Threats Feed | UNC3313 | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 24/02/2022

The Rise Of GRAMDOOR And STARWHALE In The Middle East: UNC3313 Suspected

  • Actor Motivations: Espionage
  • Attack Vectors: Backdoor, Malware, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The Iranian cyber espionage group UNC3313, also tracked as TEMP.Zagros and MuddyWater, has been identified as the perpetrator of a series of cyber attacks on Middle Eastern government and technology entities. The group used two new targeted malware families, GRAMDOOR and STARWHALE, to exploit vulnerabilities and gain unauthorized access. UNC3313 also relied on publicly available remote access software and modified open-source offensive security tools for lateral movement within the targeted networks. The group's activities point to a strong focus on geopolitical targets and the telecommunications sector in the Middle East. Its use of the Telegram API for command and control lets malicious traffic blend in with legitimate user activity, which indicates a deliberate effort to evade detection.

Detected Targets

Type   | Description                      | Confidence
Sector | Government Agencies and Services | Verified
Sector | Information Technology           | High
Sector | Telecommunication                | High
Region | Middle East Countries            | Verified

Extracted IOCs


Tip: 13 IOCs related to this threat have been found (7 IP addresses, 0 domains, 0 URLs, 0 email addresses, 6 file hashes).

Overlaps

MuddyWater | MuddyWater's Strategic Cyber Campaigns Across Turkey, Armenia, and Pakistan

Source: Cisco Talos - March 2022

Detection (one case): 5[.]199.133.149

MuddyWater | MuddyWater Espionage Campaign: A Deep Dive into Malware and Tactics

Source: Picussecurity - March 2022

Detection (three cases): 15fa3b32539d7453a9a85958b77d4c95, 5763530f25ed0ec08fb26a30c04009f1, cb84c6b5816504c993c33360aeec4705

MuddyWater | Analysis of MuddyWater Malware Targeting Diverse International Sectors

Source: CISA - February 2022

Detection (one case): 5[.]199.133.149

MuddyWater | MuddyWater: Iranian APT Group Targets Global Networks Across Multiple Sectors

Source: CISA - February 2022

Detection (six cases): 45[.]142.213.17, 45[.]153.231.104, 5[.]199.133.149, 95[.]181.161.50, 15fa3b32539d7453a9a85958b77d4c95, 5763530f25ed0ec08fb26a30c04009f1

MuddyWater | Unveiling Small Sieve: A Python Backdoor with Advanced Evasion Techniques

Source: NCSC - February 2022

Detection (two cases): 15fa3b32539d7453a9a85958b77d4c95, 5763530f25ed0ec08fb26a30c04009f1

MuddyWater | Evolving Threat: MuddyWater APT's Multi-National Cyber Espionage Activities

Source: Cisco Talos - January 2022

Detection (one case): 5[.]199.133.149

MuddyWater | MuddyWater Expands Its Reach: A Deep Dive into the Earth Vetala Intrusion

Source: Trend Micro - March 2021

Detection (one case): 87[.]236.212.184

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation

UNC3313