TLDR:
- Iranian state-sponsored threat actor Peach Sandstorm deployed new custom Tickler malware in attacks against various sectors in the US and UAE.
- Peach Sandstorm used password spray attacks and social engineering via LinkedIn to gather intelligence.
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
Between April and July 2024, the Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor named Tickler in attacks targeting the satellite, communications equipment, oil and gas, and federal and state government sectors in the US and UAE. The threat actor continued to use password spray attacks against the educational sector for procurement purposes, while also conducting intelligence gathering and possible social engineering on LinkedIn against the higher education, satellite, and defense sectors.
Peach Sandstorm has evolved its tradecraft over time, adopting new tactics such as deploying Tickler malware through Azure infrastructure for command-and-control. The malware collects network information and lets the threat actor run various commands on compromised systems. The group also carried out post-compromise activities including lateral movement over Server Message Block (SMB), installation of remote monitoring tools such as AnyDesk, and taking Active Directory snapshots.