UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Common Information
Type Value
UUID cb4438c1-2c0b-46a7-a65a-029c66ff9fa3
Fingerprint 7d8b887125baa5a9
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 19, 2024, 2:05 p.m.
Added to db Sept. 19, 2024, 4:19 p.m.
Last updated Nov. 13, 2024, 7:21 p.m.
Headline UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Title UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Detected Hints/Tags/Attributes 99/4/47
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 158 Malware Analysis, News and Indicators - Latest topics https://malware.news/latest.rss 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details CVE 58
cve-2019-0604
Details Domain 50
cloud.google.com
Details File 1
unc1860-temple-of-oats-fig1.max
Details File 9
-1000x1000.png
Details File 1
unc1860-temple-of-oats-fig2.max
Details File 1
unc1860-temple-of-oats-fig3.max
Details File 3
c:\programdata\1.txt
Details File 1
unc1860-temple-of-oats-fig4.max
Details File 1
unc1860-temple-of-oats-fig5.max
Details File 1
unc1860-temple-of-oats-fig6.max
Details File 1
unc1860-temple-of-oats-fig7.max
Details File 1
unc1860-temple-of-oats-fig8.max
Details File 1
unc1860-temple-of-oats-fig9.max
Details File 125
ntoskrnl.exe
Details md5 2
c517519097bff386dc1784d98ad93f9d
Details md5 2
c57e59314aee7422e626520e495effe0
Details md5 4
b219672bcd60ce9a81b900217b3b5864
Details md5 2
0c93cac9854831da5f761ee98bb40c37
Details md5 2
286bd9c2670215d3cb4790aac4552f22
Details md5 2
b4b1e285b9f666ae7304a456da01545e
Details md5 5
57cd8e220465aa8030755d4009d0117c
Details md5 4
4dd6250eb2d368f500949952eb013964
Details md5 2
8d070a93a45ed8ba6dba6bfbe0d084e7
Details md5 2
caffdb648a0a68cd36694f0f0c7699d7
Details md5 2
d1ce3117060e85247145c82005dda985
Details md5 2
6d3041b89484c273376e5189e190d235
Details md5 2
ff6f16b00c9f36b32cd60fecd4dfc8e9
Details md5 2
a991bdbf1e36d7818d7a340a35a4ea26
Details md5 2
952482949f495fb66e493e441229ae4b
Details sha1 2
3f2fd2dfd27bf3cafcbf0946e308832e11a1d9c1
Details Mandiant Uncategorized Groups 26
UNC1860
Details Microsoft Threat Actor Naming Taxonomy (Groups in development) 17
Storm-0861
Details Threat Actor Identifier - APT 258
APT34
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig1.max-1000x1000.png
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig2.max-1000x1000.png
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig3.max-1000x1000.png
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig4.max-1000x1000.png
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig5.max-1000x1000.png
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig6.max-1000x1000.png
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig7.max-1000x1000.png
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig8.max-1000x1000.png
Details Url 1
https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1860-temple-of-oats-fig9.max-1000x1000.png
Details Url 2
https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks
Details Yara rule 1
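// Detects OBFUSLAY by the byte sequence of its string-decryption routine
// (see `desc`). The rs1 value is 64 hex characters (SHA-256 length) and
// appears to be the reference sample the pattern was taken from.
// The wrapped string literals from the source listing are rejoined here:
// a quoted YARA string may not span lines.
rule M_OBFUSLAY_UNC1860_1 {
	meta:
		desc = "Detects the UNC1860 OBFUSLAY malware by its string decryption method"
		rs1 = "b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651"
	strings:
		// The `??` wildcards follow the 6F / 8D / 28 bytes, which is where a
		// CIL callvirt / newarr / call would carry a per-build metadata token
		// (the 0A / 01 table bytes after them are consistent with that), so this
		// looks like a .NET IL sequence -- confirm against the rs1 sample.
		$a1 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 04 00 38 39 00 00 00 FE 0C 01 00 FE 0C 04 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 04 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 04 00 20 02 00 00 00 58 FE 0E 04 00 FE 0C 04 00 FE 0C 00 00 3F BA FF FF FF FE 0C 01 00 }
	condition:
		// 0x5A4D is "MZ" read little-endian: only the DOS header is checked,
		// not the PE signature at e_lfanew (compare the OATBOAT rule on this
		// page, which checks both). With a single string, `all of them` just
		// requires $a1 to be present anywhere in the file.
		uint16(0) == 0x5A4D and all of them
}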
Details Yara rule 1
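// Detects CRYPTOSLAY by one of two byte-sequence variants of its
// string-decryption routine (see `desc`). rs1 and rs2 are 64 hex characters
// each (SHA-256 length) and appear to be the reference samples for $a1 and
// $a2 respectively. Note that this page's attribute table lists the first 40
// characters of rs1 as a separate "sha1" value; that looks like an extraction
// artifact of the line wrap rather than a distinct hash -- verify before
// using it as an IoC.
// The wrapped string literals from the source listing are rejoined here:
// a quoted YARA string may not span lines.
rule M_APT_CRYPTOSLAY_UNC1860_1 {
	meta:
		desc = "Detects the UNC1860 CRYPTOSLAY malware by its string decryption method"
		rs1 = "3F2FD2DFD27BF3CAFCBF0946E308832E11A1D9C1D98FB04AC848E023E6720F53"
		rs2 = "5c1a42e9baaec115df337d2f4a9dcce8d73f29375921827e367fcba8499cdfa2"
	strings:
		// Same loop shape as the OBFUSLAY rule on this page; the `??` wildcards
		// sit after 6F / 8D / 28, where a CIL callvirt / newarr / call would
		// carry a per-build metadata token -- so this looks like .NET IL,
		// confirm against the reference samples.
		$a1 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 04 00 38 39 00 00 00 FE 0C 01 00 FE 0C 04 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 04 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 04 00 20 02 00 00 00 58 FE 0E 04 00 FE 0C 04 00 FE 0C 00 00 3F BA FF FF FF 28 ?? 00 00 0A }
		// Variant of $a1: the same prefix, but the slot bytes after FE 0E / FE 0C
		// are 06 00 (and 07 00) instead of 04 00, and the trailing bytes differ
		// (FE 04 ... 3A B0 FF FF FF instead of 3F BA FF FF FF 28 ?? 00 00 0A).
		$a2 = { FE 09 00 00 6F ?? 00 00 0A FE 0E 00 00 FE 0C 00 00 20 02 00 00 00 5B 8D ?? 00 00 01 FE 0E 01 00 20 00 00 00 00 FE 0E 06 00 38 39 00 00 00 FE 0C 01 00 FE 0C 06 00 20 02 00 00 00 5B FE 09 00 00 FE 0C 06 00 20 02 00 00 00 6F ?? 00 00 0A 20 10 00 00 00 28 ?? 00 00 0A 9C FE 0C 06 00 20 02 00 00 00 58 FE 0E 06 00 FE 0C 06 00 FE 0C 00 00 FE 04 FE 0E 07 00 FE 0C 07 00 3A B0 FF FF FF }
	condition:
		// 0x5A4D is "MZ" read little-endian (DOS header only, no PE-signature
		// check); either variant is sufficient.
		uint16(0) == 0x5A4D and any of them
}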
Details Yara rule 1
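// Detects the OATBOAT family by two native-code byte patterns positioned
// near the start of the file. The `author = "autopatt"` value and the
// target_set / validation_set / dighash_cov_0 fields suggest this rule was
// machine-generated from a sample corpus; those meta fields are the
// generator's own bookkeeping (sample-selection queries and coverage data)
// and are not used by the condition.
// The wrapped string literals from the source listing are rejoined here:
// a quoted YARA string may not span lines.
rule M_Autopatt_DropperMemonly_OATBOAT_1 {
	meta:
		author = "autopatt"
		description = "oatboat malware family"
		created = "02/09/2024"
		modified = "02/09/2024"
		version = "1.0"
		// 64 hex characters (SHA-256 length); presumably the sample the
		// patterns were validated against.
		test_hash = "6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605"
		filetypes = "exe,dll"
		dighash_cov_0 = "[[\"10a0654cddaedc8bfee4\", 3], [\"aa6b664471b41b27e9a8\", 3]]"
		// The `-pe:framework=dotnet` term in the queries below excludes .NET
		// binaries from the generator's sample set, consistent with the native
		// x64-looking byte patterns in the strings section.
		target_set = "filemd5 +code(\"oatboat\")  ;; +filemime=\"application/x-dosexec\" -pe:framework=dotnet +limit(2000)"
		target_set_size = 7
		validation_set = "filemd5 +code(\"oatboat\"); filemd5 +sig(\"mal.oatboat\")  ;; +filemime=\"application/x-dosexec\" -pe:framework=dotnet +limit(2000)"
		validation_set_approx_size = 9
	strings:
		// Looks like an x64 function prologue (48 89 7C 24 ?? = mov [rsp+N],rdi;
		// 55 48 8B EC = push rbp / mov rbp,rsp). `??` masks a single byte and
		// `[5]` skips exactly five bytes (the displacement+immediate of the
		// C7 45 mov that precedes it) -- confirm against test_hash.
		$p00_0 = { 48 89 7C 24 ?? 55 48 8B EC 48 83 EC ?? 48 8B F9 C7 45 [5] 33 DB C7 45 [5] 48 8D 4D }
		$p00_1 = { 44 3A C9 75 ?? 48 FF C6 48 83 C3 ?? 49 3B F3 72 ?? 49 8B 42 ?? 48 85 C0 75 }
	condition:
		// MZ magic, then the "PE\0\0" signature at the offset stored in
		// e_lfanew (0x3C). Both patterns must fall within the first few KB
		// of the file ($p00_0 at offset 250..6500, $p00_1 at 0..6000), which
		// limits false positives from the generic prologue bytes in $p00_0.
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (250 .. 6500) and $p00_1 in (0 .. 6000)))
}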
Details Yara rule 1
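// Detects the SASHEYAWAY webshell loader by a set of plain-text strings
// (see `desc`). rs1 is 64 hex characters (SHA-256 length) and appears to be
// the reference sample. The wrapped rs1 literal from the source listing is
// rejoined here: a quoted YARA string may not span lines.
rule SASHEYAWAY_Strings_1 {
	meta:
		desc = "Strings observed in the webshell loader"
		rs1 = "2538767f13218503bccf31fccb74e7531994b69a36a3780b53ba5020d938af20"
	strings:
		// Anonymous strings: an ASP.NET C# page directive plus the .NET
		// reflection names one would expect in a page that decodes a base64
		// blob and loads/invokes it as an assembly. Each string on its own is
		// a common .NET identifier, so the rule relies on all of them
		// co-occurring; treat hits on legitimate plugin-loading pages as
		// possible false positives and review the page source.
		$ = "FromBase64String"
		$ = "Page Language=\"C#\""
		$ = "private static System.Reflection.Assembly"
		$ = "Page_Load"
		$ = "System.Reflection.MethodInfo"
		$ = "Activator.CreateInstance"
		$ = "Invoke"
	condition:
		// No file-type anchor (webshell source is text, not PE); all seven
		// strings must be present.
		all of them
}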