Pierluigi Paganini August 29, 2024

Iran-linked group APT33 used new Tickler malware in attacks against organizations in the government, defense, satellite, oil and gas sectors.

Microsoft researchers reported that the Iran-linked cyberespionage group APT33  (aka Peach Sandstorm, Holmium, Elfin, Refined Kitten, and Magic Hound) used new custom multi-stage backdoor called Tickler to compromise organizations in sectors such as government, defense, satellite, oil, and gas in the U.S. and UAE. The APT group conducted a cyber espionage campaign between April and July 2024 and used Microsoft’s Azure infrastructure for C2 infrastructure. Microsoft discovered that the threat actors used fraudulent subscriptions to its services and promptly disrupted them.

The group continued to carry out password spray attacks targeting the educational sector for infrastructure procurement and focused on the satellite, government, and defense sectors for intelligence gathering. The group also relied on social engineering efforts in attacks against organizations in the higher education, satellite, and defense sectors through LinkedIn.

“During the group’s latest operations, Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering. Between April and July 2024, Peach Sandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2).” reads the report published by Microsoft. “Microsoft continuously monitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service. Microsoft has notified affected organizations and disrupted the fraudulent Azure infrastructure and accounts associated with this activity.”

Microsoft Threat Intelligence team identified two samples of the Tickler malware in compromised environments as recently as July 2024.

The first sample, contained in a file named Network Security.zip including:

• YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe (Tickler malware disguised as a PDF)
• Two benign PDF files used as decoys.

The malware is a 64-bit C/C++ executable starts by locating and loading kernel32.dll to execute its functions. It then launches a decoy PDF while collecting network information from the host, which is sent to the C2 server via an HTTP POST request.

The second sample is an improved version of the initial malware, its second version named sold.dll acts as a Trojan dropper. This version downloads additional payloads from the C2 server, including a backdoor and a batch script to maintain persistence on the compromised system.

Microsoft observed APT33 creating Azure tenants using Microsoft Outlook email accounts and setting up Azure for Students subscriptions within these tenants. They also leveraged compromised accounts from educational institutions to create additional Azure tenants. The tenants were used as C2 servers for the malware. Microsoft noted that other Iranian groups, such as Smoke Sandstorm, have employed similar techniques recently.

The Peach Sandstorm threat actor was observed performing lateral movement via SMB. After compromising a European defense organization, they used the Server Message Block (SMB) protocol to move laterally across the network, exploiting its file-sharing capabilities to gain control over multiple systems.

Microsoft shared Indicators of compromise (IoCs) and mitigations for recent attacks.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, APT33)