
VIROGREEN (Backdoor) – Malware

March 1, 2025

VIROGREEN

  • Type of Malware: Backdoor
  • Country of Origin: Iran
  • Targeted Countries: Middle East
  • Date of Initial Activity: 2024
  • Associated Groups: UNC1860
  • Motivation: Cyberwarfare
  • Attack Vectors: Software Vulnerabilities, Phishing
  • Targeted Systems: Windows

Overview

VIROGREEN is a sophisticated malware framework employed by the cybercriminal group UNC1860, which is known for exploiting vulnerabilities in internet-facing systems and for its advanced post-exploitation capabilities. The framework is specifically designed to target SharePoint servers vulnerable to CVE-2019-0604; once a server is compromised, VIROGREEN gives the attackers unauthorized access to it and a base from which to extend their control over the network. Unlike traditional malware, which typically communicates directly with an external command-and-control (C2) server, VIROGREEN is a custom-built solution that lets attackers manage and keep control of compromised environments with a high degree of flexibility and stealth. Its design not only ensures persistent access but also allows the attackers to manipulate compromised systems without immediately alerting security monitoring tools.

The primary strength of VIROGREEN lies in its post-exploitation features, which include deploying and managing various backdoors and payloads within the target network. After the initial compromise, VIROGREEN enables attackers to execute commands, upload and download files, and maintain their foothold through several pre-configured post-exploitation tools. These include the widely known backdoors STAYSHANTE and BASEWALK, which can be deployed on targeted machines to ensure long-term persistence. VIROGREEN also allows attackers to control agents across compromised networks regardless of the method used to implant them, providing an interface that simplifies the management of infected systems.

Targets

  • Information
  • Public Administration

How they operate

Once VIROGREEN has exploited a vulnerability such as CVE-2019-0604, it can deploy post-exploitation tools and backdoors, including STAYSHANTE and BASEWALK, that give the attackers continuous control over the compromised system. These backdoors can carry out a wide range of malicious actions, such as uploading or downloading files, executing commands, and conducting reconnaissance within the infected environment. Importantly, VIROGREEN provides a centralized interface through which attackers control compromised systems regardless of how the implants were originally introduced. This flexibility makes the framework adaptable to different attack scenarios: once a system is compromised, the attacker keeps control even if the method of exploitation changes.

A critical component of VIROGREEN’s operation is that it relies very little on traditional command-and-control (C2) infrastructure, which helps it avoid detection by network monitoring tools. Unlike malware that requires constant communication with external servers, VIROGREEN uses a passive implant approach in which the infected system itself acts as a relay or middleman. Attackers can therefore send and receive commands without the direct outbound connections that would typically trigger alerts on intrusion detection systems. Instead, VIROGREEN communicates over HTTPS-encrypted traffic, which makes the malicious activity harder to pick out of network logs.

VIROGREEN’s stealth extends to the volatile sources from which commands are delivered. Attackers can issue commands from compromised internal systems, VPN nodes, or even other victim networks. This decentralized approach makes it extremely difficult for security teams to trace the origin of the commands or to identify patterns of malicious activity, and it allows VIROGREEN to remain active within the target network for extended periods without detection, even as the attackers move laterally within the environment.

In addition to passive implants, VIROGREEN is equipped with advanced defense evasion techniques. The framework includes custom Windows kernel drivers, such as TOFUDRV, that act as a “middleman” for network traffic: they can intercept and modify data before it reaches the device or application, letting attackers manipulate or block network traffic in real time. Writing such drivers requires a deep understanding of the Windows operating system’s internals and significantly increases the malware’s ability to evade endpoint detection and response (EDR) solutions. TOFUDRV in particular is driven through undocumented Input/Output Control (IOCTL) commands, which traditional security tools find very difficult to detect, so the malware can receive commands without triggering alarms. By bypassing standard security mechanisms, VIROGREEN stays under the radar even when endpoint security systems are actively scanning for signs of compromise.

VIROGREEN also makes use of Windows file system filters to obscure its presence. Its TEMPLEDROP implant, for example, repurposes the driver of an Iranian antivirus product, Sheed AV, to protect critical files and prevent its own detection. By integrating itself into the file system in this way, VIROGREEN can evade file integrity monitoring systems and anti-virus tools, making it harder for defenders to identify compromised machines.

Overall, VIROGREEN’s technical sophistication lies in combining exploitation, post-exploitation, and stealth so that attackers can maintain persistent access to a target network without detection. Its custom tools and communication methods let it infiltrate, control, and manipulate victim systems with a high degree of flexibility. Organizations targeted by VIROGREEN must adopt advanced detection techniques, including monitoring encrypted traffic and anomalous file system behavior, to defend against this complex and evolving threat.
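As an added example that is not part of the original post and not code from UNC1860’s tooling: a small Python helper that decodes Windows IOCTL codes into their CTL_CODE fields and flags codes in the vendor-reserved ranges, which is the screening an analyst can run over DeviceIoControl telemetry when looking for the kind of undocumented IOCTL traffic described above. The process names, device paths and event records are constructed for the demonstration.

```python
# Added example: decoder and triage helper for Windows IOCTL codes.
# Bit layout follows the Windows CTL_CODE macro:
#   bits 31-16 DeviceType, 15-14 RequiredAccess, 13-2 Function, 1-0 Method.
# Microsoft reserves device types below 0x8000 and function numbers below
# 0x800; anything at or above those values is third-party defined and has
# no public documentation, which is exactly what makes it worth a look.
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def decode_ioctl(code):
    """Split a 32-bit IOCTL code into its CTL_CODE fields."""
    code &= 0xFFFFFFFF
    return {"device_type": (code >> 16) & 0xFFFF,
            "access": ACCESS[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 0x3]}


def ioctl_reasons(code):
    """Reasons a code deserves attention; an empty list means documented ranges only."""
    d = decode_ioctl(code)
    reasons = []
    if d["device_type"] >= 0x8000:
        reasons.append("vendor-defined device type 0x%04x" % d["device_type"])
    if d["function"] >= 0x800:
        reasons.append("vendor-defined function 0x%03x" % d["function"])
    if d["method"] == "METHOD_NEITHER":
        # The I/O manager does not validate buffers for this method; the
        # driver handles raw user-mode pointers itself, so it merits review.
        reasons.append("METHOD_NEITHER (no I/O manager buffer validation)")
    return reasons


# Constructed telemetry records: (process image, device path, IOCTL code).
# The device name is hypothetical; the first code is the documented
# IOCTL_DISK_GET_DRIVE_GEOMETRY (FILE_DEVICE_DISK = 7, function 0).
SAMPLE_EVENTS = [
    ("svchost.exe", r"\Device\Harddisk0\DR0", 0x00070000),
    ("w3wp.exe", r"\Device\ExampleFilter", 0x80002003),  # vendor device, fn 0x800, METHOD_NEITHER
    ("w3wp.exe", r"\Device\ExampleFilter", 0x00122000),  # FILE_DEVICE_NETWORK with vendor fn
]


def triage(events):
    """Return (process, device, hex code, reasons) for events outside documented ranges."""
    flagged = []
    for proc, dev, code in events:
        reasons = ioctl_reasons(code)
        if reasons:
            flagged.append((proc, dev, "0x%08x" % code, reasons))
    return flagged
```

Feed `triage` with real DeviceIoControl events from your EDR or ETW collection; codes that decode into vendor ranges on a device you cannot attribute to a known driver are the ones to pull for driver analysis.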