Saturday, September 7, 2024
HomeCyber AttackNew Custom Malware "Tickler" Attack Satellite Devices

New Custom Malware “Tickler” Attack Satellite Devices

Published on

Microsoft identified a new custom multi-stage backdoor, “Tickler,” deployed by the Iranian state-sponsored threat actor Peach Sandstorm between April and July 2024. 

Targeting sectors like satellite, communications equipment, oil and gas, and government, Tickler has been used to gather intelligence.

Peach Sandstorm also conducted password spray attacks on educational and government sectors. 

- Advertisement - EHA

The group employed social engineering techniques on LinkedIn to target higher education, satellite, and defense organizations, while Microsoft assesses Peach Sandstorm’s operations are aligned with the Iranian IRGC’s interests and aims to facilitate intelligence collection.

Peach Sandstorm attack chain

Peach Sandstorm, a cyber threat actor known for its password spray attacks and LinkedIn-based intelligence gathering, has evolved its tactics; recently, it deployed a new custom backdoor called Tickler and used fraudulent Azure subscriptions for command-and-control. 

It highlights the group’s adaptability and underscores the importance of continuous monitoring and threat detection to mitigate evolving cyber threats, while proactive steps have been taken to disrupt the group’s infrastructure and notify affected organizations.

A threat actor group, conducting intelligence gathering and social engineering campaigns on LinkedIn from November 2021 to mid-2024 by using fake LinkedIn profiles to target higher education, satellite, and related industries. 

They carried out password spray attacks against various organizations, compromising accounts and using them to access Azure infrastructure for further operations by targeting sectors like defense, space, education, and government in the US and Australia.

Network information collected by Tickler after deployment on target host

The APT group Peach Sandstorm used a custom multi-stage backdoor called Tickler to compromise target networks, which disguised itself as a security guide and collected network information before loading a legitimate PDF as a decoy. 

An improved version, sold.dll, downloaded additional payloads, including a backdoor, persistence script, and legitimate DLLs likely for sideloading.

It then added a registry key to ensure its persistence and offered functionalities like system information gathering, directory listing, command execution, file deletion, and file transfer with the C2 server. 

Registry Run key added to set up persistence

Peach Sandstorm, a malicious group, abused Azure resources by creating multiple tenants and subscriptions using compromised user accounts and then deployed C2 nodes, identified as Tickler, on these Azure resources, which were used to control a backdoor, likely for malicious activities. 

The group’s tactics align with those used by other Iranian groups like Smoke Sandstorm, who have been observed employing similar techniques in recent months.

It has been compromising organizations and moving laterally within their networks by using SMB to hop between systems and download and install remote monitoring and management tools like AnyDesk for persistence and control. 

According to Microsoft, they have been known to take snapshots of Active Directory databases, potentially using them for reconnaissance or further compromise.

To mitigate Peach Sandstorm attacks, implement robust identity protection measures, including MFA, conditional access, and password protection.

Strengthen endpoint security with cloud-delivered protection, real-time protection, and EDR. Protect networks with anomaly detection, web protection, and tamper protection. 

https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/.

Download FreeIncident Response Plan Templatefor Your Security Team – Free Download

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...