Peach Sandstorm, an allegedly Iran-sponsored hacking group, has developed a new custom multi-stage backdoor to infiltrate its targets in cyber espionage operations.
Microsoft Threat Intelligence, which detected the new malware, called it Tickler.
Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas as well as federal and state government sectors in the US and the United Arab Emirates.
Uncovering Tickler’s Infection Chain
Microsoft Threat Intelligence has identified two samples of the Tickler malware that Peach Sandstorm deployed in compromised environments between April and July 2024.
The first sample was contained in an archive file named Network Security.zip alongside legitimate PDF files used as decoy documents.
The second Tickler sample, sold.dll, is a Trojan dropper functionally identical to the previously identified sample.
Once executed, both samples gather network information from the infected machine and send it to a command and control (C2) server, potentially helping the attackers understand the compromised network layout.
Microsoft observed Peach Sandstorm creating Azure tenants using Microsoft Outlook email accounts and creating Azure for Students subscriptions in these tenants.
Additionally, the group leveraged compromised user accounts in the Azure tenants of organizations in the education sector to do the same. Within these subscriptions, Peach Sandstorm subsequently created Azure resources for use as C2 for the backdoor.
A similar tactic was used in the past by other Iranian threat groups, including Smoke Sandstorm.
Peach Sandstorm’s Techniques, Tactics and Procedures
Peach Sandstorm is a cyber espionage group that has been active since at least 2013. Microsoft believes it operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC).
In previous campaigns, Peach Sandstorm has used several techniques, including intelligence gathering via LinkedIn and password spray attacks to gain access to targets of interest.
Once Peach Sandstorm gains access to an organization, the threat actor is known to perform lateral movement and actions on objectives using the following techniques:
- Moving laterally via Server Message Block (SMB)
- Downloading and installing a remote monitoring and management (RMM) tool
- Taking a Microsoft Active Directory (AD) snapshot
According to Microsoft, the use of a custom backdoor is consistent with the threat actor’s persistent intelligence-gathering objectives and represents the latest evolution of their longstanding cyber operations.
Microsoft’s Mitigation Recommendations
In its Tickler analysis, Microsoft Threat Intelligence provided a list of recommendations to mitigate attacks using Peach Sandstorm’s techniques, tactics and procedures.
These include:
- Resetting account passwords for any accounts targeted during a password spray attack
- Revoking session cookies in addition to resetting passwords
- Revoking any multifactor authentication (MFA) setting changes made by the attacker on any compromised users’ accounts
- Requiring an MFA re-challenge for MFA updates as the default
- Implementing the Azure Security Benchmark and general best practices for securing identity infrastructure
- Securing accounts with credential hygiene (e.g. the principle of least privilege)
- Deploying Microsoft Entra Connect Health for Active Directory Federation Services (AD FS)
- Turning on identity protection in Microsoft Entra to monitor for identity-based risks and create policies for risky sign-ins
- Securing Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks
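As an added example (not code from Microsoft's report or from this article): a small Python detector that flags password-spray activity in constructed sign-in events and derives the account lists the first two recommendations act on, accounts to reset and accounts whose sessions to revoke. The sample events, the 10-minute window and the five-account threshold are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for illustration, not real telemetry.
# Fields: (UTC timestamp, account, source IP, result)
SIGNIN_EVENTS = [
    ("2024-05-02T09:00:01Z", "alice@example.test", "203.0.113.10", "failure"),
    ("2024-05-02T09:00:04Z", "bob@example.test", "203.0.113.10", "failure"),
    ("2024-05-02T09:00:07Z", "carol@example.test", "203.0.113.10", "failure"),
    ("2024-05-02T09:00:11Z", "dave@example.test", "203.0.113.10", "failure"),
    ("2024-05-02T09:00:15Z", "erin@example.test", "203.0.113.10", "failure"),
    ("2024-05-02T09:00:19Z", "frank@example.test", "203.0.113.10", "success"),
    # One user mistyping a password twice is not a spray.
    ("2024-05-02T09:05:00Z", "bob@example.test", "198.51.100.7", "failure"),
    ("2024-05-02T09:05:20Z", "bob@example.test", "198.51.100.7", "failure"),
    ("2024-05-02T09:05:40Z", "bob@example.test", "198.51.100.7", "success"),
    # Three accounts from one source: below the default threshold used here.
    ("2024-05-02T10:00:00Z", "gina@example.test", "192.0.2.5", "failure"),
    ("2024-05-02T10:00:30Z", "hank@example.test", "192.0.2.5", "failure"),
    ("2024-05-02T10:01:00Z", "ivan@example.test", "192.0.2.5", "failure"),
]

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map each spraying source IP to the sorted accounts it targeted. A source is
    flagged when its failed sign-ins cover at least min_accounts distinct accounts
    inside any window-long span (both thresholds are assumptions)."""
    failures = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "failure":
            failures[ip].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            targeted = {acct for _, acct in attempts[start:end + 1]}
            if len(targeted) >= min_accounts:
                flagged.setdefault(ip, set()).update(targeted)
    return {ip: sorted(accts) for ip, accts in flagged.items()}

def response_plan(events, **kwargs):
    """Return (accounts to reset, accounts to revoke sessions for): every targeted
    account is reset; accounts a spraying source signed into also lose their sessions."""
    sprays = detect_password_spray(events, **kwargs)
    revoke = {acct for _, acct, ip, result in events if result == "success" and ip in sprays}
    targeted = {acct for accts in sprays.values() for acct in accts}
    return sorted(targeted | revoke), sorted(revoke)
```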