       ├── f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596
  • │       ├── f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
  • │       ├── fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042
  • │       ├── fe14edf4db2a9838f15aaf24a5837ffc5c901313d6fd2fe60d15401154e44406
  • │       ├── ff51aa6cad655ddd99a525b78419cd746453fb2adcb689ba34ca3ab6e78b1347
  • │       └── ffb6acd2715dd988fe3c3fdbd7d45159f8e5b529eea506a856109a8696e93a80
  • ├── OATBOAT
  • │   ├── 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb_ file.None.0xfffffa80237c4010.img_OATBOAT with TOFULOAD shellcode
  • │   ├── 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7_systemre.exe_OATBOAT with TOFULOAD shellcode
  • │   ├── 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605_CyveraConsole.exe_OATBOAT that contains encrypted shellcode of TOFULOAD
  • │   ├── 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c_ cct.exe_OATBOAT with TOFULOAD shellcode
  • │   ├── 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb_ wlbsctrl.dll_OATBOAT loading shellcode
  • │   ├── a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b_CyveraConsole.exe_OATBOAT that contains encrypted shellcode of TOFULOAD
  • │   ├── c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0_OATBOAT that contains an encrypted TOFULOAD_dll_
  • │   └── e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d_CyveraConsole.exe_OATBOAT that contains encrypted TOFUPIPE shellcode
  • ├── SHEED AV
  • │   └── b25455b3f51c0ca0bf5014d043e05fe8ab7621a465677a17390fbc47e4ffbc2f_get-graphics-offsets32.exe_
  • ├── TEMPLEDOOR
  • │   ├── 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4_System.dll_
  • │   ├── 86279d261e8bbb74f739de8f9755551dbcb32fafa41401a484ed2ea59742604e_System.dll_
  • │   └── b25455b3f51c0ca0bf5014d043e05fe8ab7621a465677a17390fbc47e4ffbc2f_Templedoor certificate
  • └── XORO
  •     ├── 269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd_EncryptionModule

    Yara Rules Hits on the Samples listed above: 
    M_UNC1860_TEMPLEDOOR_BytePatterns_1 TEMPLEDOOR 86279d261e8bbb74f739de8f9755551dbcb32fafa41401a484ed2ea59742604e_System.dll_
    M_UNC1860_TEMPLEDOOR_BytePatterns_1 TEMPLEDOOR 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4_System.dll_
    SASHEYAWAY_Strings_1 a650a90c1b505989b7e81bfb310d7e2013a380ab26f99622de158c58b1d0fbbf
    M_UNC1860_TEMPLEDOOR_BytePatterns_1 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4
    M_OBFUSLAY_UNC1860_1 e17510e9fad082426920e6e6d94df7c1314ecc3ab041aa8e19d18140f5a0cc21
    M_OBFUSLAY_UNC1860_1 fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042
    SASHEYAWAY_Strings_1 9483f5eb9133c353cef636ef9fcc29e2c7bf658881574211ee142c93c523efaf
    SASHEYAWAY_Strings_1 67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542
    SASHEYAWAY_Strings_1 8e4f7a19b09e118ebda79726bf17e9d37ff4b66f4143762dd97ca80340388963
    M_Hunting_Backdoor_TOFULOAD_1 e26fbbeea2e152b3769126714c52112d04c4f2310461fb842bf2532e7903ce51
    M_Autopatt_DropperMemonly_WINTAPIX_1 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
    M_OBFUSLAY_UNC1860_1 59463257c3f2425109fd097f814b6468663df947de8178c8cd7b7c5e94d3375c
    M_APT_CRYPTOSLAY_UNC1860_1 1c57b1ed990a8946e86d69da2a047fa15525d883b86e93cb6444a4065dbad362
    M_Hunting_Backdoor_TOFULOAD_1 da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
    SASHEYAWAY_Strings_1 58cb1ef132fbdd1855f75c2886666275d1bb75a9fb3fed88d05feee4230afd32
    SASHEYAWAY_Strings_1 ac7b01e01de0dc289cd649aa5072243f2036bd8d2d0152b6d9874c2ccaaf1e5d
    M_WINTAPIX_StringDecodingMethod_1 a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
    M_WINTAPIX_PaddedStrings_1 a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
    SASHEYAWAY_Strings_1 2538767f13218503bccf31fccb74e7531994b69a36a3780b53ba5020d938af20
    M_OBFUSLAY_UNC1860_1 ba3efa7d61e79cf62eeb0c65e803a6353f3012a89e0d910c2292801da43c8a93
    M_OBFUSLAY_UNC1860_1 b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651
    M_OBFUSLAY_UNC1860_1 159eecbba87a7397a5b84a21c289ae66ec776a3fd3b41bf11549fb621afebc0a
    M_OBFUSLAY_UNC1860_1 ce59bbe3ef7e16423718de50639d2278eab9c1f08f998677ba6fbd36695f316a
    SASHEYAWAY_Strings_1 b65bcba449d74e4395421aeb4012c9e509acb5e8153ff3dc9f01fd97a5cc2711
    SASHEYAWAY_Strings_1 ed3745f82c7873adca16833b718e20090ac6a8c74e7004b854af29ef1551de75
    M_WINTAPIX_StringDecodingMethod_1 f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
    M_WINTAPIX_PaddedStrings_1 f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
Malware Repo Links
    Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.

1 comment:

  1. Hi, could you please search for viruses from the DarkShades family?
    It would be interesting to read about them and see his samples!

    ReplyDelete