Iranian hackers use new softwa...
Security / Business / Fortune
30 August, 2024
Microsoft has discovered that Iranian hackers have been deploying a newly created custom backdoor in attacks against US and UAE organizations.
The group goes by several names, including APT33, Elfin, Holmium, Magnallium, and Refined Kitten, but Microsoft tracks it as Peach Sandstorm. Microsoft says it observed the threat actor targeting employees of US defense industrial base organizations toward the end of 2023. More recently, Microsoft has seen Peach Sandstorm conducting intelligence-gathering operations against satellite, communications equipment, government, and oil and gas organizations in the United States and the United Arab Emirates (UAE) using a new piece of malware it has dubbed Tickler.
Tickler is a custom multi-stage backdoor that lets the attackers download additional malware to compromised systems. Microsoft found that the malicious payloads can collect system information, execute commands, delete files, and upload or download files to and from a command-and-control (C&C) server. Microsoft also reported that Peach Sandstorm continues to use LinkedIn for social engineering and intelligence gathering.
In addition, the group has continued to carry out password spray attacks; it has most recently been observed targeting US and Australian government, military, and space agencies. Microsoft also reported that the threat actors ran their command-and-control infrastructure on Azure, hosted in fraudulent, attacker-controlled Azure subscriptions.
Microsoft's research was released on the same day that the US government published an advisory on Iranian state-sponsored actors' collaboration with ransomware groups and Google Cloud's Mandiant published a report on an Iranian counterintelligence operation. Reports on Iranian hackers targeting elections have also recently been released by Microsoft, Google, Meta, and the US government.