

Ethical Hacking News

A Comprehensive Analysis of the UNC1549 Malware Campaign: Unveiling the Tactics, Techniques, and Procedures


The UNC1549 malware campaign demonstrates the importance of staying vigilant and taking proactive measures to prevent sophisticated attacks from compromising network environments.

  • The UNC1549 malware campaign uses a sophisticated attack strategy that leverages legitimate tools and publicly available utilities to evade detection.
  • SIGHTGRAB is a Windows executable that autonomously captures screenshots at regular intervals and saves them to disk, targeting users with sensitive data or privileged access.
  • TRUSTTRAP is a malware tool used by UNC1549 to trick users into submitting their credentials, compromising user security.
  • The campaign employs various tools for internal reconnaissance, including AD Explorer, native Windows commands, and PowerShell scripts.
  • AWRC, a commercial utility, is leveraged to establish remote connections and conduct post-compromise activities.
  • CRASHPAD decrypts content from the file config.txt into the file crash.log, using AWRC's built-in functions for reconnaissance.
  • The campaign also deploys malware onto compromised machines and exfiltrates sensitive browser files containing user credentials.
  • LIGHTRAIL is a custom tunneler that communicates with Azure cloud infrastructure and differs in several respects from the open-source code it is based on.
  • DEEPROOT, a Linux backdoor, supports functionalities like shell command execution and file listing, and could be compiled for other operating systems.
  • The campaign uses multiple C2 domains hosted on Microsoft Azure to communicate with compromised machines.



    The recent revelations about the UNC1549 malware campaign have shed light on a sophisticated attack strategy employed by attackers to compromise network environments. The campaign's modus operandi revolves around leveraging legitimate tools and publicly available utilities to blend in with standard administrative activities, thereby evading detection.

    At the heart of this campaign lies SIGHTGRAB, a Windows executable written in C that autonomously captures screenshots at regular intervals and saves them to disk. Upon execution, SIGHTGRAB loads several Windows libraries dynamically at runtime, including User32.dll, Gdi32.dll, and Ole32.dll, and resolves the system functions it needs at runtime through LoadLibraryA and GetProcAddress calls made with encoded strings.

    SIGHTGRAB's primary routine creates a directory named after the current timestamp and then saves each captured screenshot into it incrementally. It targets users in two categories: those handling sensitive data, enabling subsequent data exposure and exfiltration, and those with privileged access, enabling privilege escalation and access to restricted systems.

    One of the malicious tools used by UNC1549 is TRUSTTRAP, a malware that serves a Windows prompt to trick users into submitting their credentials. Captured credentials are saved in cleartext to a file, thereby compromising user security.

    The campaign leverages legitimate tools and publicly available utilities for internal reconnaissance. AD Explorer, a valid executable signed by Microsoft, was used to query Active Directory and inspect its configuration details. The group also employed native Windows commands like net user and net group to enumerate specific user accounts and group memberships within the domain, alongside PowerShell scripts for ping and port scanning reconnaissance on specific subnets.
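    As an added example that is not part of the original article or of any vendor's tooling, the following Python script scans constructed process-creation events for the reconnaissance steps just described: AD Explorer execution, domain-wide net user/net group enumeration, and PowerShell ping or port sweeps. The binary name ADExplorer.exe, the JSON field names, and the sample events are assumptions made for this example.

```python
import json
import re

# Indicators from the article: AD Explorer, net user/group domain enumeration and
# PowerShell ping/port sweeps. Binary names and the JSON field names (host, user,
# image, cmdline) are assumptions made for this example, not a vendor log format.
RULES = [
    ("ad-explorer-execution", "image", re.compile(r"(?:^|\\)adexplorer(?:64)?\.exe$", re.I)),
    ("net-domain-enumeration", "cmdline",
     re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*\s/do(?:main)?\b", re.I)),
    ("powershell-ping-sweep", "cmdline", re.compile(r"test-connection|\bping(?:\.exe)?\b.*\$_", re.I)),
    ("powershell-port-scan", "cmdline", re.compile(r"test-netconnection|net\.sockets\.tcpclient", re.I)),
]

def classify_event(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    for name, field, pattern in RULES:
        # PowerShell rules fire only when PowerShell is the process image.
        if name.startswith("powershell") and not re.search(r"powershell|pwsh", event.get("image", ""), re.I):
            continue
        if pattern.search(event.get(field, "")):
            hits.append(name)
    return hits

def scan_log(lines: list) -> list:
    """Parse one JSON event per line and keep only the events that match a rule."""
    findings = []
    for raw in lines:
        event = json.loads(raw)
        hits = classify_event(event)
        if hits:
            findings.append({"host": event["host"], "user": event["user"], "rules": hits})
    return findings

def hosts_with_recon_chain(findings: list, min_rules: int = 2) -> list:
    """Hosts where several distinct recon rules fired, i.e. more than a one-off admin command."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).update(f["rules"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)

# Constructed sample events (not real telemetry): two recon steps on ws01,
# a PowerShell ping sweep on ws02 and two benign commands on ws03.
SAMPLE_LOG = [
    r'{"host":"ws01","user":"corp\\jdoe","image":"C:\\Tools\\ADExplorer.exe","cmdline":"ADExplorer.exe"}',
    r'{"host":"ws01","user":"corp\\jdoe","image":"C:\\Windows\\System32\\net.exe","cmdline":"net group \"Domain Admins\" /domain"}',
    r'{"host":"ws02","user":"corp\\svc","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c \"1..254 | % { Test-Connection 10.0.5.$_ -Count 1 -Quiet }\""}',
    r'{"host":"ws03","user":"corp\\alice","image":"C:\\Windows\\System32\\net.exe","cmdline":"net use Z: \\\\fs01\\share"}',
    r'{"host":"ws03","user":"corp\\alice","image":"C:\\Windows\\System32\\ping.exe","cmdline":"ping fs01"}',
]
```

    Running scan_log(SAMPLE_LOG) yields three findings, and hosts_with_recon_chain singles out ws01, where two distinct reconnaissance rules fired for the same user.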

    In addition to these tactics, UNC1549 utilized Atelier Web Remote Commander (AWRC), a commercial utility for remotely managing, auditing, and supporting Windows systems. AWRC's agentless design enables administrators to connect immediately without requiring software installation or pre-configuration on the remote machine. UNC1549 leveraged this capability to establish remote connections, conduct reconnaissance, and perform post-compromise activities.

    Another crucial tool employed by UNC1549 is CRASHPAD, a Windows executable written in C++ that decrypts the contents of the file config.txt into the file crash.log by impersonating the security context of the explorer.exe user and calling the CryptUnprotectData API. CRASHPAD conducted reconnaissance using AWRC's built-in functions to gather information about running services, active processes, and existing RDP sessions.

    Furthermore, UNC1549 used CRASHPAD as a vector to transfer and deploy malware onto compromised machines, as well as exfiltrate sensitive browser files known to contain stored user credentials from remote systems. The campaign also deployed the LIGHTRAIL tunneler, likely based on the open-source Socks4a proxy, Lastenzug.

    LIGHTRAIL is a custom tunneler that communicates over Azure cloud infrastructure and differs in several respects from the Lastenzug source it is based on. One notable difference lies in the way it uses search order hijacking to execute VGAuthCLI.exe.

    Lastly, there is DEEPROOT, a Linux backdoor written in Go that supports shell command execution, system information enumeration, and file listing, deletion, upload, and download. Although designed primarily for Linux systems, DEEPROOT could also be compiled for other operating systems because the Go toolchain builds natively for multiple platforms.

    The campaign has been linked to multiple C2 domains hosted on Microsoft Azure. The observed DEEPROOT samples embedded multiple C2 servers per binary, likely for redundancy should one C2 server be taken down.

    In summary, the UNC1549 malware campaign exemplifies a complex and sophisticated attack strategy that leverages various tools and techniques to compromise network environments. By employing legitimate tools and publicly available utilities, attackers can evade detection while also maintaining operational security. Understanding this campaign's modus operandi is crucial for organizations seeking to protect themselves against similar attacks.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Comprehensive-Analysis-of-the-UNC1549-Malware-Campaign-Unveiling-the-Tactics-Techniques-and-Procedures-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense/

  • https://cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east

  • https://assets.kpmg.com/content/dam/kpmgsites/in/pdf/2024/03/kpmg-ctip-unc1549-12-mar-2024.pdf.coredownload.inline.pdf


  • Published: Mon Nov 17 10:29:28 2025 by llama3.2 3B Q4_K_M
