Microsoft has released new intelligence claiming Iranian state-sponsored threat actor Peach Sandstorm is using a custom-built backdoor and password spraying attacks for intelligence operations on satellite communications.
The backdoor, named ‘Tickler’ by Microsoft Threat Intelligence, is a specialized multi-stage malware used to compromise target organizations, before moving laterally to gather intelligence using Server Message Block (SMB), remote monitoring and management (RMM) tools, and Active Directory (AD) snapshots.
Tickler has also been used to target oil and gas, and both state and federal level governments in the US and UAE.
Satellite Tickler
Microsoft’s Threat Intelligence team says Peach Sandstorm has been observed using password spraying attacks to compromise accounts belonging to target organizations in the education, defense, space, and government sectors.
By compromising accounts in the education sector, Peach Sandstorm would use newly created or existing Azure student subscriptions to host command-and-control (C2) infrastructure. Through this C2 infrastructure, the group would then target organizations within the government, defense and space sectors to gather intelligence on satellite communications equipment.
Two versions of Tickler have been identified by Microsoft. The first was found within a file named ‘Network Security.zip’ alongside a pair of decoy PDF documents. The actual Tickler malware used the same file name as one of the benign PDFs, but was actually an executable with the suffix ‘.pdf.exe’. When launched, the executable file collects network information from the host device by decrypting kernell32.dll, and sends this information to the C2 infrastructure.
The second version functions in exactly the same way as the first, but is also able to download additional malware from the C2 infrastructure to deploy on the host device, allowing for DLL sideloading to establish a backdoor, from which the attackers can run numerous commands to delete files, execute commands, and both download and upload files from the C2 infrastructure.
As an Iranian state-sponsored threat actor, Peach Sandstorm is likely to be operating on the behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) to further the gathering of intelligence in line with Iranian state interests.
In order to mitigate the exploitation of Azure infrastructure by threat actors using compromised accounts, Microsoft began enforcing multi-factor authentication by default for all Azure administrators from July 2024, before rolling out MFA to all Azure accounts from October 2024.
More from TechRadar Pro
Services Marketplace – Listings, Bookings & Reviews