Good day everyone!

Microsoft brings us the #readoftheday with a threat group known as #PeachSandstorm. Believed to be operating out of Iran, the group deployed a new custom malware, the Tickler backdoor, and it sounds like they conduct espionage campaigns.

Looking at the behaviors, we can see a tried and true persistence mechanism (throw your answer in the comments if you spotted it as well; it's something I have mentioned too many times to count!) and then another technique used by many adversaries: drop a LEGIT remote monitoring and management (RMM) tool, in this case AnyDesk. But I am going to leave you guessing where we are going with this one! Enjoy the article and Happy Hunting!

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations | Microsoft Security Blog

Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab […]

Microsoft Security Blog

Unit 42 provides a technical analysis on Iranian APT Peach Sandstorm’s (aka APT33, Refined Kitten, Holmium, etc.) FalseFont backdoor. FalseFont is a highly targeted backdoor, and so far it has been reported to target job applicants in the aerospace and defense industries. While the GUI is active for user interaction, in the background, the second and main component of the malware is running. As it runs, it is establishing persistence and registering itself to its C2 server. Unit 42 describes the backdoor processes and capabilities. IOC provided. 🔗 https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/

#PeachSandstorm #APT33 #RefinedKitten #Iran #cyberespionage #FalseFont #backdoor #threatintel #IOC

Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention

Iran-linked APT Curious Serpens is using a new backdoor, FalseFont, to target the aerospace and defense industries through fake job recruitment.

Unit 42

Learning about Iranian #apt #peachsandstorm using #azure arc as persistence technique, I wanted to see how that works in practice. Made a write-up - turns out this could be semi-stealthy, at least on #linux servers! #dfir https://safecontrols.blog/2023/10/25/azure-arc-as-persistence-technique-stealthier-than-one-would-think-on-linux-servers/

Happy Friday everyone, I hope everyone survived this week!

The Microsoft Threat Intel team has been tracking an Iranian #APT known as #PeachSandstorm. They start with a password spray attack, and if they are successful they then utilize both publicly available and custom tools. They cover the attacks in much more detail and provide us with some mitigations and detections! Enjoy and Happy Hunting!

Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets
https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #APT33 #Elfin #RefinedKitten

Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets | Microsoft Security Blog

Since February 2023, Microsoft has observed a high volume of password spray attacks attributed to Peach Sandstorm, an Iranian nation-state group. In a small number of cases, Peach Sandstorm successfully authenticated to an account and used a combination of publicly available and custom tools for persistence, lateral movement, and exfiltration.

Microsoft Security Blog