| TEMPLEPLAY | |
|---|---|
| Type of Malware | Backdoor |
| Country of Origin | Iran |
| Targeted Countries | Middle East |
| Date of Initial Activity | 2024 |
| Associated Groups | UNC1860 |
| Motivation | Cyberwarfare |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Windows |
Overview
In the world of cyber threats, sophisticated malware tools continue to evolve, allowing threat actors to execute complex and persistent attacks on targeted systems. One such tool that has recently come to the forefront is TEMPLEPLAY, a .NET-based malware controller used by the threat actor group UNC1860. TEMPLEPLAY operates as part of a larger malware infrastructure designed to provide attackers with seamless control over infected systems. This powerful tool functions as a graphical user interface (GUI), giving attackers an intuitive, easy-to-use method for managing their exploits within a compromised network. It serves as a key element in UNC1860’s persistent and evolving campaign, allowing them to perform actions that range from file uploads and downloads to sophisticated internal network scanning and exploitation.
The core of TEMPLEPLAY’s effectiveness lies in its ability to facilitate remote access and command execution within a victim’s environment. This malware controller allows cybercriminals to conduct their attacks with minimal interaction with the infected system. Unlike traditional malware, which may require manual configuration or complex command-line operations, TEMPLEPLAY offers a GUI that enables even less technically skilled attackers to efficiently exploit vulnerabilities, install additional payloads, and exfiltrate valuable data. TEMPLEPLAY is often used in conjunction with TEMPLEDOOR, a passive backdoor that grants the initial access, and its role in controlling compromised systems makes it an integral tool in UNC1860’s multi-pronged attack strategy.
Targets
- Information
- Public Administration
How they operate
The core functionality of TEMPLEPLAY is centered around providing a simple yet powerful interface for cybercriminals. Built in .NET, TEMPLEPLAY’s GUI allows attackers to execute commands on infected systems, upload or download files, and perform network scans with minimal technical expertise required. The Command Prompt Tab is a primary feature, enabling operators to send commands to the target system’s command line. The default command, `cmd /c 2>&1` with the parameter `whoami`, is used to gather basic information about the infected system, specifically identifying the user account that is executing the command. This allows the attackers to establish their presence on the system, collect valuable system data, and ensure their payload is functioning as intended.
Another critical component of TEMPLEPLAY is the Upload File Tab, which allows for the remote upload of files from the attacker’s local system to the victim’s machine. Using a POST request, TEMPLEPLAY facilitates file transfers to the default target directory, typically located in `C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS`. This function is essential for installing additional payloads or exfiltrating sensitive files. The Download File Tab, conversely, enables the attacker to retrieve files from the infected machine. The default location for downloading files is `C:\Programdata\1.txt`, often used to store stolen information or to retrieve configuration files that aid in the malware’s persistence on the network.
The HTTP Proxy Tab in TEMPLEPLAY adds another layer of sophistication by allowing infected systems to act as a proxy server. This feature is primarily used for enabling Remote Desktop Protocol (RDP) connections to other machines within the network. In cases where a target server is protected by a firewall or network address translation (NAT) boundary, TEMPLEPLAY enables the attacker to bypass these barriers by routing traffic through the infected machine. This makes it easier for attackers to pivot to other parts of the network and maintain control over additional systems. The use of an HTTP proxy helps circumvent defenses that would otherwise block direct access to sensitive internal resources, further enhancing the stealth and persistence of the attack.
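The three behaviours just described (a web server process spawning the default `cmd /c 2>&1 whoami` command, files written into the SharePoint LAYOUTS directory or read from `C:\Programdata\1.txt`, and the compromised web server opening RDP connections to internal hosts for the HTTP proxy pivot) each leave a distinct trace in endpoint telemetry. The following hunting script is an added example, not code from the original page or from the report it summarises; the event record format, the `w3wp.exe` hosting-process assumption and the sample events are constructed for this demonstration, while the command string, the LAYOUTS path and the download file path come from the profile above.

```python
"""Hunt for TEMPLEPLAY-style operator activity in process, file and network telemetry.

Added example. The event dictionaries below are constructed for this demonstration;
the field names ("type", "parent", "image", "cmdline", "process", "op", "path",
"dst", "dport") are assumptions about an EDR export, not a real product schema.
"""
import re
from typing import Dict, List

# Assumed: the passive backdoor lives inside the IIS worker process on a SharePoint server.
WEB_SERVER_PROCESSES = {"w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Default upload directory and download file named in the profile (compared case-insensitively).
LAYOUTS_DIR = (r"c:\program files\common files\microsoft shared"
               r"\web server extensions\15\template\layouts")
DEFAULT_DOWNLOAD_FILE = r"c:\programdata\1.txt"
RDP_PORT = 3389

# Default Command Prompt tab invocation: "cmd /c 2>&1 <command>".
DEFAULT_CMD_RE = re.compile(r"^cmd(?:\.exe)?\s+/c\s+2>&1\s+\S", re.IGNORECASE)


def _norm(path: str) -> str:
    """Lower-case a Windows path and unify separators so prefix checks are stable."""
    return path.replace("/", "\\").lower()


def hunt(events: List[Dict]) -> List[str]:
    """Return one finding string per event that matches a TEMPLEPLAY tradecraft rule."""
    findings: List[str] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "").lower()
            cmdline = ev.get("cmdline", "")
            if parent in WEB_SERVER_PROCESSES and DEFAULT_CMD_RE.match(cmdline):
                findings.append(f"HIGH {ev['host']}: default TEMPLEPLAY command from {parent}: {cmdline!r}")
            elif parent in WEB_SERVER_PROCESSES and image in SHELL_IMAGES:
                # Any shell under the web server is suspicious even if the command differs.
                findings.append(f"MEDIUM {ev['host']}: {parent} spawned {image}: {cmdline!r}")
        elif kind == "file":
            proc = ev.get("process", "").lower()
            path = _norm(ev.get("path", ""))
            if (proc in WEB_SERVER_PROCESSES and ev.get("op") == "create"
                    and path.startswith(LAYOUTS_DIR + "\\")):
                findings.append(f"HIGH {ev['host']}: {proc} wrote into LAYOUTS: {ev['path']}")
            elif path == DEFAULT_DOWNLOAD_FILE:
                findings.append(f"MEDIUM {ev['host']}: {proc} touched default download file {ev['path']}")
        elif kind == "network":
            proc = ev.get("process", "").lower()
            # A web server worker process has no business speaking RDP to internal hosts.
            if proc in WEB_SERVER_PROCESSES and ev.get("dport") == RDP_PORT:
                findings.append(f"HIGH {ev['host']}: {proc} connected to RDP {ev['dst']}:{RDP_PORT} (proxy pivot)")
    return findings


# Constructed sample telemetry: four malicious-looking events and two benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "host": "SP01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd /c 2>&1 whoami"},
    {"type": "process", "host": "SP01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd /c dir"},
    {"type": "file", "host": "SP01", "process": "w3wp.exe", "op": "create",
     "path": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\x.aspx"},
    {"type": "file", "host": "SP01", "process": "w3wp.exe", "op": "read",
     "path": r"C:\ProgramData\1.txt"},
    {"type": "network", "host": "SP01", "process": "w3wp.exe", "dst": "10.0.0.25", "dport": 3389},
    {"type": "network", "host": "SP01", "process": "mstsc.exe", "dst": "10.0.0.25", "dport": 3389},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The rules are deliberately narrow: they key on the hosting web server process rather than on `cmd.exe` or port 3389 alone, because an interactive `mstsc.exe` session or an administrator's shell is routine, whereas the same activity originating from `w3wp.exe` is not. Replace `SAMPLE_EVENTS` with a parsed EDR or Sysmon export in the same shape to run it against real data.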
The URLs Tab in TEMPLEPLAY is crucial for maintaining consistent communication between the malware and the command-and-control (C2) server. The URLs Tab defines a set of endpoint URLs used when connecting to the infected system. Each URL endpoint is randomly selected from a pre-configured list within the malware’s settings, making it harder for defenders to identify and block the C2 traffic. These endpoints are tied to specific TEMPLEDOOR samples, such as MD5 `c57e59314aee7422e626520e495effe0`, which allows the malware to maintain a dynamic and adaptable connection with the attacker, ensuring uninterrupted control over the compromised network.
The Test Backdoor function in TEMPLEPLAY is a diagnostic tool used to verify the functionality of the malware’s communication channel. By creating a GET request with a specific string and checking for a corresponding response, attackers can confirm that the backdoor is operational and capable of receiving commands. This test ensures that the malware is actively communicating with the C2 server and is ready to execute further instructions, such as uploading or downloading files, executing arbitrary commands, or facilitating lateral movement within the compromised network.
In summary, TEMPLEPLAY operates as a highly effective, GUI-driven malware controller that simplifies the process of managing compromised systems. Its functionality ranges from executing system commands to facilitating file transfers and enabling RDP access, all of which contribute to the persistence and expansion of the attackers’ foothold within the target network. With its use of dynamic URL endpoints, proxy capabilities, and the ability to control other backdoor implants like TEMPLEDOOR, TEMPLEPLAY is a versatile tool that significantly enhances the threat actor’s operational capabilities. Defenders must understand the technical intricacies of TEMPLEPLAY and implement robust network monitoring and security practices to mitigate the risks posed by such advanced malware.