An Iranian state-sponsored threat actor group has been using a new malware to attack targets including federal and state government sectors in the US and the United Arab Emirates (UAE).
The group, Peach Sandstorm (also tracked as APT33, Elfin, Holmium, Magnallium and Refined Kitten), was observed by Microsoft between April and July 2024 deploying a custom multi-stage backdoor dubbed Tickler. Once a system is compromised, Tickler lets the attackers download further malware onto it; it can also collect system information, delete files, execute commands, and upload or download files to or from a command and control server.
Due to the nature and targets of the attacks, everything points to the group working on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) as a means of gathering intelligence for the regime.
Since the beginning of 2023, Microsoft has observed Peach Sandstorm carrying out password sprays - a single weak password is tried against many usernames, which avoids the account lockout that repeated password attempts against one username would trigger - against thousands of organisations across various sectors, including education, defence, satellite and government. The satellite, defence and higher education sectors, along with individuals within them, have also been targeted in the same way via LinkedIn.
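The spray pattern described above leaves a distinctive footprint in authentication logs: one source failing against many accounts with only a few attempts each, which per-account lockout thresholds never see. The following detector, an added example and not code from Microsoft's report, flags that footprint over constructed sample log lines (the log format, IP addresses and usernames are assumed for illustration).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source_ip> <username> <result>".
# 203.0.113.5 sprays one guess across six accounts (five fail, one succeeds),
# 198.51.100.7 hammers one account (brute force, which lockout already stops),
# 192.0.2.9 is a legitimate user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 alice FAIL
2024-05-01T10:00:03 203.0.113.5 bob FAIL
2024-05-01T10:00:05 203.0.113.5 carol FAIL
2024-05-01T10:00:07 203.0.113.5 dave FAIL
2024-05-01T10:00:09 203.0.113.5 erin FAIL
2024-05-01T10:00:11 203.0.113.5 frank SUCCESS
2024-05-01T10:05:00 198.51.100.7 alice FAIL
2024-05-01T10:05:02 198.51.100.7 alice FAIL
2024-05-01T10:05:04 198.51.100.7 alice FAIL
2024-05-01T10:05:06 198.51.100.7 alice FAIL
2024-05-01T11:30:00 192.0.2.9 grace FAIL
2024-05-01T11:30:30 192.0.2.9 grace SUCCESS
"""

def parse_log(text):  # -> list of (timestamp, source_ip, username, result)
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return {source: sorted usernames} for sources that, inside one `window`,
    fail against >= `min_users` distinct accounts with no account failing more
    than `max_per_user` times: many accounts, few tries each, below lockout."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    flagged = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):          # sliding time window per source
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = sorted(counts)
                break
    return flagged
```

The thresholds are tuning knobs: a per-account lockout policy of N failures suggests `max_per_user` just below N, and `min_users` should sit above the number of distinct accounts a single legitimate source (such as a shared NAT gateway) normally fails against in the window.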
The arrival of Tickler is consistent with the evolution of the group's cyber operations, and Microsoft is continuously monitoring and analysing developments.
"Microsoft tracks Peach Sandstorm campaigns and directly notifies customers who we observe have been targeted or compromised, providing them with the necessary information to help secure their environment," said the tech giant in a statement.