

August 29, 2024
Severity
High
Analysis Summary
The Iran-affiliated cyber-espionage group APT33 (also tracked as Peach Sandstorm, Holmium, Elfin, and Refined Kitten) compromised organizations in the government, defense, satellite, and oil and gas sectors in the United States and the United Arab Emirates using a newly developed multi-stage backdoor called Tickler.
Between April and July 2024, the group ran a cyber-espionage campaign that used attacker-controlled Microsoft Azure subscriptions as command-and-control (C2) infrastructure. Once Microsoft identified the activity, it disrupted the fraudulent subscriptions. The group continued its password spray attacks, targeting the government, defense, and satellite sectors to collect intelligence, and the education sector to acquire infrastructure (accounts and subscriptions it could abuse). It also used LinkedIn-based social engineering against defense, satellite, and higher-education targets.
Microsoft observed new tactics, techniques, and procedures (TTPs) in the group's most recent activity: initial access through password spraying or social engineering, followed by C2 traffic to Azure infrastructure hosted in fictitious, attacker-controlled Azure subscriptions between April and July 2024. The new custom multi-stage backdoor, Tickler, was delivered during this period. Microsoft monitors Azure for violations of its terms of service; it has taken down the fraudulent Azure infrastructure and accounts linked to this activity and notified the affected organizations.
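Password spraying, the initial-access technique described above, has a distinctive shape in sign-in telemetry: one source tries a small number of passwords against many accounts, so each account sees only one or two failures while the source accumulates failures across many users. The script below is an added example written for this advisory (it is not Microsoft's code and not part of the original page) that applies that rule to a constructed, simplified sign-in log. Field names (ts, user, src_ip, result) and the sample records are assumptions for the example; map real Entra ID sign-in log fields onto them before use.

```python
"""Password-spray detection over sign-in records.

Added example for this advisory; not Microsoft's code and not part of the
original page. Input is a constructed, simplified format: one JSON object per
line with ts (UTC, ISO-8601), user, src_ip and result (0 = success, otherwise
the failure code; 50126 is Entra ID's invalid-username-or-password code).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against six accounts in
# twenty seconds and later signs in as one of them; 198.51.100.20 is a user
# mistyping their own password, which a spray rule must not flag.
SAMPLE_LOG = """\
{"ts": "2024-06-03T08:00:01Z", "user": "a.ahmed@example.org", "src_ip": "203.0.113.7", "result": 50126}
{"ts": "2024-06-03T08:00:04Z", "user": "b.khan@example.org", "src_ip": "203.0.113.7", "result": 50126}
{"ts": "2024-06-03T08:00:07Z", "user": "c.noor@example.org", "src_ip": "203.0.113.7", "result": 50126}
{"ts": "2024-06-03T08:00:11Z", "user": "d.omar@example.org", "src_ip": "203.0.113.7", "result": 50126}
{"ts": "2024-06-03T08:00:15Z", "user": "e.rashid@example.org", "src_ip": "203.0.113.7", "result": 50126}
{"ts": "2024-06-03T08:00:19Z", "user": "f.saleh@example.org", "src_ip": "203.0.113.7", "result": 50126}
{"ts": "2024-06-03T08:12:40Z", "user": "f.saleh@example.org", "src_ip": "203.0.113.7", "result": 0}
{"ts": "2024-06-03T08:01:00Z", "user": "g.tariq@example.org", "src_ip": "198.51.100.20", "result": 50126}
{"ts": "2024-06-03T08:01:30Z", "user": "g.tariq@example.org", "src_ip": "198.51.100.20", "result": 50126}
{"ts": "2024-06-03T08:02:00Z", "user": "g.tariq@example.org", "src_ip": "198.51.100.20", "result": 50126}
{"ts": "2024-06-03T08:02:30Z", "user": "g.tariq@example.org", "src_ip": "198.51.100.20", "result": 0}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, converting ts to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=3):
    """Flag source IPs whose failures inside any `window` touch at least
    `min_users` distinct accounts with no more than `max_per_user` failures
    each (many users, few tries each: the spray signature, as opposed to a
    brute force against one account). For each flagged IP, also report
    accounts that signed in successfully from it after the spray began.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] != 0]
        best, start = None, 0
        for end in range(len(failures)):
            # Slide the window's left edge forward until the span fits.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            win = failures[start:end + 1]
            per_user = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    spray_start = win[0]["ts"]
                    best = {
                        "distinct_users": len(per_user),
                        "failures": len(win),
                        "spray_start": spray_start.isoformat(),
                        # A success from the spraying IP is the account to reset first.
                        "successes_after_spray": sorted(
                            {e["user"] for e in evs
                             if e["result"] == 0 and e["ts"] >= spray_start}),
                    }
        if best:
            findings[ip] = best
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_password_spray(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, finding in run_sample().items():
        print(ip, finding)
```

The thresholds are starting points, not tuned values: raise `min_users` for large tenants where a single NAT egress legitimately carries many users' typos, and widen `window` if the actor spaces attempts to stay under lockout policies. Sources that rotate IPs per attempt will not group by `src_ip`; pivot on user-agent or ASN instead.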

As recently as July 2024, the Microsoft Threat Intelligence team identified two Tickler samples in compromised environments. The first was delivered in an archive named Network Security.zip containing:
- YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe, a Windows executable carrying the Tickler malware, named with a double extension so that it passes for a PDF
- Two benign PDF files used as decoys
Tickler is a 64-bit C/C++ native executable that loads kernel32.dll at process start to resolve the functions it needs. It then opens a decoy PDF for the victim while collecting network information from the host and sending it to the C2 server in an HTTP POST request. The second sample, sold.dll, is a refined version that functions as a trojan dropper: to establish persistence on the compromised host, it downloads additional payloads from the C2 server, including a batch script and a backdoor.
Microsoft observed the group using Outlook email addresses to create Azure tenants and then provisioning Azure for Students subscriptions within them; it also created further tenants with hijacked accounts from educational institutions. These tenants hosted the malware's C2 servers. Microsoft noted that other Iranian actors, such as Smoke Sandstorm, have recently used the same tradecraft. Peach Sandstorm was also seen moving laterally over Server Message Block (SMB): after compromising a European defense organization, it used SMB file shares to reach and take control of additional systems on the network.
Impact
- Cyber Espionage
- Sensitive Data Theft
- Data Exfiltration
Indicators of Compromise
MD5
- ea79d9e044c7daff1de15f95f49a0265
- 8fb5a771ce2d32b394765ee123eaa902
- 8bd712b0a49f4fecd39d30ebd121832c
- 3f29429fce0168748d7cc75e1478aedc
SHA-256
- 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198
- ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4
- fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f
- 711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350
SHA-1
- fb4b1b9244a924015eb82296dbecf5fa2a861ba9
- eac88e085d69c92dad41497583eb82e8c39dd5fe
- 3109f95f07c178fc56d714be8e02b02a2e007f1d
- 5c89f10fbb6ac0ad027f7ac08f71499c8cc264b3
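The hashes above catch the exact samples Microsoft recovered; the delivery pattern described earlier (an archive holding a `.pdf.exe` next to benign decoy PDFs) catches repacked variants whose hashes differ. The script below is an added example written for this advisory, not code from Microsoft, the threat actor, or the original page. It scans an archive for double-extension names, for files that carry a Windows PE header under a document extension, and for hashes on this advisory's IOC list. The archive it scans is constructed in memory so it runs offline; its `.pdf.exe` member is an inert placeholder that begins with the `MZ` magic number, not the real Tickler sample.

```python
"""Hunt for Tickler-style lures in an archive: double-extension executables,
PE files hiding behind document extensions, and hashes on the IOC list.

Added example for this advisory; not Microsoft's code, not the threat actor's,
and not part of the original page. The IOC digests are the ones listed in this
advisory. The archive scanned below is constructed in memory; its .pdf.exe
entry is an inert placeholder, not the real sample.
"""
import hashlib
import io
import re
import zipfile

IOC_MD5 = {
    "ea79d9e044c7daff1de15f95f49a0265", "8fb5a771ce2d32b394765ee123eaa902",
    "8bd712b0a49f4fecd39d30ebd121832c", "3f29429fce0168748d7cc75e1478aedc",
}
IOC_SHA1 = {
    "fb4b1b9244a924015eb82296dbecf5fa2a861ba9", "eac88e085d69c92dad41497583eb82e8c39dd5fe",
    "3109f95f07c178fc56d714be8e02b02a2e007f1d", "5c89f10fbb6ac0ad027f7ac08f71499c8cc264b3",
}
IOC_SHA256 = {
    "7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198",
    "ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4",
    "fb70ff49411ce04951895977acfc06fa468e4aa504676dedeb40ba5cea76f37f",
    "711d3deccc22f5acfd3a41b8c8defb111db0f2b474febdc7f20a468f67db0350",
}

DOC_EXT = r"pdf|docx?|xlsx?|pptx?|txt|jpe?g|png"
EXEC_EXT = r"exe|scr|com|pif|dll|bat|cmd|js|vbs|ps1"
# "GUIDE.pdf.exe": a document extension immediately followed by an executable one.
DOUBLE_EXT_RE = re.compile(rf"\.({DOC_EXT})\.({EXEC_EXT})$", re.IGNORECASE)
DOC_EXT_RE = re.compile(rf"\.({DOC_EXT})$", re.IGNORECASE)


def digests(data):
    """MD5, SHA-1 and SHA-256 of a byte string as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(d, md5=IOC_MD5, sha1=IOC_SHA1, sha256=IOC_SHA256):
    """Names of the algorithms whose digest appears in the IOC sets."""
    return [name for name, ioc in (("md5", md5), ("sha1", sha1), ("sha256", sha256))
            if d[name] in ioc]


def is_pe(data):
    """Windows executables start with the 'MZ' DOS header, whatever they are named."""
    return data[:2] == b"MZ"


def scan_zip(zip_bytes, **ioc_sets):
    """Return [(member_name, [reasons])] for suspicious archive members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            reasons = []
            if DOUBLE_EXT_RE.search(info.filename):
                reasons.append("double extension")
            if is_pe(data) and DOC_EXT_RE.search(info.filename):
                reasons.append("PE header under a document extension")
            hits = match_iocs(digests(data), **ioc_sets)
            if hits:
                reasons.append("hash on IOC list (" + ", ".join(hits) + ")")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed stand-in for Network Security.zip: an inert 'MZ' placeholder under
    the lure's double-extension name, two benign decoys, and a PE renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("YAHSAT NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20240421.pdf.exe",
                    b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real sample")
        zf.writestr("decoy_1.pdf", b"%PDF-1.4\n% constructed benign decoy\n")
        zf.writestr("decoy_2.pdf", b"%PDF-1.4\n% constructed benign decoy\n")
        zf.writestr("renamed_tool.pdf", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()):
        print(f"{name}: {'; '.join(reasons)}")
```

Run the same `digests`/`match_iocs` pair over mail-gateway quarantines and endpoint file inventories, not only archives; the hash check is exact and cheap, while the two name-based rules are heuristics and will surface legitimate installers shipped as `setup.pdf.exe` by careless vendors, so treat them as triage leads rather than verdicts.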
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Passwords and MFA – Enforce strong, non-reused passwords and require multi-factor authentication on all accounts; a password spray only yields access where MFA is absent. Alert on many failed sign-ins against distinct accounts from a single source, and review successful sign-ins that follow such activity.
- Admin Access – Limit administrative accounts and portals to the personnel who need them, and make sure they are not reachable from the public internet.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.