Microsoft has published new intelligence reporting that the Iranian state-sponsored threat actor Peach Sandstorm is using a custom backdoor and password spraying attacks in intelligence-gathering operations targeting satellite communications.
The backdoor, dubbed 'Tickler' by Microsoft Threat Intelligence, is a specialized, multi-stage malicious program. It is used to compromise target organizations before moving laterally to gather intelligence using Server Message Block (SMB), remote management and monitoring (RMM) tools, and Active Directory (AD) snapshots.
Tickler has also been used to attack oil and gas companies, and governments at both the state and federal level in the US and the UAE.
Satellite tickling
Microsoft's Threat Intelligence team says Peach Sandstorm has been observed using password spraying attacks to compromise accounts belonging to targeted organizations in the education, defense, space, and government sectors.
By compromising accounts in the education sector, Peach Sandstorm would use existing or previously created Azure student subscriptions to host command and control (C2) infrastructure. Through this C2 infrastructure, the group would then target organizations in the government, defense, and space sectors to gather information about satellite communications equipment.
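The password spraying described above has a recognisable shape in sign-in telemetry: one source tries a small number of passwords against many different accounts, so per-account failure counts stay low while the number of distinct accounts failing from that source climbs. The following detector is an added example, not Microsoft's code or anything from the report; the log format and the sample lines are constructed for illustration, and the window and account thresholds are assumptions a defender would tune to their own tenant.

```python
"""Password-spray detection over constructed sign-in log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: timestamp, user, source IP, outcome.
# 203.0.113.10 fails against five distinct accounts in half a minute, then succeeds on a sixth:
# that is the spray pattern. 198.51.100.7 retries a single account, which is not a spray.
SAMPLE_LOG = """\
2024-08-01T09:00:01Z alice@example.edu 203.0.113.10 FAILURE
2024-08-01T09:00:07Z bob@example.edu 203.0.113.10 FAILURE
2024-08-01T09:00:13Z carol@example.edu 203.0.113.10 FAILURE
2024-08-01T09:00:19Z dave@example.edu 203.0.113.10 FAILURE
2024-08-01T09:00:25Z erin@example.edu 203.0.113.10 FAILURE
2024-08-01T09:00:31Z frank@example.edu 203.0.113.10 SUCCESS
2024-08-01T09:05:00Z alice@example.edu 198.51.100.7 FAILURE
2024-08-01T09:05:30Z alice@example.edu 198.51.100.7 FAILURE
2024-08-01T09:06:00Z alice@example.edu 198.51.100.7 SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, source_ip, outcome)."""
    ts, user, ip, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome


def detect_password_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every source
    that produced failures against at least `min_accounts` distinct users inside
    any `window`-long span. `successes` lists accounts the same source later
    signed into, i.e. the accounts an analyst should review first.
    Thresholds are assumed values for illustration."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    findings = {}
    for ip, evs in by_ip.items():
        failures = [(ts, u) for ts, u, o in evs if o == "FAILURE"]
        # Sliding window over the failures; keep the largest set of distinct users seen.
        start = 0
        best = set()
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {u for _, u in failures[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            successes = sorted({u for _, u, o in evs if o == "SUCCESS"})
            findings[ip] = {"accounts": sorted(best), "successes": successes}
    return findings


if __name__ == "__main__":
    for ip, hit in detect_password_spray(SAMPLE_LOG).items():
        print(f"{ip}: sprayed {len(hit['accounts'])} accounts, succeeded on {hit['successes']}")
```

The single-account retries from 198.51.100.7 are deliberately left unflagged: that pattern belongs to a lockout-style brute-force rule, while a spray rule keys on breadth across accounts rather than depth against one.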
Microsoft has identified two versions of Tickler. The first was found in an archive named 'Network Security.zip' alongside a couple of decoy PDF documents. The Tickler binary used the same filename as one of the benign PDFs but was actually an executable with the suffix '.pdf.exe'. When run, the executable gathers network information from the host by decrypting kernel32.dll and sends this information to the C2 infrastructure.
The second version works the same way as the first but can also download additional malware from the C2 infrastructure and deploy it on the host. This enables DLL side-loading to establish a backdoor, through which the attackers can run numerous commands to delete files, execute commands, and download and upload files from the C2 infrastructure.
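The delivery trick described above, an executable named to match a benign document in the same archive and carrying a '.pdf.exe' double extension, is easy to spot before anything is opened. The scanner below is an added example and not Microsoft's code or a sample from the report: it builds an in-memory archive with constructed member names and constructed contents that mirror the described layout, then flags members that combine an executable outer extension with a document-style inner one, that mimic the name of a sibling document, or whose first bytes carry the PE 'MZ' signature regardless of what their extension claims.

```python
"""Double-extension and name-mimicry check for archive members (added example)."""
import io
import zipfile

# Extension sets are assumptions for illustration; extend to your own policy.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".dll", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def build_sample_archive():
    """Construct an in-memory archive with the layout described above.
    Member names and contents are constructed placeholders, not real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Network Security Guide.pdf", b"%PDF-1.4 placeholder benign document\n")
        zf.writestr("Satellite Comms Overview.pdf", b"%PDF-1.4 placeholder benign document\n")
        # Masquerading member: PE signature bytes under a document-looking name.
        zf.writestr("Network Security Guide.pdf.exe", b"MZ" + b"\x00" * 62 + b"placeholder")
    return buf.getvalue()


def extensions(name):
    """Return the lowercased suffix chain of a member name, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def scan_archive(data):
    """Return a list of (member_name, reason) for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        lower_names = {m.filename.lower() for m in members}
        for m in members:
            exts = extensions(m.filename)
            if exts:
                outer = exts[-1]
                # The name a user sees once Explorer hides the real (outer) extension.
                displayed = m.filename.lower()[:-len(outer)]
                if outer in EXEC_EXTS:
                    if len(exts) >= 2 and exts[-2] in DOC_EXTS:
                        findings.append((m.filename, "executable with document-style double extension"))
                    if displayed in lower_names:
                        findings.append((m.filename, "name mimics sibling member " + repr(displayed)))
            # Content check: a PE image starts with 'MZ' whatever the name says.
            with zf.open(m) as fh:
                if fh.read(2) == b"MZ":
                    findings.append((m.filename, "PE executable content"))
    return findings


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"{name}: {reason}")
```

The content check is the one that survives renaming: a defender who only matches on '.pdf.exe' will miss the same binary delivered under a single '.exe' or with the extension stripped, while the 'MZ' test still fires.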
As an Iranian state-sponsored threat actor, Peach Sandstorm is likely operating on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) to promote intelligence gathering in line with Iranian state interests.
To limit the abuse of Azure infrastructure by threat actors using compromised accounts, Microsoft began enforcing multi-factor authentication (MFA) by default for all Azure administrators in July 2024, ahead of enforcing MFA for all Azure accounts from October 2024.