Iranian Hackers Introduce New Malware to Target Middle East

How does the attack unfold?

• The ongoing attacks use spear-phishing emails for initial access and publicly available remote access software and offensive security tools for lateral movement and managing access.
• The emails contain job promotion-related lures and deceive victims into clicking a URL to download a RAR archive file hosted on OneHub.
• The archive file contains ScreenConnect, which is used by hackers to gain a foothold on compromised systems.
• The UNC3313 group moves quickly to gain remote access by using ScreenConnect to intrude systems within an hour of initial compromise. Moreover, the group also utilizes the eHorus remote access tool.

The post-infection story

• The attack includes an implant named GRAMDOOR, which uses Telegram API for its network communications with the attacker-controlled server to evade detection and facilitate the exfiltration of data.
• Additionally, a previously unknown backdoor STARWHALE is used in the campaign that uses a Windows Script File to execute and receive commands from a hardcoded C2 server.
• Further stages of attack included escalating privileges, internal reconnaissance on the targeted network, and running obfuscated PowerShell commands to download extra tools and payloads.
• The group used CRACKMAPEXEC, LIGOLO, WMIEXEC, and RDP for lateral movement. For internal reconnaissance WHOAMI, IPCONFIG, and CRACKMAPEXEC were used.

Conclusion