UNC1549 Breaches 34 Devices Across 11 Telecom Companies Using LinkedIn Job Scams and MINIBIKE Malware


Cyber Espionage Alert: UNC1549 Targets European Telecoms

Overview of UNC1549 and Their Methods

A cyber espionage group linked to Iran, known as UNC1549, has recently been implicated in a significant campaign aimed at European telecommunications firms. According to findings from Swiss cybersecurity specialist PRODAFT, this operation has effectively compromised 34 devices across 11 different organizations, utilizing a recruitment strategy via LinkedIn.

PRODAFT tracks this group as Subtle Snail and attributes it to the Islamic Revolutionary Guard Corps (IRGC). The targets of this campaign span several countries, including Canada, France, the UAE, the UK, and the US.

Recruitment Tactics and Technical Execution

UNC1549's modus operandi involves creating fake human resources profiles to engage employees of targeted organizations. By masquerading as HR representatives from credible companies, the operators exploit trust to deliver a variant of the MINIBIKE backdoor. This variant routes its command-and-control (C2) traffic through Azure cloud services, which helps it blend in with legitimate traffic and evade many detection mechanisms.

Active since at least June 2022, UNC1549 shares similarities with other Iranian hacking groups such as Smoke Sandstorm and Crimson Sandstorm. Its activities were first publicly documented by Mandiant, a Google subsidiary, in February 2024.

Recent Developments and Malware Families

From insights shared by Israeli cybersecurity enterprise ClearSky, it has been established that UNC1549 has increasingly focused on the aerospace sector, deploying malware types such as SnailResin and SlugResin since as early as September 2023. The group’s primary objective includes infiltrating telecommunications sectors and maintaining an interest in aerospace and defense firms, aiming to gather sensitive data for strategic intelligence purposes.

Targeting Strategy

UNC1549’s attack chain begins with a deep reconnaissance phase on LinkedIn, where they pinpoint key personnel such as researchers, developers, and IT administrators with critical system access. Following this, the group sends spear-phishing emails to validate email addresses and collect more data before executing their recruitment strategies.

They meticulously craft HR profiles on LinkedIn and reach out to potential victims with fabricated job offers. Once interest is shown, victims receive emails inviting them to schedule interviews via fraudulent websites mimicking those of legitimate companies, such as Telespazio or Safran Group. Visiting these domains triggers the automatic download of a ZIP file.

Malware Infection Process

Inside the ZIP file lies an executable that employs DLL side-loading techniques to launch the malicious MINIBIKE DLL. This DLL then gathers vital system information and awaits further payloads consisting of Microsoft Visual C/C++ DLLs, which enable it to conduct reconnaissance operations, log keystrokes, collect Microsoft Outlook credentials, and extract data from browsers like Google Chrome and Microsoft Edge.

A particularly concerning feature of the malware includes using a publicly available tool to bypass app-specific protections in Chrome, allowing it to decrypt and harvest stored passwords.

Advanced Techniques and Persistence

PRODAFT indicates that the Subtle Snail team customizes each DLL deployed to a victim machine, down to the network configuration information it gathers, for that specific target. Their methodology includes modifying legitimate DLL files to mask their malicious nature while still allowing the DLL side-loading to succeed, effectively circumventing detection mechanisms.

The MINIBIKE backdoor is modular, supporting 12 separate commands for C2 communication, enabling functions like file enumeration, process management, and payload execution. The malware blends its C2 traffic with standard cloud communications using Azure and virtual private servers to further obscure its activities.

Moreover, it alters Windows Registry settings, ensuring it launches automatically on system start. Employing anti-debugging tactics and complex encoding techniques, MINIBIKE is designed to resist reverse engineering and conceal its full capabilities.
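The two host-level behaviours described above, a DLL side-loaded from the same user-writable folder as the dropped executable and a Registry Run-key entry pointing back into a user-writable path, are both visible in endpoint telemetry. The following added example (written for this article, not code from PRODAFT or from the malware) applies those two heuristics to constructed Sysmon-style events; the event field names, the file paths and the "Updater" value name are all made up for illustration.

```python
import ntpath

# Directory prefixes an unprivileged user can write to (assumption: a typical
# Windows layout; extend the list for your environment).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def _exe_from_command(details):
    # Pull the executable path out of a Run-key command line, quoted or not.
    d = details.strip()
    return d[1:].split('"', 1)[0] if d.startswith('"') else d.split(" ", 1)[0]

def side_load_candidates(events):
    # Sysmon Event ID 7 (ImageLoad): an unsigned DLL loaded from the same
    # user-writable directory as the process image is the side-loading pattern.
    hits = []
    for e in events:
        if e.get("EventID") != 7 or e.get("Signed", "").lower() == "true":
            continue
        exe_dir = ntpath.dirname(e["Image"]).lower()
        dll_dir = ntpath.dirname(e["ImageLoaded"]).lower()
        if exe_dir == dll_dir and is_user_writable(dll_dir):
            hits.append(e["ImageLoaded"])
    return hits

def suspicious_run_keys(events):
    # Sysmon Event ID 13 (registry value set): a Run-key value whose command
    # launches something from a user-writable directory.
    hits = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        key = e["TargetObject"].lower()
        if "\\currentversion\\run\\" in key and is_user_writable(_exe_from_command(e["Details"])):
            hits.append(e["TargetObject"].rsplit("\\", 1)[-1])  # value name
    return hits

def analyze(events):
    return {"side_load": side_load_candidates(events), "run_keys": suspicious_run_keys(events)}

# Constructed sample events (not real telemetry from the report).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\interview\Interview_Invite.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\interview\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\alice\AppData\Roaming\svc\Interview_Invite.exe" -s'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

Signed system DLLs and Run entries under Program Files are left alone, so on the sample input only the Downloads-folder DLL and the "Updater" value are reported.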

The Broader Implications of Subtle Snail’s Operations

PRODAFT emphasizes the significant risk posed by Subtle Snail’s operations, which not only compromise devices but actively seek out sensitive data while securing long-term access to crucial telecommunications networks. Their pursuit includes sensitive communications, VPN configurations, and confidential files that can lead to severe business repercussions and personal data exposure.

Insight into MuddyWater’s Toolkit

In related news, another Iranian state-sponsored hacking group named MuddyWater has come under scrutiny. Recent insights from Group-IB reveal that MuddyWater has reduced its reliance on traditional Remote Monitoring and Management (RMM) tools in favor of bespoke malware tools. Some notable additions to their arsenal include:

  • BugSleep: A Python-based backdoor enabling command execution and file transfers.
  • LiteInject: A portable executable injector.
  • StealthCache: A feature-rich backdoor capable of file manipulation and credential stealing.
  • Fooder: A loader designed to run encrypted payloads in memory.
  • Phoenix: Streamlined malware based on BugSleep.
  • CannonRat: A tool for remote control of compromised systems.
  • UDPGangster: A basic backdoor communicating over UDP.

Active since 2017, MuddyWater, which is also tracked under various aliases, has increasingly targeted telecommunications and critical infrastructure sectors, emphasizing the ongoing threat posed by Iranian cyber actors.
