Saturday, January 18, 2025
HomeAzureIranian Hackers Using Multi-Stage Malware To Attack Govt And Defense Sectors Via...

Iranian Hackers Using Multi-Stage Malware To Attack Govt And Defense Sectors Via LinkedIn

Published on

SIEM as a Service

Follow Us on Google News

Microsoft has identified a new Iranian state-sponsored threat actor, Peach Sandstorm, deploying a custom multi-stage backdoor named Tickler. 

This backdoor has been used to target various sectors, including satellite, communications equipment, oil and gas, and government, in the United States and the United Arab Emirates. Peach Sandstorm has also engaged in password spray attacks and intelligence gathering activities on LinkedIn

Microsoft assesses that this threat actor operates on behalf of the Iranian Islamic Revolutionary Guard Corps and is designed to support Iranian state interests by sharing this information to raise awareness and help organizations strengthen their defenses against such threats.

Peach Sandstorm attack chain

Peach Sandstorm, a threat actor known for password spray attacks and LinkedIn-based intelligence gathering, has recently evolved its tactics by deploying a new custom backdoor, Tickler, and utilizing fraudulent Azure subscriptions for command and control. 

It was observed between April and July 2024, which highlights the group’s adaptability and ongoing efforts to evade detection by identifying and disrupting the malicious Azure infrastructure involved in these operations, protecting affected organizations.

Peach Sandstorm is conducting intelligence gathering on LinkedIn using fake profiles and password spray attacks targeting various sectors. 

The group leveraged compromised accounts to gain access to Azure infrastructure and conduct further attacks, while Microsoft has implemented security measures like multi-factor authentication to mitigate such threats.

Network information collected by Tickler after deployment on target host

It deployed Tickler, a custom multi-stage backdoor, in compromised environments, which is a 64-bit PE file that collects network information and sends it to a C2 server. 

The second Tickler sample, sold.dll, is a Trojan dropper that downloads additional payloads, including a backdoor and legitimate files for DLL sideloading, which can run commands like systeminfo, dir, run, delete, interval, upload, and download.

Registry Run key added to set up persistence

Peach Sandstorm, a cyber threat group, abused Azure resources to create a command-and-control (C2) infrastructure by using compromised accounts to create Azure tenants and subscriptions, then deployed Azure Web Apps as C2 nodes. 

These nodes, identified by domain names like subreviews.azurewebsites[.]net and satellite2.azurewebsites[.]net, were used to facilitate malicious activities, which are similar to those employed by other Iranian threat groups like Smoke Sandstorm.

The threat actors have been successfully compromising organizations in various sectors using customized tools.

After gaining initial access, they employ lateral movement techniques, such as SMB, to spread within the network. 

They also download and install remote monitoring and management tools, like AnyDesk, to maintain persistence and control.

In certain cases, they capture Active Directory snapshots to gather sensitive information and plan further attacks.

To mitigate Peach Sandstorm attacks, prioritize securing identity infrastructure by implementing conditional access policies, blocking legacy authentication, and enabling MFA. 

Strengthen password hygiene with least privilege practices, password protection, and identity protection.

Protect endpoints with cloud-delivered protection, real-time protection, and EDR in block mode. 

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Deploy Web Shell To Abuse IIS Worker And Exfiltrate Data

An attacker exploited a vulnerability in the batchupload.aspx and email_settings.aspx pages on the target...

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...

Thousands of PHP-based Web Applications Exploited to Deploy Malware

A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web...