2024-09-19 UNC1860伊朗APT组织 - Temple of Oats(OATBOAT、TEMPLEDOOR、SASHEYAWAY、OBFUSLAY、WINTAPIX、CRYPTOSLAY)样本分析
威胁组织概述
UNC1860是一个伊朗国家支持的威胁行为者,很可能隶属于情报与安全部(MOIS),以其持久且隐秘的操作而闻名。该组织采用各种专门工具、被动后门和自定义实用程序来攻击高优先级网络,如中东地区的政府和电信实体。
技术能力分析
被动植入程序
UNC1860依赖定制被动后门,如TOFULOAD和WINTAPIX,这些后门利用未记录的输入/输出控制(IOCTL)命令进行通信,绕过了EDR系统使用的标准检测机制。这些植入程序在运行时不发起出站流量,使得通过传统网络监控工具难以检测。
Windows内核驱动
UNC1860重新利用了一个合法的伊朗防病毒内核模式驱动程序Sheed AV来实现隐秘持久化。该驱动程序用于TEMPLEDROP被动后门,保护其自身文件和其他部署的恶意软件,防止修改并增强其规避能力。
混淆和加密技术
该组织实施自定义XOR加密和Base64编码/解码库以避免检测。例如,XORO(一个滚动加密模块,MD5:57cd8e220465aa8030755d4009d0117c)在多个实用程序中使用,如TANKSHELL和TEMPLEPLAY。这些加密方法虽然简单,但经过定制以规避标准检测签名。
TEMPLEPLAY和VIROGREEN控制器
这些GUI操作的恶意软件控制器允许UNC1860或第三方行为者轻松管理受感染系统。它们提供以下功能:
- 通过命令提示符选项卡执行命令
- 通过上传和下载选项卡进行文件传输
- 通过Http代理选项卡将受感染系统用作中间盒,即使在受限环境中也能促进RDP连接
Web Shell和投放器
在获得初始访问权限后,经常部署如STAYSHANTE和SASHEYAWAY等Web Shell。这些Shell通过部署完整的被动后门(如TEMPLEDOOR和FACEFACE)实现进一步持久化,这些后门可以执行命令、传输文件并与系统服务交互。
多阶段植入程序
UNC1860维护一套具有高级功能的"主阶段"植入程序,保留给高价值目标。这些植入程序,如TOFULOAD和TEMPLEDROP,展示了该组织对Windows内核组件的深入理解以及绕过内核保护等安全措施的能力。
逆向工程和规避技术
UNC1860展现出强大的逆向工程技能,特别是在重新利用合法软件(如Windows文件系统过滤器驱动程序)方面尤为明显。这使得该组织能够操纵系统组件进行隐秘操作,使用高级规避技术,如终止Windows事件日志服务线程并在需要时重新启动它们。
样本下载
下载 如需密码方案,请通过电子邮件联系我。
文件信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
├── ALL_LISTED
│ └──
│ ├── 0969f7f5556e3babd7050308a29fa2987dce01b3c94959724c9cd49bce052d80
│ ├── 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb
│ ├── 1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e
│ ├── 159eecbba87a7397a5b84a21c289ae66ec776a3fd3b41bf11549fb621afebc0a
│ ├── 1786916c1e3b16ce654497861fe43bb595ea0f0fa0fad4cd62f3edc82f9a27d4
│ ├── 1c57b1ed990a8946e86d69da2a047fa15525d883b86e93cb6444a4065dbad362
│ ├── 2097320e71990865f04b9484858d279875cf5c66a5f6d12c819a34e2385da838
│ ├── 23a9abed7c4a76a5cacf1e984ecf3cce91c3c1bbf4424c4b2ee141b4154c3703
│ ├── 2538767f13218503bccf31fccb74e7531994b69a36a3780b53ba5020d938af20
│ ├── 269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd
│ ├── 3269de107e436a75a8308377709dc49b4893cfd137a3fc5b92d0f0590af4cb12
│ ├── 359d826ff025c5e4971d90be0d7dfebe10fc125f6dcaa2f0e9869e9f6bec4432
│ ├── 36b61f94bdfc86e736a4ee30718e0b1ee1c07279db079d48d3fe78b1578dbf03
│ ├── 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7
│ ├── 58cb1ef132fbdd1855f75c2886666275d1bb75a9fb3fed88d05feee4230afd32
│ ├── 59463257c3f2425109fd097f814b6468663df947de8178c8cd7b7c5e94d3375c
│ ├── 596b2a90c1590eaf704295a2d95aae5d2fec136e9613e059fd37de4b02fd03bb
│ ├── 5cb88ec4eca35c41dbf32218c0f031e75e4c24a17cabe9eea2aa06efa5982967
│ ├── 67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542
│ ├── 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605
│ ├── 6f938caeefa0aea3b8301e07bf918a49408cd319187d05ac519b20a00f460469
│ ├── 71106875c37bf5b92ef25c7bc1d607ae349aa85bbb2e92a39165a8a8f8f6eb0e
│ ├── 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c
│ ├── 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4
│ ├── 7a1fee8d879bc16e63d05c79c5419bd19ee308c54831d7ee196cfa8281498a06
│ ├── 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
│ ├── 8e4f7a19b09e118ebda79726bf17e9d37ff4b66f4143762dd97ca80340388963
│ ├── 8fdd00243ba68cadd175af0cbaf860218e08f42e715a998d6183d7c7462a3b5b
│ ├── 90b3f7fefe8e11b8eacaba09a3c14ed6aa66a4c8d798440d912d0a663917a265
│ ├── 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb
│ ├── 9483f5eb9133c353cef636ef9fcc29e2c7bf658881574211ee142c93c523efaf
│ ├── a052413e65e025cbefdddff6eeae91161de17ffec16d3a741dd9b7c33d392435
│ ├── a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b
│ ├── a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
│ ├── a650a90c1b505989b7e81bfb310d7e2013a380ab26f99622de158c58b1d0fbbf
│ ├── ac7b01e01de0dc289cd649aa5072243f2036bd8d2d0152b6d9874c2ccaaf1e5d
│ ├── b65bcba449d74e4395421aeb4012c9e509acb5e8153ff3dc9f01fd97a5cc2711
│ ├── b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651
│ ├── ba3efa7d61e79cf62eeb0c65e803a6353f3012a89e0d910c2292801da43c8a93
│ ├── c0dc609e6fc8801bb902d14910c3ffd69d6bd5a26389836446dc4c23565ddcc7
│ ├── c3fa9432243e1a2ab1991ab4c07a19392038e6a8e817e5fea0232c4caabbb950
│ ├── c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0
│ ├── ce59bbe3ef7e16423718de50639d2278eab9c1f08f998677ba6fbd36695f316a
│ ├── da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
│ ├── daa362f070ba121b9a2fa3567abc345edcde33c54cabefa71dd2faad78c10c33
│ ├── e17510e9fad082426920e6e6d94df7c1314ecc3ab041aa8e19d18140f5a0cc21
│ ├── e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d
│ ├── e26fbbeea2e152b3769126714c52112d04c4f2310461fb842bf2532e7903ce51
│ ├── e416fc85dbeefdff0f172b406c2f1fcdb90a895fa99c4eb66bcbe5c159f07b82
│ ├── e579a55f5415f891095a7488e2dd250da7f2ccadc27c3d1280f13fea4263a97b
│ ├── e984b40c4c6909813ed9f0ea5de8f4f7cac40f0e8b9fb5041f4a568e307e5712
│ ├── eafb31f3ab90246d099e58f5fb950f58effa583f1e3caabc451dfabaf0d200e1
│ ├── ed3745f82c7873adca16833b718e20090ac6a8c74e7004b854af29ef1551de75
│ ├── f42ebd85c4d0ab6573a856049ac9c892c037a0ec8f39e54153dd439616883390
│ ├── f4639c63fb01875946a4272c3515f005d558823311d0ee4c34896c2b66122596
│ ├── f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
│ ├── fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042
│ ├── fe14edf4db2a9838f15aaf24a5837ffc5c901313d6fd2fe60d15401154e44406
│ ├── ff51aa6cad655ddd99a525b78419cd746453fb2adcb689ba34ca3ab6e78b1347
│ └── ffb6acd2715dd988fe3c3fdbd7d45159f8e5b529eea506a856109a8696e93a80
├── OATBOAT
│ ├── 1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb_ file.None.0xfffffa80237c4010.img_OATBOAT with TOFULOAD shellcode
│ ├── 3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7_systemre.exe_OATBOAT with TOFULOAD shellcode
│ ├── 6f0a38c9eb9171cd323b0f599b74ee571620bc3f34aa07435e7c5822663de605_CyveraConsole.exe_OATBOAT that contains encrypted shellcode of TOFULOAD
│ ├── 7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c_ cct.exe_OATBOAT with TOFULOAD shellcode
│ ├── 9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb_ wlbsctrl.dll_OATBOAT loading shellcode
│ ├── a2598161e1efff623de6128ad8aafba9da0300b6f86e8c951e616bd19f0a572b_CyveraConsole.exe_OATBOAT that contains encrypted shellcode of TOFULOAD
│ ├── c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0_OATBOAT that contains an encrypted TOFULOAD_dll_
│ └── e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d_CyveraConsole.exe_OATBOAT that contains encrypted TOFUPIPE shellcode
├── SHEED AV
│ └── b25455b3f51c0ca0bf5014d043e05fe8ab7621a465677a17390fbc47e4ffbc2f_get-graphics-offsets32.exe_
├── TEMPLEDOOR
│ ├── 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4_System.dll_
│ ├── 86279d261e8bbb74f739de8f9755551dbcb32fafa41401a484ed2ea59742604e_System.dll_
│ └── b25455b3f51c0ca0bf5014d043e05fe8ab7621a465677a17390fbc47e4ffbc2f_Templedoor certificate
└── XORO
├── 269d7faed3a01b5ff9181df32e3fdbf7f7f193cc53e4f28aa21290343e69f3cd_EncryptionModule
|
Yara规则检测结果
上述列出的样本的Yara规则命中情况:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
M_UNC1860_TEMPLEDOOR_BytePatterns_1 TEMPLEDOOR 86279d261e8bbb74f739de8f9755551dbcb32fafa41401a484ed2ea59742604e_System.dll_
M_UNC1860_TEMPLEDOOR_BytePatterns_1 TEMPLEDOOR 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4_System.dll_
SASHEYAWAY_Strings_1 a650a90c1b505989b7e81bfb310d7e2013a380ab26f99622de158c58b1d0fbbf
M_UNC1860_TEMPLEDOOR_BytePatterns_1 786298c0d98aaf35777738a43a41546c6c8b1972b9bd601fb6cccf2c8f539ae4
M_OBFUSLAY_UNC1860_1 e17510e9fad082426920e6e6d94df7c1314ecc3ab041aa8e19d18140f5a0cc21
M_OBFUSLAY_UNC1860_1 fa2c5fa2814d4db288bf8733edc4f1a78cd2c72cde90f42cf5b14162ac648042
SASHEYAWAY_Strings_1 9483f5eb9133c353cef636ef9fcc29e2c7bf658881574211ee142c93c523efaf
SASHEYAWAY_Strings_1 67560e05383e38b2fcc30df84f0792ad095d5594838087076b214d849cde9542
SASHEYAWAY_Strings_1 8e4f7a19b09e118ebda79726bf17e9d37ff4b66f4143762dd97ca80340388963
M_Hunting_Backdoor_TOFULOAD_1 e26fbbeea2e152b3769126714c52112d04c4f2310461fb842bf2532e7903ce51
M_Autopatt_DropperMemonly_WINTAPIX_1 8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330
M_OBFUSLAY_UNC1860_1 59463257c3f2425109fd097f814b6468663df947de8178c8cd7b7c5e94d3375c
M_APT_CRYPTOSLAY_UNC1860_1 1c57b1ed990a8946e86d69da2a047fa15525d883b86e93cb6444a4065dbad362
M_Hunting_Backdoor_TOFULOAD_1 da450c639c9a50377233c0f195c3f6162beb253f320ed57d5c9bb9c7f0e83999
SASHEYAWAY_Strings_1 58cb1ef132fbdd1855f75c2886666275d1bb75a9fb3fed88d05feee4230afd32
SASHEYAWAY_Strings_1 ac7b01e01de0dc289cd649aa5072243f2036bd8d2d0152b6d9874c2ccaaf1e5d
M_WINTAPIX_StringDecodingMethod_1 a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
M_WINTAPIX_PaddedStrings_1 a375f98aa21377ed0c59b4c7121ac93763157e39d8235fb5ce77f88dee0e2ee4
SASHEYAWAY_Strings_1 2538767f13218503bccf31fccb74e7531994b69a36a3780b53ba5020d938af20
M_OBFUSLAY_UNC1860_1 ba3efa7d61e79cf62eeb0c65e803a6353f3012a89e0d910c2292801da43c8a93
M_OBFUSLAY_UNC1860_1 b66919a18322aa4ce2ad47d149b7fe38063cd3cfa2e4062cd1a01ad6b3e47651
M_OBFUSLAY_UNC1860_1 159eecbba87a7397a5b84a21c289ae66ec776a3fd3b41bf11549fb621afebc0a
M_OBFUSLAY_UNC1860_1 ce59bbe3ef7e16423718de50639d2278eab9c1f08f998677ba6fbd36695f316a
SASHEYAWAY_Strings_1 b65bcba449d74e4395421aeb4012c9e509acb5e8153ff3dc9f01fd97a5cc2711
SASHEYAWAY_Strings_1 ed3745f82c7873adca16833b718e20090ac6a8c74e7004b854af29ef1551de75
M_WINTAPIX_StringDecodingMethod_1 f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
M_WINTAPIX_PaddedStrings_1 f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d
|
恶意软件存储库链接
在博客运行的过去15年中,由于更严格的无恶意软件政策,许多托管提供商已停止支持。这导致了链接失效,尤其是在较旧的帖子中。如果您在contagiodump.blogspot.com(或contagiominidump.blogspot.com)上发现失效链接,只需记下URL中的文件名并在Contagio恶意软件存储中搜索即可。