Iranian Hacking Group Unleashes Array of Custom Malware Variants

Google has issued a warning regarding a state-sponsored Iranian hacking group known for targeting the aerospace and defense sectors in the Middle East. This group, referred to as UNC1549 by Google-owned Mandiant, has reportedly enhanced its operational capabilities with a suite of custom malware variants.
First identified in early 2024, UNC1549 is believed to have connections with the Iranian Revolutionary Guard Corps. Mandiant’s analysis indicates that the group has evolved over the past two years, developing new malware designed to establish footholds within targeted networks.
Austin Larsen, a principal threat analyst at Mandiant, noted that the deployment of multiple bespoke backdoors indicates a marked increase in sophistication and operational security. The group primarily relies on spear-phishing for initial access and then uses stolen credentials to log in to remote access services such as Azure Virtual Desktop and products from Citrix and VMware.
While the initial access methods are relatively straightforward, Mandiant highlighted that each post-exploitation payload it recovered was distinct, suggesting the group deliberately varies its tooling from intrusion to intrusion to frustrate signature-based detection. The malware families Mandiant identified include Twostroke, Deeproot, Crashpad, Dcsyncer.slick, Ghostline, Pollblend and Sightgrab, each with a specific role in the group's operations.
Twostroke collects system information and manages files to maintain persistence, while Deeproot executes shell commands and handles file operations. Command-and-control traffic is relayed through tunnelling malware such as Ghostline and Pollblend. For credential access, the group uses Dcsyncer.slick, which abuses Active Directory's directory replication service (the DCSync technique) to request NTLM password hashes from a domain controller as a replication partner would, and Crashpad to harvest credentials saved in web browsers.
The group also deploys Trusttrap, which displays deceptive pop-up prompts on victims' screens to trick them into entering credentials. For execution and persistence the attackers rely on DLL search order hijacking: they place a malicious DLL where a legitimate executable will find it before the real library, so Windows loads the attacker's code in place of the genuine DLL. The hijacked executables are frequently lookalikes of software from vendors such as Fortinet (FortiGate) and Microsoft.
Mandiant emphasized that UNC1549's tradecraft reflects a deliberate effort to evade detection while maintaining long-term persistence in compromised environments. The group plants backdoors that can lie dormant for months before being activated, which suggests an awareness of how incident responders hunt and remediate.
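The DCSync behaviour attributed to Dcsyncer.slick above can be spotted on the domain controller side: a replication request shows up as Windows Security event ID 4662 carrying the directory replication extended-right GUIDs. The following detector is an added example, not code from the Mandiant report or from the tooling the article describes. It assumes 4662 records have already been parsed into the three fields shown, and the sample events are constructed for illustration.

```python
# Added example (not from the article or Mandiant): flag DCSync-style replication
# requests in Windows Security event ID 4662 records. The field layout mirrors the
# real event; the SAMPLE_EVENTS below are constructed for illustration.
from dataclasses import dataclass

# Extended rights that grant directory replication. Requesting
# DS-Replication-Get-Changes-All is what lets a caller pull password hashes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
HASH_PULL_RIGHT = "DS-Replication-Get-Changes-All"


@dataclass
class Event4662:
    subject_user: str   # SubjectUserName: the account performing the operation
    object_type: str    # ObjectType: DCSync is requested against the domainDNS object
    properties: str     # Properties: access-mask token followed by extended-right GUIDs


def replication_rights_requested(ev):
    """Return the names of any replication rights present in the Properties field."""
    props = ev.properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_allowed_replicator(user, domain_controllers, service_accounts=()):
    """Domain controller machine accounts replicate legitimately, as may an
    explicitly allow-listed service account (for example a directory sync service)."""
    if user.endswith("$"):
        return user[:-1].upper() in {dc.upper() for dc in domain_controllers}
    return user.lower() in {s.lower() for s in service_accounts}


def detect_dcsync(events, domain_controllers, service_accounts=()):
    """Return (account, rights) for every 4662 where a non-replicator asked for
    DS-Replication-Get-Changes-All, i.e. the right needed to pull hashes."""
    alerts = []
    for ev in events:
        rights = replication_rights_requested(ev)
        if HASH_PULL_RIGHT not in rights:
            continue
        if is_allowed_replicator(ev.subject_user, domain_controllers, service_accounts):
            continue
        alerts.append((ev.subject_user, rights))
    return alerts


# Constructed sample records (hypothetical hosts and users).
DOMAIN_DNS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # domainDNS class GUID
SAMPLE_EVENTS = [
    # Normal replication between domain controllers.
    Event4662("DC02$", DOMAIN_DNS,
              "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # A user account asking for all changes: the DCSync pattern.
    Event4662("jsmith", DOMAIN_DNS,
              "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
              "{89e95b76-444d-4c62-991a-0facbeda640c}"),
    # Unrelated 4662 on a user object with a non-replication right.
    Event4662("jsmith", "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
              "%%7688 {e45795b2-9455-11d1-aebd-0000f80367c1}"),
]

if __name__ == "__main__":
    for user, rights in detect_dcsync(SAMPLE_EVENTS, ["DC01", "DC02"]):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```

Auditing of directory service access must be enabled for 4662 to be generated, and the allow-list of legitimate replicators (domain controllers plus any directory synchronisation service account) has to be maintained, otherwise the rule either stays silent or fires on every sync cycle.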
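The DLL search order hijacking described above leaves a simple trace in image-load telemetry: a DLL whose name belongs in the system directory is loaded from somewhere else, typically the directory of the executable that imported it. The check below is an added example written for this page, not code from Mandiant or from any vendor product; it assumes Sysmon event ID 7 (ImageLoaded) records reduced to the four fields shown, the short SYSTEM_DLLS list is illustrative rather than exhaustive, and the sample events use hypothetical paths.

```python
# Added example (not from the article or Mandiant): detect DLL search order
# hijacking from image-load events. Assumes Sysmon Event ID 7 records reduced to
# the fields in ImageLoad; SAMPLE_EVENTS are constructed with hypothetical paths.
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLLs a process should normally receive from the system directory. A copy sitting
# next to the executable is the classic search-order hijack. Illustrative list only;
# build the real one from your own baseline of loads.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll",
               "userenv.dll", "profapi.dll"}


@dataclass
class ImageLoad:
    image: str          # Sysmon 'Image': the process doing the loading
    image_loaded: str   # Sysmon 'ImageLoaded': full path of the DLL
    signed: bool        # Sysmon 'Signed'
    signature: str      # Sysmon 'Signature' (signer), "" when unsigned


def classify(ev):
    """Return a finding dict for a suspicious load, or None for a benign one."""
    dll = PureWindowsPath(ev.image_loaded)
    name = dll.name.lower()
    directory = str(dll.parent).lower()
    if name not in SYSTEM_DLLS or directory in SYSTEM_DIRS:
        return None
    app_dir = str(PureWindowsPath(ev.image).parent).lower()
    if directory == app_dir:
        reason = "system DLL name loaded from the executable's own directory"
    else:
        reason = "system DLL name loaded from outside the system directory"
    # An unsigned planted DLL is the strongest signal; a signed one still deserves a look.
    severity = "high" if not ev.signed else "medium"
    return {"process": ev.image, "dll": ev.image_loaded,
            "reason": reason, "severity": severity}


def detect_hijacks(events):
    return [finding for finding in (classify(e) for e in events) if finding]


# Constructed sample events (hypothetical paths and signers).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\version.dll",
              True, "Microsoft Windows"),
    ImageLoad(r"C:\ProgramData\VendorUpdate\update.exe",
              r"C:\ProgramData\VendorUpdate\version.dll", False, ""),
    ImageLoad(r"C:\Program Files\SomeApp\app.exe",
              r"C:\Program Files\SomeApp\libssl.dll", False, ""),
    ImageLoad(r"C:\Program Files\SomeApp\app.exe",
              r"C:\Users\Public\dbghelp.dll", True, "Contoso Ltd"),
]

if __name__ == "__main__":
    for finding in detect_hijacks(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['process']} loaded {finding['dll']}: {finding['reason']}")
```

Third-party applications do legitimately ship private copies of some of these DLLs, so in practice the rule is tuned against a baseline of known-good application directories rather than run raw; the signer check is what separates a vendor's redistributed library from a planted one.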