Iran-Linked Peach Sandstorm Group Deploys Tickler Malware
Researchers have uncovered a new wave of activity by the Iranian state-sponsored threat actor known as Peach Sandstorm. Between April and July 2024, the group deployed a custom multi-stage backdoor called Tickler in operations targeting the satellite, communications, oil and gas, and government sectors in the United States and United Arab Emirates.
Peach Sandstorm Operations and Iranian Association
Peach Sandstorm, which Microsoft Threat Intelligence has assessed as operating on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC), has a history of using password spray attacks and LinkedIn-based intelligence gathering to target organizations in the higher education, satellite, and defense sectors.
The Tickler backdoor, identified in two distinct samples, was used to collect network information from compromised hosts and send it to attacker-controlled command-and-control (C2) servers.
Peach Sandstorm has also been observed downloading additional payloads, including legitimate Windows binaries that could be abused for DLL sideloading. The researchers also found that the group had created fraudulent Azure subscriptions and resources, including Azure for Students subscriptions, to host its C2 infrastructure.
Tickler Malware Analysis
The two identified samples of the Tickler malware were both 64-bit C/C++ based native PE files. The first sample was contained in an archive file alongside benign PDF documents used as decoys.
Upon execution, the first Tickler variant walks the process environment block (PEB) to locate the in-memory base address of kernel32.dll, a common way for malware to resolve the Windows API functions it needs at runtime rather than through the import table. It then collects network information from the host and sends it to the C2 server.
The second Tickler sample is a Trojan dropper that downloads additional payloads, including legitimate Windows binaries likely intended for DLL sideloading, as well as a batch script that establishes persistence by adding a registry Run key entry.
These capabilities allow Peach Sandstorm to maintain access to compromised networks and carry out follow-on activity, such as lateral movement, data exfiltration, and deployment of additional tooling. Microsoft says it has taken action to disrupt the campaign, including notifying affected organizations and shutting down the malicious Azure resources.
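The Run-key persistence described above is easy to hunt for in endpoint telemetry. The following is an added example written for this article, not code from Microsoft or from the Tickler samples: it triages Sysmon-style registry value-set events (Event ID 13) and scores writes to the Run and RunOnce autostart keys, generalizing slightly beyond the single Run key the article mentions. The event records, field names and the list of script hosts are constructed assumptions, not real telemetry.

```python
"""Flag Run/RunOnce persistence in Sysmon-style registry events.

Added example for this article; not Microsoft's or the malware's code.
The records below are constructed to resemble Sysmon Event ID 13
(RegistryEvent, value set). Field names, paths and thresholds are assumptions.
"""
import re

# Autostart locations a dropper's batch script can populate with one `reg add`.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE
)

# Processes a batch script would typically use to write the value (assumption).
SCRIPT_HOSTS = {"cmd.exe", "reg.exe", "powershell.exe"}

# Constructed sample events (Sysmon-like, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\Updater\update.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": "", "Details": ""},
]


def run_key_persistence(events):
    """Return Run/RunOnce value writes, each scored by how suspicious it looks.

    Score counts two signals: the value was written by a script host (what a
    dropped batch script would do) and the payload lives in a user-writable
    location rather than Program Files or System32.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue  # only registry value-set events matter here
        if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue  # not an autostart key
        writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        payload = ev.get("Details", "")
        reasons = []
        if writer in SCRIPT_HOSTS:
            reasons.append(f"written by {writer}")
        if re.search(r"\\AppData\\|\\Temp\\|\\ProgramData\\", payload, re.IGNORECASE):
            reasons.append("payload in user-writable path")
        hits.append({
            "key": ev["TargetObject"],
            "payload": payload,
            "writer": writer,
            "score": len(reasons),
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in run_key_persistence(SAMPLE_EVENTS):
        print(hit["score"], hit["writer"], hit["key"], hit["reasons"])
```

Only the first constructed event scores on both signals; the vendor installer writing its own tray application to HKLM still appears in the output (a Run-key write is always worth logging) but with a score of zero, so an analyst can sort by score rather than wade through every installer on the estate.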
Protecting Against Peach Sandstorm
To help organizations defend against Peach Sandstorm’s evolving tactics, the researchers recommend the following:
- Implement strong access controls, such as multi-factor authentication, to protect cloud and on-premises accounts.
- Monitor for suspicious activity, including password spray attacks and the use of compromised accounts to create cloud resources.
- Educate employees on social engineering threats, such as the LinkedIn-based reconnaissance the group uses, particularly in the higher education, satellite, and defense sectors.
- Deploy threat protection solutions to detect and respond to potential Peach Sandstorm intrusions.
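The second recommendation, monitoring for password spray and for compromised accounts creating cloud resources, can be turned into concrete detection logic. The following is an added example written for this article, not Microsoft's code or tooling: it runs over a handful of constructed sign-in records, flags a source IP that fails against many distinct accounts in a short window (the signature of a spray, as opposed to repeated failures against one account), then links any later success from that IP to resource-creation events. The record layout, operation names and thresholds are assumptions.

```python
"""Password-spray detection with follow-on resource-creation correlation.

Added example for this article; not Microsoft's code. All records below are
constructed, and the field layout, operation names and thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins: (timestamp, user, source IP, outcome).
SAMPLE_SIGNINS = [
    ("2024-05-02T09:00:05Z", "alice@example.org", "203.0.113.7", "failure"),
    ("2024-05-02T09:00:09Z", "bob@example.org", "203.0.113.7", "failure"),
    ("2024-05-02T09:00:14Z", "carol@example.org", "203.0.113.7", "failure"),
    ("2024-05-02T09:00:21Z", "dave@example.org", "203.0.113.7", "failure"),
    ("2024-05-02T09:00:27Z", "erin@example.org", "203.0.113.7", "failure"),
    ("2024-05-02T09:01:02Z", "frank@example.org", "203.0.113.7", "success"),
    # One user failing twice then succeeding from another IP: not a spray.
    ("2024-05-02T09:03:00Z", "alice@example.org", "198.51.100.4", "failure"),
    ("2024-05-02T09:03:30Z", "alice@example.org", "198.51.100.4", "failure"),
    ("2024-05-02T09:04:00Z", "alice@example.org", "198.51.100.4", "success"),
]

# Constructed cloud control-plane events: (timestamp, user, operation).
# Operation names are placeholders, not real Azure operation identifiers.
SAMPLE_CLOUD_EVENTS = [
    ("2024-05-02T09:20:00Z", "frank@example.org", "CreateSubscription"),
    ("2024-05-02T10:00:00Z", "ops@example.org", "CreateVirtualMachine"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(signins, min_users=5, window=timedelta(minutes=10)):
    """Flag source IPs whose failures span >= min_users distinct accounts
    within `window`, and list accounts that IP later signed into successfully."""
    by_ip = defaultdict(list)
    for ts, user, ip, outcome in signins:
        by_ip[ip].append((parse_ts(ts), user, outcome))

    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [(t, u) for t, u, o in rows if o == "failure"]
        # Sliding window: for each failure, count distinct users within `window`.
        for i, (t0, _) in enumerate(failures):
            users = {u for t, u in failures[i:] if t - t0 <= window}
            if len(users) >= min_users:
                compromised = sorted({u for t, u, o in rows
                                      if o == "success" and t >= t0})
                alerts[ip] = {"sprayed_users": len(users),
                              "compromised": compromised}
                break
    return alerts


def resource_creation_by_compromised(alerts, cloud_events):
    """Return create operations performed by accounts a sprayed IP signed into."""
    suspects = {u for a in alerts.values() for u in a["compromised"]}
    return [(ts, u, op) for ts, u, op in cloud_events
            if u in suspects and op.startswith("Create")]


if __name__ == "__main__":
    found = detect_spray(SAMPLE_SIGNINS)
    print(found)
    print(resource_creation_by_compromised(found, SAMPLE_CLOUD_EVENTS))
```

The distinct-user threshold is what separates a spray from ordinary lockout noise: 203.0.113.7 fails once each against five accounts and is flagged, while 198.51.100.4 fails twice against the same account and is not. In production the window and threshold would be tuned against baseline sign-in volume, and the successful sign-in plus subsequent subscription creation is exactly the sequence the recommendation asks teams to watch for.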