Iranian State-Backed Group Deploys Custom Malware in Ongoing Intelligence Operations
The group targeted sectors including satellite, communications, oil and gas, as well as federal and state governments in the United States and the UAE between April and July 2024. This activity represents a significant evolution in Peach Sandstorm’s ongoing intelligence-gathering operations.
Introduction
On August 28, 2024, Microsoft released a detailed report on Peach Sandstorm, an Iranian state-sponsored threat actor that deployed a new custom malware named Tickler. Between April and July 2024, the group targeted sectors including satellite, communications, oil and gas, and federal and state governments in the United States and the UAE. This activity represents a significant evolution in Peach Sandstorm's ongoing intelligence-gathering operations.
Report Overview
Peach Sandstorm, attributed to the Iranian Islamic Revolutionary Guard Corps (IRGC), has been active since at least November 2021. It focuses on intelligence collection through password spray attacks and LinkedIn-based social engineering. The recent discovery of Tickler marks a new phase in their cyber operations, emphasizing their commitment to enhancing their offensive capabilities.
The Tickler malware, a multi-stage backdoor, was initially deployed through compromised Azure infrastructure in April 2024. The malware was distributed in an archive named "Network Security.zip," containing both benign PDF files and the malicious executable YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe. Upon execution, Tickler collects network information from the host and communicates with the command-and-control (C2) servers hosted on fraudulent Azure subscriptions.
Subsequent samples of Tickler showed refinements, including the ability to download additional payloads such as backdoors and persistence mechanisms. To evade detection, the threat actor used DLL sideloading, abusing legitimate binaries such as msvcp140.dll and Microsoft.SharePoint.NativeMessaging.exe to load malicious code.
The deployment of Tickler across critical sectors poses severe risks, potentially exposing sensitive information and disrupting essential services. Using compromised educational sector accounts to procure operational infrastructure highlights the threat actor's strategic approach to resource acquisition and the broader implications for global cybersecurity.
Insights and Analysis
Peach Sandstorm's deployment of Tickler reflects their ongoing efforts to enhance their intelligence-gathering operations, leveraging advanced malware and sophisticated attack vectors. The discovery of this new threat emphasizes the critical need for robust security measures to protect against state-sponsored cyber threats.
Microsoft has directly notified affected organizations and disrupted the fraudulent Azure infrastructure associated with this campaign. Peach Sandstorm's continuous evolution of tactics, techniques, and procedures (TTPs) underscores the importance of vigilance and proactive defence measures within targeted industries.
Organizations are advised to reset passwords for any accounts targeted during the observed password spray attacks, revoke session cookies, and enforce multi-factor authentication (MFA). Implementing Azure Security Benchmark best practices and blocking legacy authentication methods can significantly reduce the risk of similar attacks.
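The response steps above (reset sprayed accounts, revoke sessions, find legacy-protocol sign-ins that MFA could not cover) start from recognising the spray pattern in sign-in telemetry. The following is an added example written for this article, not code from Microsoft's report: it runs over constructed sign-in records shaped loosely like Entra ID (Azure AD) sign-in logs. The tuple layout, client-app labels and thresholds are assumptions for the example, not the real log schema.

```python
"""Password-spray triage over sign-in events (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source IP fails once against six different
# accounts within seconds, then succeeds against one of them over IMAP.
# A user mistyping their own password is included as a non-spray control.
SAMPLE_SIGNINS = [
    # (timestamp, user, source_ip, result, client_app)
    ("2024-05-02T03:00:01", "a.smith@example.org", "203.0.113.7", "failure", "Other clients; IMAP"),
    ("2024-05-02T03:00:04", "b.jones@example.org", "203.0.113.7", "failure", "Other clients; IMAP"),
    ("2024-05-02T03:00:09", "c.lee@example.org",   "203.0.113.7", "failure", "Other clients; IMAP"),
    ("2024-05-02T03:00:15", "d.khan@example.org",  "203.0.113.7", "failure", "Other clients; IMAP"),
    ("2024-05-02T03:00:21", "e.ruiz@example.org",  "203.0.113.7", "failure", "Other clients; IMAP"),
    ("2024-05-02T03:00:27", "f.chen@example.org",  "203.0.113.7", "failure", "Other clients; IMAP"),
    ("2024-05-02T03:18:40", "c.lee@example.org",   "203.0.113.7", "success", "Other clients; IMAP"),
    ("2024-05-02T08:12:00", "g.park@example.org",  "10.0.0.5",    "failure", "Browser"),
    ("2024-05-02T08:12:20", "g.park@example.org",  "10.0.0.5",    "failure", "Browser"),
    ("2024-05-02T08:12:45", "g.park@example.org",  "10.0.0.5",    "success", "Browser"),
]

# Legacy protocols cannot enforce MFA, which is why the article recommends
# blocking them. These labels are assumed for the example.
LEGACY_CLIENT_APPS = {"Other clients; IMAP", "Other clients; POP",
                      "Exchange ActiveSync", "Authenticated SMTP"}


def find_spray_sources(events, window=timedelta(minutes=30),
                       min_users=5, max_per_user=2):
    """Return {source_ip: [targeted users]} for IPs whose failures span at
    least `min_users` distinct accounts inside `window` while trying each
    account at most `max_per_user` times: few guesses, many accounts."""
    failures = defaultdict(list)
    for ts, user, ip, result, _app in events:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    sources = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            counts = Counter(u for t, u in attempts[i:] if t - start <= window)
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                sources[ip] = sorted(counts)
                break
    return sources


def triage(events):
    """Build the response list the article describes: accounts to reset,
    sessions to revoke (successful sign-ins from a spraying IP) and
    successful legacy-protocol sign-ins that MFA could not have covered."""
    sources = find_spray_sources(events)
    targeted = sorted({u for users in sources.values() for u in users})
    compromised = sorted({user for _ts, user, ip, result, _app in events
                          if result == "success" and ip in sources})
    legacy = sorted({user for _ts, user, _ip, result, app in events
                     if result == "success" and app in LEGACY_CLIENT_APPS})
    return {"spray_sources": sources, "reset_passwords": targeted,
            "revoke_sessions": compromised, "legacy_auth_successes": legacy}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

The "few attempts per account, many accounts" shape is what separates a spray from a single user fumbling a password, so the thresholds should be tuned against your own baseline before the output is used to drive resets; the legacy-auth list is worth reviewing even when no spray is found, since those sign-ins bypass MFA regardless.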
Indicators of Compromise (IOCs)
Indicator | Type | SHA-256 | Description |
---|---|---|---|
subreviews.azurewebsites[.]net | Domain | | C2 server used by Peach Sandstorm. |
satellite2.azurewebsites[.]net | Domain | | C2 server used by Peach Sandstorm. |
nodetestservers.azurewebsites[.]net | Domain | | C2 server used by Peach Sandstorm. |
YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe | File | 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198 | Executable file containing Tickler malware. |
sold.dll | File | ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4 | Malicious DLL file used in Tickler malware. |
msvcp140.dll | File | | Legitimate Windows binary used for DLL sideloading by Tickler malware. |
LoggingPlatform.dll | File | | Legitimate Windows binary used for DLL sideloading by Tickler malware. |
vcruntime140.dll | File | | Legitimate Windows binary used for DLL sideloading by Tickler malware. |
Microsoft.SharePoint.NativeMessaging.exe | File | | Legitimate Windows binary used for DLL sideloading by Tickler malware. |
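The indicators above fall into three kinds that need different handling: the C2 domains are published defanged and must be refanged before matching, the two hashes match files directly, and the legitimate binaries are only meaningful in the sideloading context described in the Report Overview (the host executable loading one of those DLL names from an unusual location). The following sweep is an added example covering both that description and this table; it is not code from Microsoft's report. The domains, hashes and file names come from the table; the log layouts, host names, paths and the benign hash are constructed for the example.

```python
"""IOC sweep for the Tickler indicators in this article (added example)."""

# Published indicators, kept defanged as in the table.
C2_DOMAINS_DEFANGED = {
    "subreviews.azurewebsites[.]net",
    "satellite2.azurewebsites[.]net",
    "nodetestservers.azurewebsites[.]net",
}
MALICIOUS_SHA256 = {
    "7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198":
        "YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe",
    "ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4": "sold.dll",
}
# The legitimate binaries in the table are suspicious only in context: the
# host executable loading one of these names where either file sits outside
# a trusted directory, or the DLL is unsigned. The name alone is not a hit.
SIDELOAD_HOST = "microsoft.sharepoint.nativemessaging.exe"
SIDELOADED_DLLS = {"msvcp140.dll", "loggingplatform.dll", "vcruntime140.dll", "sold.dll"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")


def refang(indicator):
    """Undo the [.] / hxxp defanging used when publishing indicators."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def match_dns(lines):
    """Constructed DNS log format: '<timestamp> <host> query <name>'.
    Returns (host, queried_name) for every query to a C2 domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query":
            name = parts[3].rstrip(".").lower()
            if name in C2_DOMAINS:
                hits.append((parts[1], name))
    return hits


def match_hashes(inventory):
    """inventory: (host, path, sha256) triples; hash case is normalised."""
    return [(host, path, MALICIOUS_SHA256[h.lower()])
            for host, path, h in inventory if h.lower() in MALICIOUS_SHA256]


def match_sideload(image_loads):
    """image_loads: (host, process_path, dll_path, dll_is_signed) tuples.
    Flags the SharePoint native-messaging host loading a listed DLL name
    from outside a trusted directory, or an unsigned copy of it."""
    hits = []
    for host, proc, dll, signed in image_loads:
        proc_l, dll_l = proc.lower(), dll.lower()
        if proc_l.rsplit("\\", 1)[-1] != SIDELOAD_HOST:
            continue
        if dll_l.rsplit("\\", 1)[-1] not in SIDELOADED_DLLS:
            continue
        if (not proc_l.startswith(TRUSTED_DIRS)
                or not dll_l.startswith(TRUSTED_DIRS) or not signed):
            hits.append((host, proc, dll))
    return hits


# Constructed telemetry for two hosts (not real data).
SAMPLE_DNS = [
    "2024-05-03T10:02:11 WS-0412 query subreviews.azurewebsites.net.",
    "2024-05-03T10:02:13 WS-0412 query login.microsoftonline.com.",
    "2024-05-03T11:40:00 WS-0199 query NodeTestServers.azurewebsites.net",
]
SAMPLE_INVENTORY = [
    ("WS-0412", "C:\\Users\\jdoe\\Downloads\\Network Security\\"
                "YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe",
     "7EB2E9E8CD450FC353323FD2E8B84FBBDFE061A8441FD71750250752C577D198"),
    ("WS-0412", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\sold.dll",
     "ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4"),
    ("WS-0199", "C:\\Windows\\System32\\msvcp140.dll", "0" * 64),  # constructed benign hash
]
SAMPLE_IMAGE_LOADS = [
    ("WS-0412", "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft.SharePoint.NativeMessaging.exe",
     "C:\\Users\\jdoe\\AppData\\Roaming\\msvcp140.dll", False),
    ("WS-0199", "C:\\Program Files\\ExampleApp\\Microsoft.SharePoint.NativeMessaging.exe",
     "C:\\Program Files\\ExampleApp\\msvcp140.dll", True),  # normal install (constructed)
]


def sweep(dns=SAMPLE_DNS, inventory=SAMPLE_INVENTORY, image_loads=SAMPLE_IMAGE_LOADS):
    """Run all three matchers and return the hits per category."""
    return {"c2_dns": match_dns(dns), "file_hashes": match_hashes(inventory),
            "sideload": match_sideload(image_loads)}


if __name__ == "__main__":
    for category, hits in sweep().items():
        print(category, hits)
```

Note that the C2 hosts are subdomains of azurewebsites.net, so a match on the full name is required; blocking or alerting on the parent domain would flag a great deal of legitimate Azure traffic. Real DNS, EDR and image-load feeds need their own parsers in place of the constructed formats here.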
MITRE ATT&CK Mapping
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Valid Accounts | T1078 | Peach Sandstorm used password spray attacks to gain access to accounts. |
Execution | User Execution | T1204 | Tickler malware was executed via a malicious executable. |
Persistence | Create or Modify System Process | T1543 | Malicious DLL sideloading was used to maintain persistence. |
Command and Control | Application Layer Protocol | T1071 | C2 communication using HTTP POST requests to the compromised Azure domains. |
Defense Evasion | DLL Side-Loading | T1574.002 | Legitimate binaries were used to sideload malicious DLLs. |
Credential Access | Password Spraying | T1110.003 | Password spray attacks were observed against various sectors. |