UNC3313, a threat actor group identified by Mandiant, has been actively involved in cyber attacks targeting Middle Eastern government and technology entities since the second half of 2021. The group leverages a range of malware families, including GRAMDOOR, a backdoor written in Python that communicates with the Telegram server via the Telegram Bot API, and STARWHALE, a newly identified malware family. UNC3313 also uses a modified version of the open-source pen-testing tool CrackMapExec v3.0 (CRACKMAPEXEC) for system enumeration, user account reconnaissance, and remote command execution. Initial access to target systems is often achieved through spear-phishing attacks, followed by further exploitation using these tools.
The attack lifecycle of UNC3313 typically begins with establishing a foothold in the victim's environment through spear-phishing attacks, compromising multiple systems. For instance, UNC3313 executed a file named ehorus_installer_windows-1.1.3-x64_en-US.msi, which created a service named EHORUSAGENT. The group then performs internal reconnaissance and lateral movement within the network, leveraging publicly available offensive security tools for remote command execution and network tunneling. UNC3313 was observed storing PowerShell downloader commands in Registry keys referenced by a Scheduled Task named “Oracle scheduled assistant Autoupdate” triggered on user logon.
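The Scheduled Task pattern above (a logon trigger whose PowerShell action pulls its payload out of the Registry) is easy to hunt for in exported task definitions. The following is an added example, not code from Mandiant or from this page: it parses Task Scheduler XML as produced by `schtasks /query /xml` or `Export-ScheduledTask` and flags that combination; the sample task definitions, the Registry path and value name in them are constructed for illustration.

```python
"""Flag logon-triggered Scheduled Tasks whose PowerShell action reads its
payload from the Registry. Input: Task Scheduler XML (schtasks /query /xml)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Command-line fragments that read a value back out of the Registry.
REGISTRY_READ = re.compile(
    r"Get-ItemProperty|Get-ItemPropertyValue|reg(\.exe)?\s+query|"
    r"\[Microsoft\.Win32\.Registry\]|HK(LM|CU|EY_LOCAL_MACHINE|EY_CURRENT_USER)",
    re.IGNORECASE,
)
POWERSHELL = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.IGNORECASE)


def analyze_task_xml(xml_text: str) -> dict:
    """Return trigger/action facts and a verdict for one task definition."""
    # schtasks exports carry a UTF-16 declaration; expat rejects it on str input.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    findings = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", "", TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", TASK_NS) or "").strip()
        findings.append({"command": cmd, "arguments": args,
                         "powershell": bool(POWERSHELL.search(cmd.strip('"'))),
                         "reads_registry": bool(REGISTRY_READ.search(args))})
    suspicious = logon and any(f["powershell"] and f["reads_registry"] for f in findings)
    return {"logon_trigger": logon, "actions": findings, "suspicious": suspicious}


# Constructed sample resembling the technique: logon trigger, PowerShell action
# that reads and executes a script body stored in a Registry value (path invented).
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-w hidden -c "iex (Get-ItemProperty HKCU:\Software\Example).Payload"</Arguments>
  </Exec></Actions>
</Task>"""
# Constructed benign comparison: logon-triggered vendor updater, no Registry read.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>"C:\Program Files\Vendor\updater.exe"</Command>
  <Arguments>/silent</Arguments></Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("sample", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task_xml(xml)["suspicious"])
```

Run it over every task exported from a host; hits that also carry the task name quoted above are worth immediate triage.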
To maintain persistence, UNC3313 deploys various tactics, such as downloading and executing a Windows Installer file for the eHorus remote access tool from the vendor website. Additionally, they were seen using LIGOLO for RDP session tunneling, evidenced by Windows logon events on accessed systems. Furthermore, Mandiant identified another UNC3313 backdoor compiled with Python 3.9 and packaged via PyInstaller, designed to execute only on Windows 8 and higher. These multi-pronged strategies underscore UNC3313's sophisticated approach to cyber attacks and their potential threat to targeted entities.
Description last updated: 2024-05-05T03:45:03.331Z