{"id":167730,"date":"2024-08-29T05:38:36","date_gmt":"2024-08-29T05:38:36","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=167730"},"modified":"2024-08-29T05:38:38","modified_gmt":"2024-08-29T05:38:38","slug":"apt33-used-new-tickler-malware","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/167730\/apt\/apt33-used-new-tickler-malware.html","title":{"rendered":"Iran-linked group APT33 adds new Tickler malware to its arsenal"},"content":{"rendered":"

Iran-linked group APT33 used new Tickler malware in attacks against organizations in the government, defense, satellite, oil and gas sectors.

Microsoft researchers reported that the Iran-linked cyberespionage group APT33 (aka Peach Sandstorm, Holmium, Elfin, Refined Kitten, and Magic Hound) used a new custom multi-stage backdoor called Tickler to compromise organizations in sectors such as government, defense, satellite, oil, and gas in the U.S. and UAE. The APT group conducted a cyberespionage campaign between April and July 2024 and hosted its command-and-control (C2) infrastructure on Microsoft's Azure cloud. Microsoft discovered that the threat actors used fraudulent Azure subscriptions for this purpose and promptly disrupted them.

The group continued to carry out password spray attacks targeting the educational sector for infrastructure procurement and focused on the satellite, government, and defense sectors for intelligence gathering. The group also relied on social engineering efforts in attacks against organizations in the higher education, satellite, and defense sectors through LinkedIn.

“During the group’s latest operations, Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access via password spray attacks or social engineering. Between April and July 2024, Peach Sandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2).” reads the report published by Microsoft. “Microsoft continuously monitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service. Microsoft has notified affected organizations and disrupted the fraudulent Azure infrastructure and accounts associated with this activity.”

[Figure: APT33]

Microsoft's Threat Intelligence team identified two samples of the Tickler malware in compromised environments as recently as July 2024.

The first sample was contained in a file named Network Security.zip, which included: