{"id":25129,"date":"2024-09-12T09:01:02","date_gmt":"2024-09-12T17:01:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/09\/12\/news-18859\/"},"modified":"2024-09-12T09:01:02","modified_gmt":"2024-09-12T17:01:02","slug":"news-18859","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/09\/12\/news-18859\/","title":{"rendered":"Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations"},"content":{"rendered":"

Credit to Author: Microsoft Threat Intelligence| Date: Wed, 28 Aug 2024 15:00:00 +0000<\/strong><\/p>\n

Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor\u2019s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.<\/p>\n

Peach Sandstorm also continued conducting password spray attacks<\/a> against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection. In addition, Microsoft observed intelligence gathering and possible social engineering targeting organizations within the higher education, satellite, and defense sectors via the professional networking platform LinkedIn.<\/p>\n

Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group\u2019s victimology and operational focus. Microsoft further assesses that Peach Sandstorm\u2019s operations are designed to facilitate intelligence collection in support of Iranian state interests.<\/p>\n

Microsoft tracks Peach Sandstorm campaigns and directly notifies customers who we observe have been targeted or compromised, providing them with the necessary information to help secure their environment. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Peach Sandstorm\u2019s use of Tickler to raise awareness of this threat actor\u2019s evolving tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. Microsoft published information on unrelated election interference linked to Iran in the most recent Microsoft Threat Analysis Center (MTAC) report<\/a>.<\/p>\n

Evolution of Peach Sandstorm tradecraft<\/h2>\n

In past campaigns, Peach Sandstorm has been observed to use password spray attacks to gain access to targets of interest with a high level of success. The threat actor has also conducted intelligence gathering via LinkedIn, researching organizations and individuals employed in the higher education, satellite, and defense sectors.<\/p>\n

During the group\u2019s latest operations, Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering. Between April and July 2024, Peach Sandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2). Microsoft continuously monitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service. Microsoft has notified affected organizations and disrupted the fraudulent Azure infrastructure and accounts associated with this activity.<\/p>\n

\"A
Figure 1. Peach Sandstorm attack chain<\/figcaption><\/figure>\n

Intelligence gathering on LinkedIn<\/h3>\n

Going back to at least November 2021 and continuing through mid-2024, Microsoft observed Peach Sandstorm using multiple LinkedIn profiles masquerading as students, developers, and talent acquisition managers based in the US and Western Europe. Peach Sandstorm primarily used them to conduct intelligence gathering and possible social engineering against the higher education, satellite sectors, and related industries. The identified LinkedIn accounts were subsequently taken down. Information on LinkedIn\u2019s policies and actions against inauthentic behavior on its platform is available here<\/a>.<\/p>\n

Password spray attacks as a common attack vector<\/h3>\n

Since at least February 2023, Microsoft has observed Peach Sandstorm carrying out password spray activity against thousands of organizations. In password spray attacks, threat actors attempt to authenticate to many different accounts using a single password or a list of commonly used passwords. In contrast to brute force attacks, which target a single account using many passwords, password spray attacks help adversaries maximize their chances for success and minimize the likelihood of automatic account lockouts.<\/p>\n

Microsoft has observed that once Peach Sandstorm has verified a target account\u2019s credentials using the password spray technique, the threat actor performed subsequent sign-ins to the compromised accounts from commercial VPN infrastructure.<\/p>\n

In April and May 2024, Microsoft observed Peach Sandstorm conducting password spray attacks targeting organizations in the defense, space, education, and government sectors in the US and Australia. In particular, Peach Sandstorm continued to use the \u201cgo-http-client\u201d<\/em> user agent that they are known to leverage in password spray campaigns. While the password spray activity appeared consistently across sectors, Microsoft observed Peach Sandstorm exclusively leveraging compromised user accounts in the education sector to procure operational infrastructure. In these cases, the threat actor accessed existing Azure subscriptions or created one using the compromised account to host their infrastructure. The attacker-controlled Azure infrastructure then served as C2 or operational hops for Peach Sandstorm operations targeting the government, defense, and space sectors. Recent updates to security defaults in Azure<\/a>, such as multi-factor authentication help ensure that Azure accounts are more resistant to account compromise techniques such as those used by Peach Sandstorm.<\/p>\n

Tickler malware<\/h3>\n

Microsoft Threat Intelligence identified two samples of the Tickler malware, a custom multi-stage backdoor, that Peach Sandstorm deployed in compromised environments as recently as July 2024. The first sample was contained in an archive file named Network Security.zip<\/em> alongside benign PDF files used as decoy documents. The archive file contained:<\/p>\n