UNC1549 Hackers Abuse Microsoft Azure Cloud To Attack Defense Sectors

admin by admin
Feb 28, 2024
in News
New threat activity has been discovered that is related to Iran-nexus espionage targeting the aerospace, aviation, and defense industries in multiple countries, including Israel, the UAE, Turkey, India, and Albania.

The activity is suspected to be linked to the threat actor UNC1549, which overlaps with the Tortoiseshell threat group.

The threat actor used several evasion techniques to hide its activity, relying on Microsoft Azure cloud infrastructure for both social engineering and command and control, and deployed two unique backdoors named MINIBIKE and MINIBUS.

Over 125 Azure command-and-control subdomains have been discovered as part of this campaign's TTPs.


Hackers Abuse Microsoft Azure

According to Mandiant's report, the threat actor's campaign was linked to a fake recruiting website hosting the MINIBUS payload.

Additionally, the campaign's use of cloud infrastructure for C2 makes the activity challenging for network defenders to prevent, detect, and mitigate.

The Tortoiseshell threat actor previously used this job-lure campaign.

Fake Job Offer (Source: Mandiant)

The attack lifecycle consists of several stages: spear-phishing with fake job offers for tech and defense-related positions, payload delivery, and installation of the payloads on the device to compromise it.

The fake job-offer website was spread via social media and emails carrying malicious payloads used for harvesting credentials.

These payloads were either MINIBIKE or MINIBUS, which have been used since at least 2022.

Once these payloads are installed on the victim's device, C2 communication is established through Microsoft Azure cloud infrastructure, which collects information from the device and provides access to it.

Moreover, this stage was also found to use the LIGHTRAIL tunneler. Some of the Azure C2 domains used were:

  • ilengineeringrssfeed[.]azurewebsites[.]net (“IL Engineering RSS Feed”)
  • hiringarabicregion[.]azurewebsites[.]net (“Hiring Arabic Region”)
  • turkairline[.]azurewebsites[.]net (“Turk Airline”)

Fake airline company website (Source: Mandiant)
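As an added example (not code from the article or from Mandiant), the following script shows how a defender could triage proxy logs for the lure-themed *.azurewebsites.net C2 hostnames described above: exact matches against the three domains the article lists, plus a heuristic for other Azure App Service hostnames whose labels carry recruiting or airline themes. The log line format and the lure keyword list are assumptions; the sample log is constructed.

```python
import re

# Azure C2 hostnames named in the report (defanged on the page; refanged here for matching).
KNOWN_C2 = {
    "ilengineeringrssfeed.azurewebsites.net",
    "hiringarabicregion.azurewebsites.net",
    "turkairline.azurewebsites.net",
}
# Assumed lure keywords reflecting the themes the report describes (hiring, aviation, engineering).
LURE_TERMS = ("hiring", "recruit", "job", "career", "airline", "aviation", "engineering")

# Assumed proxy log format: "<timestamp> <source_ip> <destination_host> <bytes>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def classify_host(host):
    """Return 'known_c2', 'suspicious_azure', or None for one destination hostname."""
    host = host.lower().rstrip(".")
    if host in KNOWN_C2:
        return "known_c2"
    if host.endswith(".azurewebsites.net"):
        label = host[: -len(".azurewebsites.net")]
        if any(term in label for term in LURE_TERMS):
            return "suspicious_azure"
    return None


def scan_proxy_log(lines):
    """Parse log lines and return {host: (verdict, sorted source IPs)} for every hit."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        verdict = classify_host(m["host"])
        if verdict:
            hits.setdefault(m["host"].lower(), (verdict, set()))[1].add(m["src"])
    return {h: (v, sorted(s)) for h, (v, s) in hits.items()}


# Constructed sample log: two known C2 hosts, one themed Azure host, two benign destinations.
SAMPLE_LOG = """\
2024-02-27T09:12:01Z 10.0.4.21 turkairline.azurewebsites.net 1842
2024-02-27T09:12:05Z 10.0.4.21 contoso-intranet.azurewebsites.net 5120
2024-02-27T09:15:44Z 10.0.7.8 hiringarabicregion.azurewebsites.net 2290
2024-02-27T09:20:10Z 10.0.9.3 defensecareers-portal.azurewebsites.net 960
2024-02-27T09:21:00Z 10.0.4.21 login.microsoftonline.com 310
""".splitlines()

if __name__ == "__main__":
    for host, (verdict, sources) in scan_proxy_log(SAMPLE_LOG).items():
        print(f"{verdict:16} {host} <- {', '.join(sources)}")
```

The `suspicious_azure` verdict is a hunting lead rather than a confirmed indicator, since legitimate Azure apps can carry the same words; the `known_c2` hits are the ones to escalate.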

MINIBIKE Malware

MINIBIKE is a custom C++ backdoor capable of file exfiltration, command execution, file upload, and communication with the Azure cloud infrastructure.

Once installed, the malware provides full backdoor functionality on the compromised device. It consists of three components:

  • The backdoor (a .dll or .dat file)
  • A launcher, executed via DLL search order hijacking (SoH)
  • A legitimate or fake executable that masks MINIBIKE

MINIBUS Malware

In addition to the functionality offered by MINIBIKE, this malware provides a more flexible code-execution interface and enhanced information-gathering features.

It has very few built-in features compared to MINIBIKE. Its functionality includes:

  • Command interface for code execution
  • Process enumeration
  • Exporting DLL names
  • C2 communications
  • Lure themes
  • Targeting and geography

LIGHTRAIL Tunneler

This tunneler shares multiple links with the MINIBIKE and MINIBUS malware: the code base, the Azure C2 infrastructure, and the same targets and victimology. It is built on the open-source utility Lastenzug, a SOCKS4a proxy.

Indicators Of Compromise (IOCs)

