Microsoft links Peach Sandstorm, an Iranian state-sponsored actor, to a new multi-stage backdoor named Tickler used against satellite, communications, oil and gas, and government sectors in the US and UAE between April and July 2024. The campaign also involved password spray and intelligence gathering via LinkedIn, with Microsoft disrupting the attacker-controlled Azure infrastructure and notifying affected organizations.
Key points
- Peach Sandstorm is an Iranian state-sponsored threat actor linked to the IRGC.
- Deployment of a new multi-stage backdoor called Tickler observed between April and July 2024.
- Targets include satellite, communications, oil and gas, and government sectors in the US and UAE.
- Continued use of password spray attacks against the educational sector and other critical industries.
- Intelligence gathering and social engineering activities conducted via LinkedIn.
- Tickler malware collects network information and uses Azure infrastructure for command-and-control.
- Mitigations recommended include resetting passwords, enforcing MFA, and implementing Azure Security Benchmark.
MITRE Techniques
- [T1110.001] Password Spraying – Credential access via password spray to gain access to accounts. ‘Password spray attacks to gain access to accounts.’
- [T1204.002] User Execution – Malicious executable delivered under a decoy PDF file name (double extension). ‘The archive file contained: YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe – the Tickler malware’
- [T1547.001] Registry Run Keys/Startup Folder – Batch script adds a registry Run key for persistence. ‘The batch script adds a registry Run key for a file called SharePoint.exe, likely used to load the malicious DLL files above, thus setting up persistence.’
- [T1071.001] Web Protocols – Tickler uses HTTP POST requests to communicate with C2. ‘Tickler uses HTTP POST requests to communicate with C2.’
- [T1041] Exfiltration Over C2 Channel – Exfiltration of data to the C2 channel. ‘Sending collected network information to C2.’
- [T1021.002] SMB/Windows Admin Shares – Lateral movement via SMB protocol. ‘Lateral movement via SMB protocol.’
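Two defender-side checks for the techniques listed above, written as an added example that is not part of the Microsoft report: a test for the double-extension decoy name pattern (T1204.002) and a heuristic for password spray in failed-logon records (T1110.001). The extension lists, thresholds, event format and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Added example, not code from the Microsoft report. Extension lists and
# spray thresholds are assumptions chosen for illustration, not report values.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "ps1", "vbs", "js"}


def is_double_extension_lure(filename: str) -> bool:
    """True when a document extension is immediately followed by an executable
    one, the pattern of the decoy '..._GUIDE_20240421.pdf.exe' named in the report."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS


def detect_password_spray(events, window=600, min_accounts=8, max_per_account=3):
    """Return source IPs that, within `window` seconds, fail logons against at
    least `min_accounts` distinct accounts with at most `max_per_account` tries
    each (many users, few guesses: the spray signature, unlike brute force).
    Each event is (epoch_seconds, source_ip, username, success)."""
    failures = defaultdict(list)  # source_ip -> [(ts, user), ...]
    for ts, src, user, ok in events:
        if not ok:
            failures[src].append((ts, user))
    flagged = set()
    for src, items in failures.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide the window over each start
            per_user = defaultdict(int)
            for t, user in items[i:]:
                if t - t0 > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged.add(src)
                break
    return sorted(flagged)


# Constructed sample: one source tries one guess against 10 accounts in 5 minutes;
# another source is a single user mistyping a password a few times, then succeeding.
SAMPLE_EVENTS = (
    [(1700000000 + 30 * i, "203.0.113.7", f"user{i:02d}", False) for i in range(10)]
    + [(1700000000 + 60 * i, "198.51.100.9", "alice", False) for i in range(4)]
    + [(1700000300, "198.51.100.9", "alice", True)]
)

if __name__ == "__main__":
    print(is_double_extension_lure("YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe"))
    print(detect_password_spray(SAMPLE_EVENTS))  # ['203.0.113.7']
```

Only the spraying source is flagged; the single user with a few failures against one account is not, which is the distinction the thresholds encode.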
Indicators of Compromise
- [Domain] C2/attack domains – subreviews.azurewebsites.net, satellite2.azurewebsites.net, nodetestservers.azurewebsites.net, and 13 more domains
- [File hash] Tickler-related file hashes – 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198, cb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4, and 3 more hashes
- [File name] Tickler/related binaries – YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe, Sold.dll, and 3 more binaries