Iranian APT Peach Sandstorm teases new Tickler malware
Peach Sandstorm, an Iranian state threat actor, has developed a dangerous new malware strain that forms a key element of a rapidly evolving attack sequence
Microsoft threat researchers have issued a warning after tracking the emergence of a novel, customised, multi-stage backdoor malware dubbed Tickler, which is being used against targets in the satellite, communications, oil and gas, and government sectors in the US and UAE.
Tickler appears to be being used by an Iran-backed advanced persistent threat (APT) actor, which Microsoft Threat Intelligence has dubbed Peach Sandstorm (aka APT33), likely a cyber unit operating on behalf of the Iranian Revolutionary Guard Corps (IRGC). Mint Sandstorm (aka Charming Kitten), another IRGC-linked group, is suspected of being behind the recent hacking of Donald Trump’s election campaign.
The malware was deployed earlier this year, and its use represents a diversification of Peach Sandstorm’s attack methodology.
“Microsoft observed new tactics, techniques and procedures (TTPs) following initial access via password spray attacks or social engineering,” wrote the Microsoft research team.
“Between April and July 2024, Peach Sandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command and control (C2).
“Microsoft continuously monitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service,” they said. “Microsoft has notified affected organisations and disrupted the fraudulent Azure infrastructure and accounts associated with this activity.”
Peach Sandstorm was already known for deploying successful password spraying attacks against its targets, having generally researched persons of interest via LinkedIn.
Password spraying
Its evolved attack chain still makes use of the password spraying technique, but in the Tickler campaign, this was used to access organisations in the education sector and hijack key accounts. Peach Sandstorm then used the accounts it had taken over to access existing Azure subscriptions or create new ones. It then used the illicitly procured Azure infrastructure as C2 or to hop to other targets, mainly in the defence, government and space sectors.
Microsoft said recent security updates to Azure should have made such accounts more resistant to these tactics, although evidently not soon enough to prevent this campaign.
What does Tickler do?
Tickler was designed to play a key role in this procurement process by enabling Peach Sandstorm to gain a foothold in its target networks.
So far, Microsoft has identified two distinct Tickler samples. The first of these is used to collect network information from the host system and send it to the C2 Uniform Resource Identifier (URI) via an HTTP POST request. This probably serves to help Peach Sandstorm get oriented on the compromised network.
The second iteration improves on the first, adding Trojan dropper functionality to download payloads from the C2 server, including a backdoor, a batch script to enable persistence for the backdoor, and some legitimate files used for dynamic link library (DLL) sideloading.
Microsoft said Peach Sandstorm had compromised several organisations in this way with various endgame objectives – including the use of Server Message Block (SMB) to move laterally and elevate its control, the downloading and installing of remote monitoring and management (RMM) tools to snoop on its targets, and taking Active Directory (AD) snapshots to exploit in further attacks.
Beat the Peach
Microsoft’s write-up set out several steps defenders in at-risk organisations should now be taking. These include:
- To reset credentials on any accounts targeted with a password spraying attack, and revoke their session cookies and any changes that may have been made on the accounts, such as to MFA settings;
- To enable MFA challenges for MFA setting changes, and improve credential hygiene in general, such as by implementing least privilege protocols and engaging enhanced protections available in Microsoft Entra;
- To implement Azure Security Benchmark and other best practices, set out here.
More guidance is available from Microsoft.
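The password spraying described above, and the first of Microsoft's recommended steps (resetting credentials on sprayed accounts), can be tied together in a simple detection. The following is an added example written for this article; it is not Microsoft's code and not from the Computer Weekly write-up. It runs over constructed sign-in records whose four-field shape (timestamp, user, source IP, result) is an assumption that loosely mirrors Entra ID sign-in logs, and the threshold and window values are assumptions a defender would tune to their own tenant.

```python
"""
Password-spray detector over constructed sign-in records.

Added example, not Microsoft's code. The record format, the field names
and the thresholds below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumed values; tune to your own baseline):
#   a spray is flagged when one source IP fails against at least this
#   many distinct accounts inside one sliding window.
FAILURE_USER_THRESHOLD = 10
WINDOW = timedelta(minutes=30)

# Constructed sample data (not real logs). One address tries a single
# password against twelve accounts in twelve minutes, then succeeds on
# one of them; a second address is a user mistyping their own password.
SPRAY_IP = "203.0.113.7"
SAMPLE_SIGNINS = [
    (f"2024-05-02T08:{i:02d}:10Z", f"user{i:02d}@example.edu", SPRAY_IP, "failure")
    for i in range(12)
]
SAMPLE_SIGNINS.append(("2024-05-02T08:15:00Z", "user07@example.edu", SPRAY_IP, "success"))
SAMPLE_SIGNINS += [
    ("2024-05-02T09:00:00Z", "alice@example.edu", "198.51.100.9", "failure"),
    ("2024-05-02T09:00:20Z", "alice@example.edu", "198.51.100.9", "failure"),
    ("2024-05-02T09:01:00Z", "alice@example.edu", "198.51.100.9", "success"),
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records, user_threshold=FAILURE_USER_THRESHOLD, window=WINDOW):
    """
    Group failed sign-ins by source IP and look for a window in which one
    IP fails against many distinct accounts (low-and-slow sprays spread
    across IPs would need a per-user or per-tenant view as well).

    Returns {ip: {"sprayed_users": [...], "successful_logons": [...]}} where
    successful_logons lists sprayed accounts that the same IP later
    signed into successfully, i.e. the accounts to reset first.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in records:
        by_ip[ip].append((parse_ts(ts), user, result))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological; tuples sort on the datetime first
        failures = [(t, u) for t, u, r in events if r == "failure"]

        sprayed = set()
        for i, (t_start, _) in enumerate(failures):
            in_window = {u for t, u in failures[i:] if t - t_start <= window}
            if len(in_window) >= user_threshold:
                sprayed |= in_window
        if not sprayed:
            continue

        hits = sorted({u for t, u, r in events if r == "success" and u in sprayed})
        findings[ip] = {"sprayed_users": sorted(sprayed), "successful_logons": hits}
    return findings


def accounts_to_reset(findings):
    """
    Flatten findings into the credential-reset list from the article's
    first recommendation: every sprayed account that was actually entered.
    """
    return sorted({u for f in findings.values() for u in f["successful_logons"]})


if __name__ == "__main__":
    result = detect_spray(SAMPLE_SIGNINS)
    for ip, detail in result.items():
        print(f"{ip}: {len(detail['sprayed_users'])} accounts sprayed, "
              f"entered: {detail['successful_logons']}")
    print("reset first:", accounts_to_reset(result))
```

The benign address is never flagged because it only ever fails against one account, while the spraying address is flagged on the first failure's window alone. In practice the reset list from `accounts_to_reset` is the starting point for the session revocation and MFA-settings review the article goes on to recommend, since a successful spray logon is exactly where an attacker would register their own MFA method.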