Cybersecurity researchers at Microsoft recently discovered that Peach Sandstorm, a state-sponsored threat actor affiliated with the IRGC, added Tickler, a new multistage backdoor, to their arsenal between April and July 2024.
The threat actors target satellite systems because they underpin critical functions such as military and global communications.
Compromising satellite systems lets attackers disrupt communications, steal data, and tamper with navigation and timing information.
This custom malware hit the satellite, communications, oil and gas, and government sectors in the US and the UAE.
Technical Analysis
At the same time, Peach Sandstorm, using the ‘go-http-client’ user agent, was carrying out password spray attacks against thousands of organizations, mainly in the defense, space, education, and government sectors in the US and Australia.
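Password spraying is hard to catch with per-account lockout counters because each account sees only one or two attempts; the signal is one source touching many distinct accounts, and the article notes the ‘go-http-client’ user agent as a marker. The following detection is an added example, not code from the article or from Microsoft; the JSON-lines sign-in format and its field names (ts, user, src_ip, ua, result) are assumptions, and the log lines are constructed.

```python
"""Password-spray detection over sign-in events.

Added example; not code from the original article or from Microsoft.
The event format below is a constructed JSON-lines rendering of sign-in
logs, and the field names (ts, user, src_ip, ua, result) are assumptions,
not the schema of any real product.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails once against each of six accounts
# with a Go HTTP client user agent, while a real user mistypes a password
# twice from a browser and then signs in.
SAMPLE_LOG = """\
{"ts": "2024-07-01T10:00:00Z", "user": "alice@example.org", "src_ip": "203.0.113.7", "ua": "Go-http-client/1.1", "result": "failure"}
{"ts": "2024-07-01T10:00:02Z", "user": "bob@example.org", "src_ip": "203.0.113.7", "ua": "Go-http-client/1.1", "result": "failure"}
{"ts": "2024-07-01T10:00:04Z", "user": "carol@example.org", "src_ip": "203.0.113.7", "ua": "Go-http-client/1.1", "result": "failure"}
{"ts": "2024-07-01T10:00:06Z", "user": "dave@example.org", "src_ip": "203.0.113.7", "ua": "Go-http-client/1.1", "result": "failure"}
{"ts": "2024-07-01T10:00:08Z", "user": "erin@example.org", "src_ip": "203.0.113.7", "ua": "Go-http-client/1.1", "result": "failure"}
{"ts": "2024-07-01T10:00:10Z", "user": "frank@example.org", "src_ip": "203.0.113.7", "ua": "Go-http-client/1.1", "result": "failure"}
{"ts": "2024-07-01T10:01:00Z", "user": "bob@example.org", "src_ip": "198.51.100.4", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "failure"}
{"ts": "2024-07-01T10:01:20Z", "user": "bob@example.org", "src_ip": "198.51.100.4", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "failure"}
{"ts": "2024-07-01T10:01:40Z", "user": "bob@example.org", "src_ip": "198.51.100.4", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "result": "success"}
"""

# User-agent substrings worth calling out; the article names go-http-client.
SUSPICIOUS_UA_MARKERS = ("go-http-client",)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Map source IP -> finding for sources whose failed sign-ins hit at
    least min_users distinct accounts inside some sliding window.

    A spray is few attempts per account across many accounts, so the
    signal is distinct users per source, not failures per user; the
    per-user lockout counter that catches brute force never fires."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src_ip"]].append(e)

    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best_users, best_uas = set(), set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) > len(best_users):
                best_users = users
                best_uas = {e["ua"] for e in span}
        if len(best_users) >= min_users:
            findings[ip] = {
                "distinct_users": len(best_users),
                "suspicious_ua": any(
                    m in ua.lower() for ua in best_uas for m in SUSPICIOUS_UA_MARKERS
                ),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample, only 203.0.113.7 is reported (six distinct accounts, suspicious user agent); Bob's two typos from his browser stay below the distinct-user threshold. The user-agent match is recorded as a property of the finding rather than used as a filter, since the same spray from a browser-like agent should still surface on the distinct-user count alone.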
The group also conducted intelligence gathering through LinkedIn using fake Russian and Western profiles in order to contact American and Western Europeans to create business proposals for them.
After gaining a foothold, they also used fake Azure subscriptions for additional C2 infrastructure.
Microsoft observed this activity across many sectors and directly notified the customers that were compromised.
Microsoft Threat Intelligence identified two Tickler samples deployed by Peach Sandstorm in July 2024.
The first sample, disguised as a PDF, is a 64-bit C/C++ PE file that uses PEB traversal to locate kernel32.dll. It also collected network information and sent it to a C2 server via HTTP POST.
The second Tickler sample, sold.dll, downloaded additional payloads: legitimate Windows binaries (msvcp140.dll, LoggingPlatform.dll, vcruntime140.dll, Microsoft.SharePoint.NativeMessaging.exe) used for DLL sideloading, and malicious DLLs capable of executing commands such as systeminfo, dir, run, delete, upload, and download.
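DLL sideloading works because Windows searches an application's own directory before System32, so a signed host binary copied into a writable folder will load whatever DLL of the expected name sits beside it. A hunt over a file inventory can flag that staging pattern. The script below is an added example, not code from the article or from Microsoft; the inventory format (path, sha256), the allow-list digests and the inventory entries are constructed placeholders, the Program Files path used for the benign case is an assumption, and so is the list of user-writable directory markers.

```python
"""Hunt for DLL-sideloading staging directories in a file inventory.

Added example; not code from the original article or from Microsoft.
The inventory format (path, sha256) and the allow-list hashes are
constructed; the Program Files install path used for the benign case is an
assumption, as is the list of user-writable directory markers.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Host executable named in the article as one of the legitimate binaries
# the second Tickler sample (sold.dll) downloaded for sideloading.
SIDELOAD_HOSTS = {"microsoft.sharepoint.nativemessaging.exe"}

# Constructed allow list: placeholder digests standing in for the
# known-good hashes a team would record for the legitimate DLLs.
KNOWN_GOOD_SHA256 = {
    "msvcp140.dll": {"PLACEHOLDER-GOOD-MSVCP140"},
    "vcruntime140.dll": {"PLACEHOLDER-GOOD-VCRUNTIME140"},
    "loggingplatform.dll": {"PLACEHOLDER-GOOD-LOGGINGPLATFORM"},
}

# Assumption: path fragments that mark directories an ordinary user can
# write to. A signed host binary staged here with DLLs beside it is worth
# a look even when every DLL hashes to a known-good value.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed inventory: an install under Program Files (assumed location)
# and a staged copy under a user profile whose LoggingPlatform.dll carries
# an unrecognised hash.
SAMPLE_INVENTORY = [
    (r"C:\Program Files\Microsoft Office\root\Office16\Microsoft.SharePoint.NativeMessaging.exe", "PLACEHOLDER-HOST"),
    (r"C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll", "PLACEHOLDER-GOOD-MSVCP140"),
    (r"C:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll", "PLACEHOLDER-GOOD-VCRUNTIME140"),
    (r"C:\Users\victim\AppData\Roaming\Updater\Microsoft.SharePoint.NativeMessaging.exe", "PLACEHOLDER-HOST"),
    (r"C:\Users\victim\AppData\Roaming\Updater\msvcp140.dll", "PLACEHOLDER-GOOD-MSVCP140"),
    (r"C:\Users\victim\AppData\Roaming\Updater\LoggingPlatform.dll", "PLACEHOLDER-UNKNOWN-1"),
]


def hunt_sideloading(inventory):
    """Return one finding per DLL that sits next to a known sideload host
    and is either not on the allow list or staged in a user-writable
    directory. The application directory is searched before System32,
    so any DLL placed there shadows the system copy."""
    by_dir = defaultdict(dict)
    for path, digest in inventory:
        p = PureWindowsPath(path)
        by_dir[str(p.parent).lower()][p.name.lower()] = digest

    findings = []
    for directory, files in by_dir.items():
        hosts = sorted(f for f in files if f in SIDELOAD_HOSTS)
        if not hosts:
            continue
        user_writable = any(m in directory + "\\" for m in USER_WRITABLE_MARKERS)
        for name, digest in files.items():
            if not name.endswith(".dll"):
                continue
            known_good = digest in KNOWN_GOOD_SHA256.get(name, set())
            if user_writable or not known_good:
                findings.append({
                    "dir": directory,
                    "host": hosts[0],
                    "dll": name,
                    "known_good": known_good,
                    "user_writable": user_writable,
                })
    return findings


if __name__ == "__main__":
    for finding in hunt_sideloading(SAMPLE_INVENTORY):
        print(finding)
```

On the sample inventory the Program Files copy produces nothing, while the copy under AppData yields two findings: msvcp140.dll (known-good hash, but staged in a user-writable path) and LoggingPlatform.dll (unrecognised hash). Checking every DLL in the host's directory, not just the names the article lists, matters because the malicious DLL can carry any name the host binary will import.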
Peach Sandstorm established C2 infrastructure by creating Azure tenants with student subscriptions, both through new accounts and by compromising existing educational sector accounts.
They set up multiple azurewebsites[.]net domains as C2 nodes, a tactic also observed with other Iranian groups like Smoke Sandstorm.
Peach Sandstorm's post-compromise activities include:
- Lateral SMB movement in a European defense organization.
- AnyDesk installation attempt after a password spray on a pharma company.
- AD snapshot capture via malicious ZIP on Microsoft Teams in a Middle East satellite operator.
These techniques allow Peach Sandstorm to expand access, maintain persistence, and gather sensitive data in compromised networks.
Mitigations
The recommended mitigations are:
- Reset passwords, revoke session cookies, and undo attacker MFA changes.
- Implement Azure Security Benchmark, block legacy authentication, and enforce MFA.
- Secure accounts with the least privilege, monitor with Entra Connect Health, and use password protection.
- Enable cloud and real-time protection, EDR block mode, and tamper protection.
- Educate users on sign-in security and transition to passwordless authentication.