Two benign PDF files used as decoys.

The malware is a 64-bit C/C++ executable that starts by locating and loading kernel32.dll in order to call its functions. It then launches a decoy PDF while collecting network information from the host, which it sends to the C2 server via an HTTP POST request.

The second sample is an improved version of the initial malware. Named sold.dll, this second version acts as a Trojan dropper: it downloads additional payloads from the C2 server, including a backdoor and a batch script used to maintain persistence on the compromised system.
Microsoft observed APT33 creating Azure tenants using Microsoft Outlook email accounts and setting up Azure for Students subscriptions within these tenants. They also leveraged compromised accounts from educational institutions to create additional Azure tenants. The tenants were used as C2 servers for the malware. Microsoft noted that other Iranian groups, such as Smoke Sandstorm, have recently employed similar techniques.

The Peach Sandstorm threat actor was observed performing lateral movement via SMB. After compromising a European defense organization, they used the Server Message Block (SMB) protocol to move laterally across the network, exploiting its file-sharing capabilities to gain control over multiple systems.