Iranian Hackers Unveil Game-Changing Windows Backdoor

December 24, 2023
2 mins read

Iranian hacking group Peach Sandstorm has developed a new backdoor called “FalseFont” that enables threat actors to hack Microsoft’s Windows operating system, according to cybersecurity researchers at Microsoft Threat Intelligence team. The backdoor provides remote access, file launching, and data transmission capabilities to its operators. It was detected during operations against its targets in November 2023. Microsoft Defender Antivirus has already detected the “FalseFont” backdoor as MSIL/FalseFont.A!dha. The researchers are actively investigating Peach Sandstorm’s activities and providing mitigations to organizations targeted by the group.

Key Points:

  • Iranian hacking group Peach Sandstorm has developed a new backdoor called “FalseFont” to hack Microsoft’s Windows operating system.
  • The backdoor provides remote access, file launching, and data transmission capabilities.
  • Microsoft Defender Antivirus has detected the “FalseFont” backdoor as MSIL/FalseFont.A!dha.
  • Researchers are actively investigating Peach Sandstorm’s activities and providing mitigations to targeted organizations.

Cybersecurity researchers at Microsoft Threat Intelligence have discovered a new backdoor called “FalseFont” that enables threat actors to hack Microsoft’s Windows operating system. The backdoor was developed by the Iranian hacking group Peach Sandstorm, which targets various sectors globally. The group is linked to APT33 and Elfin Refined Kitten and primarily focuses on sectors such as aviation, construction, defense, education, energy, finance, healthcare, government, satellite, and telecommunications. In 2023, the group showed persistent interest in the satellite, defense, and pharmaceutical sectors.

Peach Sandstorm has a history of using password spray campaigns and exhibits opportunistic behavior. However, its recent activities in 2023 have showcased advanced cloud-based techniques, indicating a shift towards stealthier operations. The FalseFont backdoor was detected in early November 2023 during operations against its targets.

FalseFont provides remote access, file launching, and data transmission capabilities to its operators. It aligns with Microsoft’s year-long observation of Peach Sandstorm, indicating ongoing enhancement of their newly developed custom backdoor. Microsoft Defender Antivirus has already detected the FalseFont backdoor as MSIL/FalseFont.A!dha.

Microsoft Threat Intelligence is actively investigating Peach Sandstorm’s activities and providing mitigations for organizations targeted by the group. They recommend resetting passwords for accounts targeted in password spray attacks and revoking any changes to multifactor authentication settings made by attackers on compromised accounts. They also advise implementing Azure Security Benchmark and general best practices for identity infrastructure security, creating conditional access policies based on defined criteria, and blocking legacy authentication with Microsoft Entra ID using Conditional Access to prevent password spray attacks. Other recommendations include practicing the least privilege and auditing privileged account activity, deploying Microsoft Entra ID Connect Health for AD FS to capture failed attempts and IP addresses in logs, and using Microsoft Entra ID password protection to detect and block weak passwords. It is also suggested to turn on identity protection in Microsoft Entra ID, employ MFA for privileged accounts and risk-based MFA for normal accounts, and consider transitioning to passwordless authentication methods like Azure MFA or Windows Hello for Business. Organizations are also advised to secure RDP or Windows Virtual Desktop endpoints with MFA, treat AD FS servers as Tier 0 assets, and practice credential hygiene, including logon restrictions and controls like Windows Firewall on easily compromised systems. Finally, organizations are encouraged to consider migrating to Microsoft Entra ID authentication to reduce the risk of on-premises compromises.

Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and