UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks | Google Cloud Blog
Common Information
Type Value
UUID c7b22a23-05ac-401f-b350-63b8154af5d5
Fingerprint 7d83887125baa5a9
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 19, 2024, midnight
Added to db Sept. 19, 2024, 4:15 p.m.
Last updated Nov. 13, 2024, 7:21 p.m.
Headline UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Title UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks | Google Cloud Blog
Detected Hints/Tags/Attributes 100/4/26
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 99 Cyware News - Latest Cyber News https://cyware.com/allnews/feed 2024-08-30 22:08
Details 330 Threat Intelligence https://www.mandiant.com/resources/blog/rss.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details CVE 58
cve-2019-0604
Details File 3
c:\programdata\1.txt
Details File 125
ntoskrnl.exe
Details md5 2
c517519097bff386dc1784d98ad93f9d
Details md5 2
c57e59314aee7422e626520e495effe0
Details md5 4
b219672bcd60ce9a81b900217b3b5864
Details md5 2
0c93cac9854831da5f761ee98bb40c37
Details md5 2
286bd9c2670215d3cb4790aac4552f22
Details md5 2
b4b1e285b9f666ae7304a456da01545e
Details md5 5
57cd8e220465aa8030755d4009d0117c
Details md5 4
4dd6250eb2d368f500949952eb013964
Details md5 2
8d070a93a45ed8ba6dba6bfbe0d084e7
Details md5 2
caffdb648a0a68cd36694f0f0c7699d7
Details md5 2
d1ce3117060e85247145c82005dda985
Details md5 2
6d3041b89484c273376e5189e190d235
Details md5 2
ff6f16b00c9f36b32cd60fecd4dfc8e9
Details md5 2
a991bdbf1e36d7818d7a340a35a4ea26
Details md5 2
952482949f495fb66e493e441229ae4b
Details sha1 2
3f2fd2dfd27bf3cafcbf0946e308832e11a1d9c1
Details Mandiant Uncategorized Groups 26
UNC1860
Details Microsoft Threat Actor Naming Taxonomy (Groups in development) 17
Storm-0861
Details Threat Actor Identifier - APT 258
APT34
Details Yara rule 1
rule M_OBFUSLAY_UNC1860_1 {
	meta:
		desc = "Detects the UNC1860 OBFUSLAY malware by its 
string decryption method"
		rs1 = "b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2
e4062cd1a01ad6b3e47651"
	strings:
		$a1 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 04 00 38 39 00 00 00 FE 0C 01 00 FE 0C 04 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 04 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 04 00 20 02 00 00 00 58 FE 0E 04 00 FE 0C 04 00 FE 0C 00 00 3F BA FF FF FF FE 0C 01 00 }
	condition:
		uint16(0) == 0x5A4D and all of them
}
Details Yara rule 1
rule M_APT_CRYPTOSLAY_UNC1860_1 {
	meta:
		desc = "Detects the UNC1860 CRYPTOSLAY malware by its 
string decryption method"
		rs1 = "3F2FD2DFD27BF3CAFCBF0946E308832E11A1D9C1
D98FB04AC848E023E6720F53"
		rs2 = "5c1a42e9baaec115df337d2f4a9dcce8d73f29375921
827e367fcba8499cdfa2"
	strings:
		$a1 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 04 00 38 39 00 00 00 FE 0C 01 00 FE 0C 04 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 04 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 04 00 20 02 00 00 00 58 FE 0E 04 00 FE 0C 04 00 FE 0C 00 00 3F BA FF FF FF 28 ?? 00 00 0A }
		$a2 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 06 00 38 39 00 00 00 FE 0C 01 00 FE 0C 06 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 06 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 06 00 20 02 00 00 00 58 FE 0E 06 00 FE 0C 06 00 FE 0C 00 00 FE 04 FE 0E 07 00 FE 0C 07 00 3A B0 FF FF FF }
	condition:
		uint16(0) == 0x5A4D and any of them
}
Details Yara rule 1
rule M_Autopatt_DropperMemonly_OATBOAT_1 {
	meta:
		author = "autopatt"
		description = "oatboat malware family"
		created = "02/09/2024"
		modified = "02/09/2024"
		version = "1.0"
		test_hash = "6f0a38c9eb9171cd323b0f599b74ee571
620bc3f34aa07435e7c5822663de605"
		filetypes = "exe,dll"
		dighash_cov_0 = "[[\"10a0654cddaedc8bfee4\", 3], 
[\"aa6b664471b41b27e9a8\", 3]]"
		target_set = "filemd5 +code(\"oatboat\")  
;; +filemime=\"application/x-dosexec\" -pe:framework=dotnet +limit(2000)"
		target_set_size = 7
		validation_set = "filemd5 +code(\"oatboat\"); filemd5 
+sig(\"mal.oatboat\")  ;; +filemime=\"application/x-dosexec\" 
-pe:framework=dotnet +limit(2000)"
		validation_set_approx_size = 9
	strings:
		$p00_0 = { 48 89 7C 24 ?? 55 48 8B EC 48 83 EC ?? 48 8B F9 C7 45 [5] 33 DB C7 45 [5] 48 8D 4D }
		$p00_1 = { 44 3A C9 75 ?? 48 FF C6 48 83 C3 ?? 49 3B F3 72 ?? 49 8B 42 ?? 48 85 C0 75 }
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (250 .. 6500) and $p00_1 in (0 .. 6000)))
}
Details Yara rule 1
rule SASHEYAWAY_Strings_1 {
	meta:
		desc = "Strings observed in the webshell loader"
		rs1 = "2538767f13218503bccf31fccb74e753199
4b69a36a3780b53ba5020d938af20"
	strings:
		$ = "FromBase64String"
		$ = "Page Language=\"C#\""
		$ = "private static System.Reflection.Assembly"
		$ = "Page_Load"
		$ = "System.Reflection.MethodInfo"
		$ = "Activator.CreateInstance"
		$ = "Invoke"
	condition:
		all of them
}