An Iran-supported threat actor has been observed deploying two malware threats, GRAMDOOR and STARWHALE, against an unnamed Middle East government and tech entities. The malware, first used in November 2021, comes with simple backdoor features.

How does the attack unfold?

Security firm Mandiant has associated the recent attack with an unclassified cluster of activity tracked as UNC3313. UNC3313 carries out surveillance and gathers strategic information to support Iranian decision-making and interests.
  • The ongoing attacks use spear-phishing emails for initial access and publicly available remote access software and offensive security tools for lateral movement and managing access.
  • The emails contain job promotion-related lures and deceive victims into clicking a URL to download a RAR archive file hosted on OneHub.
  • The archive file contains ScreenConnect, which is used by hackers to gain a foothold on compromised systems.
  • The UNC3313 group moves quickly to gain remote access, using ScreenConnect to infiltrate systems within an hour of initial compromise. The group also utilizes the eHorus remote access tool.

The post-infection story

After the initial foothold, the attackers use several additional tools and tactics.
  • The attack includes an implant named GRAMDOOR, which uses the Telegram API for its network communications with the attacker-controlled server to evade detection and facilitate the exfiltration of data.
  • Additionally, a previously unknown backdoor, STARWHALE, is used in the campaign. It uses a Windows Script File to receive and execute commands from a hardcoded C2 server.
  • Further stages of attack included escalating privileges, internal reconnaissance on the targeted network, and running obfuscated PowerShell commands to download extra tools and payloads.
  • The group used CRACKMAPEXEC, LIGOLO, WMIEXEC, and RDP for lateral movement. For internal reconnaissance, WHOAMI, IPCONFIG, and CRACKMAPEXEC were used.
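
A hunting check for the Telegram-based C2 channel described above, added here as an example and not taken from Mandiant's report, IOCs or YARA rules: it scans DNS query records for processes other than approved Telegram clients resolving the Telegram API host. The record field names, the allowlist and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

TELEGRAM_API_HOSTS = {"api.telegram.org"}  # public Telegram Bot API endpoint
ALLOWED_IMAGES = {"telegram.exe"}          # assumption: approved clients only

# Constructed sample records (JSON lines); not real telemetry or IOCs.
SAMPLE_LOG = r"""
{"time":"2022-01-10T08:01:12Z","host":"WS-014","image":"C:\\Program Files\\Telegram Desktop\\Telegram.exe","query":"api.telegram.org"}
{"time":"2022-01-10T09:14:03Z","host":"SRV-DB02","image":"C:\\Users\\Public\\svc_helper.exe","query":"api.telegram.org"}
{"time":"2022-01-10T09:19:03Z","host":"SRV-DB02","image":"C:\\Users\\Public\\svc_helper.exe","query":"API.Telegram.org."}
{"time":"2022-01-10T09:30:40Z","host":"WS-020","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","query":"web.telegram.org"}
{"time":"2022-01-10T09:31:
"""

def find_unexpected_telegram_clients(log_text):
    """Return {(host, image): [timestamps]} for processes outside the
    allowlist that resolved a Telegram API hostname."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or corrupt records
        # Normalise case and a trailing root dot before comparing.
        query = event.get("query", "").lower().rstrip(".")
        if query not in TELEGRAM_API_HOSTS:
            continue
        image = event.get("image", "")
        # File-name matching alone is defeated by renaming a binary;
        # pair it with signer or install-path checks in production.
        if PureWindowsPath(image).name.lower() in ALLOWED_IMAGES:
            continue
        hits[(event.get("host", "?"), image)].append(event.get("time", "?"))
    return dict(hits)

if __name__ == "__main__":
    for (host, image), times in find_unexpected_telegram_clients(SAMPLE_LOG).items():
        print(f"{host}: {image} queried the Telegram API {len(times)}x, first {times[0]}")
```

Servers and other hosts with no business reason to reach Telegram are the highest-value hits; browser traffic to the web client is deliberately out of scope here.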

Conclusion

The use of the Telegram API for C2, legitimate remote access software, and publicly available tools shows the effort put in by the UNC3313 group to stay hidden. To stay protected, organizations are advised to use the provided IOCs for better and faster detection. The security firm has also provided YARA rules to identify malware patterns.

Cyware Publisher
