Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Aug. 30, 2024, 6:08 p.m.
Tags
External References
Description
Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and UAE. Peach Sandstorm also conducted password spray attacks against educational institutions and other sectors. The group used LinkedIn profiles for intelligence gathering and social engineering. Tickler malware collects network information and can execute various commands. Peach Sandstorm abused Azure resources for command and control infrastructure. Post-compromise activities included lateral movement via SMB, installing remote monitoring tools, and taking Active Directory snapshots.
Date
Published: Aug. 30, 2024, 5:46 p.m.
Created: Aug. 30, 2024, 5:46 p.m.
Modified: Aug. 30, 2024, 6:08 p.m.
Indicators
Patterns
Tickler
Peach Sandstorm
T1078.004
T1110.003
T1003.003
T1102.003
T1021.002
T1569.002
T1588.002
T1059.003
T1547.001
T1071.001
T1078
Additional Information
Aerospace
Energy
Defense
Education
Government
Australia
United Arab Emirates
United States of America