Microsoft has released new intelligence claiming that the Iranian state-sponsored threat actor Peach Sandstorm is using a tailored backdoor and password spray attacks for intelligence operations on satellite communications.
The backdoor, dubbed “Tickler” by Microsoft Threat Intelligence, is a specialized multi-stage piece of malware used to compromise target organizations and then move laterally and gather information using Server Message Block (SMB), remote monitoring and management (RMM) tools, and Active Directory (AD) snapshots.
Tickler has also been used to target the oil and gas sector, as well as state and federal governments in the US and UAE.
Satellite Tickler
According to Microsoft’s Threat Intelligence team, Peach Sandstorm has been observed conducting password spray attacks to compromise accounts of organizations in the education, defense, aerospace, and government sectors.
By compromising accounts in the education sector, Peach Sandstorm would use newly created or existing Azure student subscriptions to host command-and-control (C2) infrastructure. Through this C2 infrastructure, the group would then target organizations within the government, defense, and aerospace sectors to gather intelligence on satellite communications equipment.
Microsoft has identified two versions of Tickler. The first was found in a file named “Network Security.zip” alongside a pair of fake PDF documents. The actual Tickler malware used the same filename as one of the benign PDFs, but was in fact an executable file with the suffix “.pdf.exe.” When launched, the executable collects network information from the host device by decrypting kernell32.dll and sends this information to the C2 infrastructure.
The second version works exactly the same as the first, but can also download additional malware from the C2 infrastructure to deploy to the host device. This allows DLL sideloading to create a backdoor, from which attackers can run numerous commands to delete files, execute commands, and download files from and upload files to the C2 infrastructure.
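A defender-side check for the archive packaging described above, as an added example that is not from Microsoft's report or this article: it lists ZIP members whose names end in a document extension followed by an executable one, and notes whether a real document with the same visible name sits beside them. The extension lists and the sample archive's file names are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension lists for this example; extend to match local policy.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def find_masquerades(zip_bytes):
    """Return one finding per archive member named like <name>.<doc>.<exec>."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    # Windows treats names case-insensitively and drops trailing dots and spaces.
    norm = {n: PurePosixPath(n.replace("\\", "/").rstrip(". ").lower()) for n in names}
    present = {str(p) for p in norm.values()}
    findings = []
    for original, path in norm.items():
        suffixes = path.suffixes
        if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXT and suffixes[-2] in DOC_EXT:
            # Name a user sees when Explorer hides known file extensions.
            visible = str(path.with_suffix(""))
            findings.append({
                "member": original,
                "displayed_as": visible,
                # True when a genuine document shares the lookalike's visible name.
                "decoy_twin_present": visible in present,
            })
    return findings


def build_sample_zip():
    """Constructed test archive; file names and contents are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Sample Report.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("docs/Other Notes.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("docs/Sample Report.PDF.exe", b"MZ constructed placeholder")
        zf.writestr("tools/setup.exe", b"MZ constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_masquerades(build_sample_zip()):
        print(finding)
```

A finding with `decoy_twin_present` set to true is the stronger signal, since an ordinary installer bundle rarely ships an executable named after a document in the same folder.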
As an Iranian state-sponsored threat actor, Peach Sandstorm likely operates on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) to advance intelligence gathering in line with Iranian state interests.
To mitigate the exploitation of Azure infrastructure by malicious actors using compromised accounts, Microsoft has begun enforcing multi-factor authentication (MFA) as standard for all Azure administrators from July 2024, prior to rolling out MFA to all Azure accounts from October 2024.