Microsoft identified a new custom multi-stage backdoor, “Tickler,” deployed by the Iranian state-sponsored threat actor Peach Sandstorm between April and July 2024.
Targeting sectors like satellite, communications equipment, oil and gas, and government, Tickler has been used to gather intelligence.
Peach Sandstorm also conducted password spray attacks on educational and government sectors.
The group employed social engineering techniques on LinkedIn to target higher education, satellite, and defense organizations, while Microsoft assesses Peach Sandstorm’s operations are aligned with the Iranian IRGC’s interests and aims to facilitate intelligence collection.
Peach Sandstorm, a cyber threat actor known for its password spray attacks and LinkedIn-based intelligence gathering, has evolved its tactics; recently, it deployed a new custom backdoor called Tickler and used fraudulent Azure subscriptions for command-and-control.
It highlights the group’s adaptability and underscores the importance of continuous monitoring and threat detection to mitigate evolving cyber threats, while proactive steps have been taken to disrupt the group’s infrastructure and notify affected organizations.
A threat actor group, conducting intelligence gathering and social engineering campaigns on LinkedIn from November 2021 to mid-2024 by using fake LinkedIn profiles to target higher education, satellite, and related industries.
They carried out password spray attacks against various organizations, compromising accounts and using them to access Azure infrastructure for further operations by targeting sectors like defense, space, education, and government in the US and Australia.
The APT group Peach Sandstorm used a custom multi-stage backdoor called Tickler to compromise target networks, which disguised itself as a security guide and collected network information before loading a legitimate PDF as a decoy.
An improved version, sold.dll, downloaded additional payloads, including a backdoor, persistence script, and legitimate DLLs likely for sideloading.
It then added a registry key to ensure its persistence and offered functionalities like system information gathering, directory listing, command execution, file deletion, and file transfer with the C2 server.
Peach Sandstorm, a malicious group, abused Azure resources by creating multiple tenants and subscriptions using compromised user accounts and then deployed C2 nodes, identified as Tickler, on these Azure resources, which were used to control a backdoor, likely for malicious activities.
The group’s tactics align with those used by other Iranian groups like Smoke Sandstorm, who have been observed employing similar techniques in recent months.
It has been compromising organizations and moving laterally within their networks by using SMB to hop between systems and download and install remote monitoring and management tools like AnyDesk for persistence and control.
According to Microsoft, they have been known to take snapshots of Active Directory databases, potentially using them for reconnaissance or further compromise.
To mitigate Peach Sandstorm attacks, implement robust identity protection measures, including MFA, conditional access, and password protection.
Strengthen endpoint security with cloud-delivered protection, real-time protection, and EDR. Protect networks with anomaly detection, web protection, and tamper protection.
https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/.
Download FreeIncident Response Plan Template
for Your Security Team – Free Download