Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

Aug. 30, 2024, 6:08 p.m.

Description

Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandstorm also conducted password spray attacks against educational institutions and other sectors. The group used LinkedIn profiles for intelligence gathering and social engineering. Tickler malware collects network information and can execute various commands. Peach Sandstorm abused Azure resources for command and control infrastructure. Post-compromise activities included lateral movement via SMB, installing remote monitoring tools, and taking Active Directory snapshots.

Date

Published: Aug. 30, 2024, 5:46 p.m.
Created: Aug. 30, 2024, 5:46 p.m.
Modified: Aug. 30, 2024, 6:08 p.m.

Indicators

fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f

e984d9085ae1b1b0849199d883d05efbccc92242b1546aeca8afd4b1868c54f5

dad53a78662707d182cdb230e999ef6effc0b259def31c196c51cc3e8c42a9b8

7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198

ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4

711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350

5df4269998ed79fbc997766303759768ce89ff1412550b35ff32e85db3c1f57b

56ac00856b19b41bc388ecf749eb4651369e7ced0529e9bf422284070de457b6

22017c9b022e6f2560fee7d544a83ea9e3d85abee367f2f20b3b0448691fe2d4

Attack Patterns

Tickler

Peach Sandstorm

T1078.004

T1110.003

T1003.003

T1102.003

T1021.002

T1569.002

T1588.002

T1059.003

T1547.001

T1071.001

T1078

Additional Information

Aerospace

Energy

Defense

Education

Government

Australia

United Arab Emirates

United States of America