翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 29-Aug-2024 00:57:45 JST: @screaminggoat Ah yes, yet more to add to the Total Cost of Ownedership of windows.
Not Simon 🐐 (screaminggoat@infosec.exchange)'s status on Thursday, 29-Aug-2024 00:57:47 JST: Microsoft: Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor dubbed "Tickler." Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering (intelligence gathering on LinkedIn). They described the Tickler malware, Azure resources abuse, and post-compromise activity:
- Lateral movement via Server Message Block (SMB)
- Downloading and installing a remote monitoring and management (RMM) tool
- Taking an Active Directory (AD) snapshot
IOC and hunting queries provided.
cc: @briankrebs @mttaggart @serghei @campuscodi @AAKL
#iran #peachsandstorm #cyberespionage #threatintel #IOC #tickler #backdoor #malwareanalysis #linkedin