
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

· Published 30/08/2024 17:46 · Modified 30/08/2024 18:08


Essential information

Tags
2024-08-30 azure abuse backdoor government targets iranian threat actor linkedin intelligence gathering password spray satellite sector tickler tickler malware
Related entities
9 observables, 1 intrusion sets (apt), 11 techniques (mitre), 1 malware, 8 others

Description

Between April and July 2024, the Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor called Tickler. The malware targeted organizations in the satellite, communications equipment, oil and gas, and government sectors in the United States and the UAE. Peach Sandstorm also conducted attacks against educational institutions and other sectors. The group used LinkedIn profiles for intelligence gathering and social engineering. Tickler collects network information and can execute various commands. Peach Sandstorm abused Azure resources for command-and-control infrastructure. Post-compromise activities included lateral movement via SMB, installing remote monitoring tools, and taking Active Directory snapshots.

External references