Microsoft has published information on a highly concerning malware campaign being carried out by suspected Iranian state-backed threat group, Peach Sandstorm.
Between April and July 2024, Microsoft’s threat intelligence arm observed the collective deploying a newly developed custom multi-stage backdoor, which it has dubbed Tickler.
The malware has been used to target businesses operating in the satellite, communications equipment, oil and gas, and government sectors in the US and UAE.
Microsoft analyzed two samples of the malware that were deployed in compromised environments as recently as July 2024. The first of which was found in an archive file named Network Security.zip hidden amongst numerous benign PDF files.
The malware collects network information from the host environment and passes it back to the attacker's C2 URI via a HTTP POST request, which Microsoft speculated was to help the attacker orient themselves on the network.
Microsoft observed the group iterating and improving on the initial malware sample, with a second iteration, sold.dll, described as a Trojan dropper.
Functionally identical to the original version, the second sample downloads additional paloads from the C2 server, including a backdoor, a batch script to ensure the backdoor is persistent on the network.
The malware also downloads a series of legitimate files, likely used for DLL sideloading purposes, according to the report.
Microsoft added that the group had leveraged Azure infrastructure in fraudulent, attacker-controlled Azure subscriptions for command-and-control. This included creating Azure tenants using Outlook email accounts and generating Azure for Student subscriptions using these tenants.
The report noted other Iranian hacking groups, including Smoke Sandstorm, had been observed using similar techniques in recent months.
Peach Sandstorm continues password spraying campaign to gain initial access
Microsoft has tracked Peach Sandstorm’s activity intently in recent years, noting the organization has demonstrated an interest in organizations in the defense, communications, and healthcare industries.
The group’s previous campaigns relied on password spraying attacks as an initial access vector, employing the technique since at least February 2023 according to the report.
The latest update from Microsoft stated the operation has continued to leverage this technique against organizations in the educational sector for “infrastructure procurement”, as well as the satellite, government, and defense sector for intelligence collection – the group’s primary objective.
Peach Sandstorm has also been observed deploying social engineering attacks in order to gain initial access.
Going back to at least November 2021, Microsoft tracked the group using multiple fake LinkedIn profiles, purporting to be students, developers and talent acquisition managers based in the US and Western Europe.
“Peach Sandstorm primarily used them to conduct intelligence gathering and possible social engineering against the higher education, satellite sectors, and related industries,” the report added.
Microsoft said the identified LinkedIn accounts were reported to the social network and were subsequently removed from the platform.
Once Peach Sandstorm gains access to an organization’s environment, the group is known to perform lateral movement techniques.
For example, Microsoft referred to a recent incident where, after compromising a European defense organization, the group moved laterally via the server message block (SMB) protocol. SMB is described as a lateral movement technique used to move between compromised devices on a network.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to knowNews A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Microsoft is increasing payouts for its Copilot bug bounty programNews Microsoft has expanded the bug bounty program for its Copilot lineup, boosting payouts and adding coverage of WhatsApp and Telegram tools.
-
Hackers are using this new phishing technique to bypass MFANews Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass MFA and steal access tokens.
-
A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFANews Researchers at Abnormal Security have warned of a new phishing campaign targeting Microsoft's Active Directory Federation Services (ADFS) secure access system.
-
Hackers are using Microsoft Teams to conduct “email bombing” attacksNews Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively
-
Microsoft files suit against threat actors abusing AI services
News Cyber criminals are accused of using stolen credentials for an illegal hacking as a service operation
