Pierluigi Paganini February 28, 2022

An Iran-linked threat actor, tracked as UNC3313, was observed using two custom backdoor against an unnamed Middle East government entity.

UNC3313 is an Iran-linked threat actor that was linked with “moderate confidence” to the MuddyWater nation-state actor (aka Static Kitten, Seedworm, TEMP.Zagros, or Mercury) by cybersecurity firm Mandiant.

UNC3313 was observed deploying two new custom backdoors, tracked as GRAMDOOR and STARWHALE, as part of an attack against an unnamed government entity in the Middle East in November 2021.

The APT group gained access to the organizations through spear-phishing attacks, it also leveraged publicly available tools to maintain remote access to the target’s environment.

“In November 2021, Mandiant Managed Defense detected and responded to an UNC3313 intrusion at a Middle East government customer. During the investigation, Mandiant identified new targeted malware, GRAMDOOR and STARWHALE, which implement simple backdoor functionalities.” reads the analysis published by Mandiant. “UNC3313 initially gained access to this organization through a targeted phishing email and leveraged modified, open-source offensive security tools to identify accessible systems and move laterally.”

UNC3313 was observed establishing remote access by using ScreenConnect which allowed the group to infiltrate systems within an hour of initial compromise. Mandiant pointed out that it was able to quickly contain and remediate the intrusion.

The phishing messages masqueraded as a job promotion attempted to trick victims into clicking a URL pointing to a RAR archive file hosted on cloud storage service OneHub. The archive contained a Windows Installer .msi file that was used to install ScreenConnect remote access software to establish a foothold

In the successive phases, threat actors escalated privileges, carried out internal reconnaissance, and attempted to download additional tools and payloads by running obfuscated PowerShell commands.

The STARWHALE backdoor is a Windows Script File (.WSF) that executes commands received commands from a hardcoded command-and-control (C2) server. STARWHALE communicates with the C2 server via HTTP.

The second implant discovered by the expert is GRAMDOOR, the comes from its capability to use the Telegram Bot API for communication. 

The backdoor sends and receives messages from a Telegram chat room under the control of the group.

GRAMDOOR is deployed as an NSIS installer and achieved persistence by setting the Windows Run registry key.

The analysis includes Indicators of compromise for this attack.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, UNC3313)

[adrotate banner=”5″]

[adrotate banner=”13″]