Tickler: Iranian spies target US and UAE secrets

Peach Sandstorm attacks the oil and gas and satellite sectors with a new backdoor.

Experts from Microsoft have discovered that the Peach Sandstorm group, associated with the Iranian authorities, is using a new backdoor called Tickler in attacks on satellite communications, the oil and gas sector, and government authorities in the United States and the United Arab Emirates.

According to the corporation's report, hackers from Peach Sandstorm have been using this multi-stage malware since April 2024. The program collects various network information from infected machines and sends it to the attackers' C&C servers.

The first Tickler sample was found in an archive named Network Security.zip alongside two harmless PDF documents. Execution begins by searching memory for the address of the kernel32.dll library. Then, after decrypting its strings, the malware loads the library and opens the legitimate PDF file "YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf" as a decoy. Meanwhile, Tickler collects data about the victim's network and sends it to the C&C server over HTTP.

The second Tickler sample has similar functionality to the first. It downloads additional payloads from the C&C server, including legitimate DLLs, and maintains a persistent connection to the server through a resource created in Azure.

Microsoft experts discovered that Peach Sandstorm uses credentials stolen from users at educational organizations to build its infrastructure in Azure. In this way, the hackers gain legitimate access to cloud resources and use them to deploy C&C servers.

In addition to using Tickler, Peach Sandstorm also continues to attack the education, satellite, defense, and government sectors using brute-force attacks. According to analysts, in April-May 2024, the hackers were still using the "go-http-client" user agent, which is typical of their previous campaigns.

Interestingly, other Iranian groups, such as Smoke Sandstorm, have also abused cloud resources in recent months.

The Peach Sandstorm hackers are also known for conducting lateral movement across the network using the SMB protocol after compromising organizations and attempting to install remote access programs such as AnyDesk on the infected systems. In addition, as the researchers note, during one of the intrusions against a satellite operator in the Middle East, Peach Sandstorm used the AD Explorer utility to create an Active Directory snapshot.

To protect your systems from Peach Sandstorm activity, experts recommend resetting the passwords of accounts that were targeted, revoking their session cookies, and conducting additional investigation if a compromised account held system-level privileges.

In addition, you should implement Conditional Access policies in Azure to restrict access to your environment based on criteria you define, and block legacy protocols that do not support multi-factor authentication. To protect endpoints, enable block mode in Microsoft Defender for Endpoint so that it can block malicious artifacts on its own, even when another antivirus product does not detect them.

The indicators of compromise identified in the report, such as malicious files and Azure C&C servers, can be used to hunt for threats on the corporate network. In addition, Microsoft provides Defender XDR queries for identifying related activity, and analytics rules are available in Microsoft Sentinel to automatically match the IoCs from this report against customer data.
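As an added example, not code from the original post or from Microsoft's report, the following Python script hunts over sign-in records for the two behaviours described above: a password spray using the "go-http-client" user agent, and successful sign-ins over legacy protocols that cannot enforce MFA and that the recommended Conditional Access policies would block. It also lists the accounts that a detected spray actually got into, which are the ones whose passwords should be reset and sessions revoked. The log records are constructed for illustration; the field names, the set of "modern" client types and the spray thresholds are assumptions, not a vendor schema.

```python
"""Hunt constructed sign-in records for password spraying by a Go HTTP
client and for legacy-protocol sign-ins that bypass MFA.

Added example; the records and field names below are assumptions built
for illustration, not real telemetry or a vendor log schema.
"""
from collections import defaultdict

SPRAY_IP = "203.0.113.7"  # constructed attacker source address

# Constructed sign-in records. "result" loosely follows Entra ID sign-in
# error codes: "0" is success, "50126" is invalid username or password.
SAMPLE_SIGNINS = [
    # One failed attempt per account from a single source, all with the
    # default Go user agent: the "low and slow" spray pattern.
    *[
        {"user": f"{n}@example.edu", "ip": SPRAY_IP,
         "ua": "go-http-client/1.1", "app": "Other clients", "result": "50126"}
        for n in ("alice", "bob", "carol", "dave", "erin", "frank")
    ],
    # The spray found a valid password for one account.
    {"user": "grace@example.edu", "ip": SPRAY_IP,
     "ua": "go-http-client/1.1", "app": "Other clients", "result": "0"},
    # A legitimate user mistyping a password twice, then succeeding.
    {"user": "heidi@example.edu", "ip": "198.51.100.20",
     "ua": "Mozilla/5.0", "app": "Browser", "result": "50126"},
    {"user": "heidi@example.edu", "ip": "198.51.100.20",
     "ua": "Mozilla/5.0", "app": "Browser", "result": "50126"},
    {"user": "heidi@example.edu", "ip": "198.51.100.20",
     "ua": "Mozilla/5.0", "app": "Browser", "result": "0"},
    # A legacy IMAP sign-in that Conditional Access should block.
    {"user": "ivan@example.edu", "ip": "192.0.2.15",
     "ua": "Thunderbird", "app": "IMAP4", "result": "0"},
]

# Client types that can complete an interactive MFA challenge (assumption).
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
SPRAY_MIN_USERS = 5     # distinct accounts hit from one source
SPRAY_MAX_PER_USER = 3  # few attempts per account, to stay under lockout


def is_failure(rec):
    return rec["result"] != "0"


def detect_password_spray(records):
    """Return {ip: sorted targeted users} for sources that fail against many
    distinct accounts with only a few attempts each."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for r in records:
        if is_failure(r):
            per_ip[r["ip"]][r["user"]] += 1
    hits = {}
    for ip, users in per_ip.items():
        if len(users) >= SPRAY_MIN_USERS and max(users.values()) <= SPRAY_MAX_PER_USER:
            hits[ip] = sorted(users)
    return hits


def detect_go_http_client(records):
    """Sorted source IPs presenting the default Go user agent."""
    return sorted({r["ip"] for r in records
                   if r["ua"].lower().startswith("go-http-client")})


def detect_legacy_auth(records):
    """(user, client) pairs for successful sign-ins over clients that
    cannot enforce MFA; each one is a gap Conditional Access should close."""
    return [(r["user"], r["app"]) for r in records
            if not is_failure(r) and r["app"] not in MODERN_CLIENTS]


def accounts_to_remediate(records):
    """Accounts with a successful sign-in from a spraying source: reset the
    password, revoke sessions and review privileges."""
    spray_ips = set(detect_password_spray(records))
    return sorted({r["user"] for r in records
                   if r["ip"] in spray_ips and not is_failure(r)})


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_SIGNINS))
    print("go-http-client sources:", detect_go_http_client(SAMPLE_SIGNINS))
    print("legacy-auth sign-ins:", detect_legacy_auth(SAMPLE_SIGNINS))
    print("accounts to remediate:", accounts_to_remediate(SAMPLE_SIGNINS))
```

The spray heuristic deliberately keys on the source address rather than the user agent, so it still fires if the operators change the client string; the user-agent check is a separate, cheaper signal that corroborates it. The legacy-auth check reports successes only, since those are the sign-ins that bypassed MFA and need to be cut off.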
