Threat Actor Profile Updated 3 months ago
Download STIX
Preview STIX
UNC3313, a threat actor group identified by Mandiant, has been actively involved in cyber-attacks targeting Middle Eastern government and technology entities since the second half of 2021. The group leverages a range of malware families, including GRAMDOOR, a Python-written backdoor that communicates with the Telegram server via the Telegram Bot API, and STARWHALE, a newly identified malware family. UNC3313 also uses a modified version of the open-source pen-testing tool CrackMapExec v3.0 (CRACKMAPEXEC) for system enumeration, user account reconnaissance, and remote command execution. Initial access to target systems is often achieved through spear-phishing attacks, followed by further exploitation using these tools. The attack lifecycle of UNC3313 typically begins with establishing a foothold in the victim's environment through spear-phishing attacks, compromising multiple systems. For instance, UNC3313 executed a file named ehorus_installer_windows-1.1.3-x64_en-US.msi, which created a service named EHORUSAGENT. The group then performs internal reconnaissance and lateral movement within the network, leveraging publicly available offensive security tools for remote command execution and network tunneling. UNC3313 was observed storing PowerShell downloader commands in Registry keys referenced by a Scheduled Task named “Oracle scheduled assistant Autoupdate” triggered on user logon. To maintain persistence, UNC3313 deploys various tactics such as downloading and executing a Windows Installer file for the eHorus remote access tool from the vendor website. Additionally, they were seen using LIGOLO for RDP session tunneling, evidenced by Windows logon events on accessed systems. Furthermore, Mandiant identified another UNC3313 backdoor compiled with Python 3.9 and packaged via PyInstaller, designed to execute only on Windows 8 and higher. These multi-pronged strategies underscore UNC3313's sophisticated approach to cyber attacks and their potential threat to targeted entities.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
TEMP.Zagros, also known as MuddyWater, Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iran-nexus threat actor that has been active since at least May 2017. This group is associated with the Iranian Ministry of Intelligence and Security (MOIS) and has historically targeted regions and sect
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Lateral Move...
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Starwhale is a malicious software (malware) identified by Mandiant during an investigation, which operates as a Windows Script File (WSF) backdoor. This malware communicates via HTTP with a command and control (C2) server, receiving commands and executing them through Windows cmd.exe. Starwhale infi
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory from cybersecurity firms. The group empl
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Unc3313 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
a year ago
Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity