Microsoft has identified a new Iranian state-sponsored threat actor, Peach Sandstorm, deploying a custom multi-stage backdoor named Tickler.
This backdoor has been used to target various sectors, including satellite, communications equipment, oil and gas, and government, in the United States and the United Arab Emirates. Peach Sandstorm has also engaged in password spray attacks and intelligence gathering activities on LinkedIn.
Microsoft assesses that this threat actor operates on behalf of the Iranian Islamic Revolutionary Guard Corps and is designed to support Iranian state interests by sharing this information to raise awareness and help organizations strengthen their defenses against such threats.
Peach Sandstorm, a threat actor known for password spray attacks and LinkedIn-based intelligence gathering, has recently evolved its tactics by deploying a new custom backdoor, Tickler, and utilizing fraudulent Azure subscriptions for command and control.
It was observed between April and July 2024, which highlights the group’s adaptability and ongoing efforts to evade detection by identifying and disrupting the malicious Azure infrastructure involved in these operations, protecting affected organizations.
Peach Sandstorm is conducting intelligence gathering on LinkedIn using fake profiles and password spray attacks targeting various sectors.
The group leveraged compromised accounts to gain access to Azure infrastructure and conduct further attacks, while Microsoft has implemented security measures like multi-factor authentication to mitigate such threats.
It deployed Tickler, a custom multi-stage backdoor, in compromised environments, which is a 64-bit PE file that collects network information and sends it to a C2 server.
The second Tickler sample, sold.dll, is a Trojan dropper that downloads additional payloads, including a backdoor and legitimate files for DLL sideloading, which can run commands like systeminfo, dir, run, delete, interval, upload, and download.
Peach Sandstorm, a cyber threat group, abused Azure resources to create a command-and-control (C2) infrastructure by using compromised accounts to create Azure tenants and subscriptions, then deployed Azure Web Apps as C2 nodes.
These nodes, identified by domain names like subreviews.azurewebsites[.]net and satellite2.azurewebsites[.]net, were used to facilitate malicious activities, which are similar to those employed by other Iranian threat groups like Smoke Sandstorm.
The threat actors have been successfully compromising organizations in various sectors using customized tools.
After gaining initial access, they employ lateral movement techniques, such as SMB, to spread within the network.
They also download and install remote monitoring and management tools, like AnyDesk, to maintain persistence and control.
In certain cases, they capture Active Directory snapshots to gather sensitive information and plan further attacks.
To mitigate Peach Sandstorm attacks, prioritize securing identity infrastructure by implementing conditional access policies, blocking legacy authentication, and enabling MFA.
Strengthen password hygiene with least privilege practices, password protection, and identity protection.
Protect endpoints with cloud-delivered protection, real-time protection, and EDR in block mode.
Download FreeIncident Response Plan Templatefor Your Security Team – Free Download
