Thursday, December 5, 2024
HomeCyber AttackNew Custom Malware "Tickler" Attack Satellite Devices

New Custom Malware “Tickler” Attack Satellite Devices

Published on

SIEM as a Service

Microsoft identified a new custom multi-stage backdoor, “Tickler,” deployed by the Iranian state-sponsored threat actor Peach Sandstorm between April and July 2024. 

Targeting sectors like satellite, communications equipment, oil and gas, and government, Tickler has been used to gather intelligence.

Peach Sandstorm also conducted password spray attacks on educational and government sectors. 

- Advertisement - SIEM as a Service

The group employed social engineering techniques on LinkedIn to target higher education, satellite, and defense organizations, while Microsoft assesses Peach Sandstorm’s operations are aligned with the Iranian IRGC’s interests and aims to facilitate intelligence collection.

Peach Sandstorm attack chain

Peach Sandstorm, a cyber threat actor known for its password spray attacks and LinkedIn-based intelligence gathering, has evolved its tactics; recently, it deployed a new custom backdoor called Tickler and used fraudulent Azure subscriptions for command-and-control. 

It highlights the group’s adaptability and underscores the importance of continuous monitoring and threat detection to mitigate evolving cyber threats, while proactive steps have been taken to disrupt the group’s infrastructure and notify affected organizations.

A threat actor group, conducting intelligence gathering and social engineering campaigns on LinkedIn from November 2021 to mid-2024 by using fake LinkedIn profiles to target higher education, satellite, and related industries. 

They carried out password spray attacks against various organizations, compromising accounts and using them to access Azure infrastructure for further operations by targeting sectors like defense, space, education, and government in the US and Australia.

Network information collected by Tickler after deployment on target host

The APT group Peach Sandstorm used a custom multi-stage backdoor called Tickler to compromise target networks, which disguised itself as a security guide and collected network information before loading a legitimate PDF as a decoy. 

An improved version, sold.dll, downloaded additional payloads, including a backdoor, persistence script, and legitimate DLLs likely for sideloading.

It then added a registry key to ensure its persistence and offered functionalities like system information gathering, directory listing, command execution, file deletion, and file transfer with the C2 server. 

Registry Run key added to set up persistence

Peach Sandstorm, a malicious group, abused Azure resources by creating multiple tenants and subscriptions using compromised user accounts and then deployed C2 nodes, identified as Tickler, on these Azure resources, which were used to control a backdoor, likely for malicious activities. 

The group’s tactics align with those used by other Iranian groups like Smoke Sandstorm, who have been observed employing similar techniques in recent months.

It has been compromising organizations and moving laterally within their networks by using SMB to hop between systems and download and install remote monitoring and management tools like AnyDesk for persistence and control. 

According to Microsoft, they have been known to take snapshots of Active Directory databases, potentially using them for reconnaissance or further compromise.

To mitigate Peach Sandstorm attacks, implement robust identity protection measures, including MFA, conditional access, and password protection.

Strengthen endpoint security with cloud-delivered protection, real-time protection, and EDR. Protect networks with anomaly detection, web protection, and tamper protection. 

https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...