Article 6QBV3 Iranian Hackers Are Using a New Malware to Compromise Gather Intelligence

Iranian Hackers Are Using a New Malware to Compromise Gather Intelligence

by
Krishi Chowdhary
from Techreport on (#6QBV3)
Tickler-ezgif.com-webp-to-jpg-converter-1200x633.jpg
  • According to the latest reports from Microsoft Threat Intelligence, a state-backed threat group called Peach Sandstorm has developed a new malware.
  • The malware is called Tickler" and is available in two versions. Its primary purpose is to gather intelligence.
  • The group is also leveraging social engineering attacks and password-spraying attacks to target its victims.

Tickler-ezgif.com-webp-to-jpg-converter-300x158.jpg

Iranian threat actors have come up with a new way to gather intelligence on critical infrastructure.

According to Microsoft Threat Intelligence, a state-backed threat group called Peach Sandstorm (Also known as APT33, Holmium, Magnallium, Elfin, and Refined Kitten) is using a custom-built backdoor, mostly targeting satellite and communication equipment.

This backdoor, which Microsoft is calling Tickler", is a special multi-stage malware that is used to compromise a target and then move laterally to collect data using remote monitoring and management (RMM) tools, Server Message Block (SMB) and Active Directory (AD) snapshots.

Also, there are two versions of Tickler, both of which were discovered by Microsoft.

First Version

The first one was found in a file named Network Security.zip' alongside a couple of generic PDF documents that were supposed to act as a decoy.

  • The actual malware file had the same name as the decoy PDFs but what gave it away was that it was an executable file with the suffix .pdf.exe'.
  • And when you launch this file, it starts collecting network information from the host device by decrypting kernell32.dll, and then transferring the data to the C2 infrastructure.
Second Version

The second version of Tickler also works in a similar way. However, it can also download additional malware from the C2 infrastructure and execute it on the host device.

This in turn allows the DLL sideloading to establish a backdoor that the threat actors can use to run a number of unauthorized commands such as deleting files, executing files, or downloading/uploading files from the C2 infrastructure.

Other Attacks

Peach Sandstorm's attack methods aren't just limited to this Tickler malware. Microsoft has noted time and again that it uses LinkedIn for collecting data and launching social engineering attacks.

It is also often seen conducting password-spraying attacks. Its latest password-spraying victim includes educational institutions, defense, space, oil & gas, and government bodies in the USA and Australia.

Note: Password spraying attack refers to the practice of trying to break into multiple accounts using a single password.

Last but not least, the hacker group has also been found using Azure infrastructure hosted on compromised accounts for command and control.

The threat of state-backed Iranian attacks is growing day by day.

  • Google's Mandiant also published a report on an Iranian counterintelligence operation that aimed to find individuals collaborating with Iran's adversaries, particularly Israel.
  • At the same time, the US government has also issued an advisory on how Iranian state-sponsored attackers are collaborating with ransomware groups.
  • Microsoft also revealed that some Iranian groups are stepping up to meddle with the US elections by engaging in significant influence activity.
  • Recently, US authorities also blamed Iranian groups for hacking Donald Trump's presidential campaign and attempting to do the same with Kamala Harris.

The US elections are barely 2 months away now. With external threats increasing, it is imperative for cybersecurity experts to keep a keen eye on the US cyber infrastructure.

The post Iranian Hackers Are Using a New Malware to Compromise Gather Intelligence appeared first on The Tech Report.

External Content
Source RSS or Atom Feed
Feed Location https://techreport.com/feed/
Feed Title Techreport
Feed Link https://techreport.com/
Reply 0 comments