Peach Sandstorm debuts custom Tickler malware for intel gathering missions

August 29, 2024

TLDR:

  • Iranian state-sponsored threat actor Peach Sandstorm deployed new custom Tickler malware in attacks against various sectors in the US and UAE.
  • Peach Sandstorm used password spray attacks and social engineering via LinkedIn to gather intelligence.

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

Between April and July 2024, Iranian state-sponsored threat actor Peach Sandstorm deployed a new custom multi-stage backdoor named Tickler in attacks targeting sectors such as satellite, communications equipment, oil and gas, federal, and state government in the US and UAE. The threat actor continued using password spray attacks against the educational sector for procurement purposes while also conducting intelligence gathering and possible social engineering targeting on LinkedIn within the higher education, satellite, and defense sectors.

Peach Sandstorm has evolved its tradecraft over time, adopting new tactics such as deploying the Tickler malware with Azure infrastructure used for command-and-control. The malware collects network information and lets the threat actor run various commands on compromised systems. The group also carried out post-compromise activity such as lateral movement over Server Message Block (SMB), installation of remote monitoring and management tools like AnyDesk, and taking Active Directory snapshots.
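The password spray activity described above is detectable from authentication logs, and the following is an added illustration of that check (written for this page; it is not code from Microsoft or from the article). It parses constructed sign-in log lines (the line format, field names, user names and IP addresses are assumptions, not real telemetry) and flags a source address that fails against many distinct accounts with only a few attempts each, which is the low-and-slow shape of a spray rather than a brute force against one account. It then lists any later successful sign-in from the same source, since a spray followed by a success is the finding worth escalating.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article or any real telemetry).
# Fields: timestamp, outcome, user, source IP. Source 203.0.113.7 sprays one
# attempt across six accounts and then succeeds on one; 198.51.100.20 hammers
# a single account and should NOT be flagged as a spray.
SAMPLE_LOG = """\
2024-06-12T09:00:01Z FAILED_LOGIN user=alice src=203.0.113.7
2024-06-12T09:00:03Z FAILED_LOGIN user=bob src=203.0.113.7
2024-06-12T09:00:05Z FAILED_LOGIN user=carol src=203.0.113.7
2024-06-12T09:00:07Z FAILED_LOGIN user=dave src=203.0.113.7
2024-06-12T09:00:09Z FAILED_LOGIN user=erin src=203.0.113.7
2024-06-12T09:00:11Z FAILED_LOGIN user=frank src=203.0.113.7
2024-06-12T09:00:13Z SUCCESS_LOGIN user=grace src=203.0.113.7
2024-06-12T09:01:00Z FAILED_LOGIN user=alice src=198.51.100.20
2024-06-12T09:01:05Z FAILED_LOGIN user=alice src=198.51.100.20
2024-06-12T09:01:10Z FAILED_LOGIN user=alice src=198.51.100.20
2024-06-12T09:01:15Z SUCCESS_LOGIN user=alice src=198.51.100.20
"""

# Assumed line format for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>FAILED_LOGIN|SUCCESS_LOGIN) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, event, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Flag sources whose failures within `window` touch at least `min_users`
    distinct accounts with at most `max_per_user` attempts each. Returns a
    dict keyed by source address; thresholds are tunable assumptions."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, event, user, src in events:
        bucket = failures if event == "FAILED_LOGIN" else successes
        bucket[src].append((ts, user))

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        best = None  # (distinct_users, window_start) for the widest spray window seen
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            spray_shaped = (len(per_user) >= min_users
                            and max(per_user.values()) <= max_per_user)
            if spray_shaped and (best is None or len(per_user) > best[0]):
                best = (len(per_user), fails[start][0])
        if best is None:
            continue
        distinct_users, win_start = best
        # Any success from the same source after the spray began is the escalation signal.
        later_success = sorted({u for ts, u in successes.get(src, []) if ts >= win_start})
        findings[src] = {
            "distinct_users": distinct_users,
            "window_start": win_start.isoformat(),
            "successful_logins_after": later_success,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds (five accounts, two attempts per account, ten-minute window) are starting points to tune against a tenant's own baseline; the per-user cap is what separates a spray from ordinary brute force, and the "successful login after spray" field is the one to route to an analyst first.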
