| Tickler | |
|---|---|
| Type of Malware | Backdoor |
| Country of Origin | Iran |
| Targeted Countries | United States |
| Date of Initial Activity | 2024 |
| Associated Groups | Peach Sandstorm |
| Motivation | Cyberwarfare |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Windows |
Overview
Tickler malware, identified by Microsoft Threat Intelligence, represents a new phase in the ongoing cyber operations of the Iranian state-sponsored threat actor Peach Sandstorm. This custom, multi-stage backdoor has been actively deployed between April and July 2024, with the primary objective of gathering intelligence from high-value targets in critical sectors such as satellite communications, defense, oil and gas, as well as government entities in the United States and the United Arab Emirates. Tickler’s introduction marks an evolution in Peach Sandstorm’s tactics, showcasing a blend of sophisticated tradecraft and strategic innovation designed to support long-term intelligence operations.
Tickler malware is designed to provide attackers with deep access to compromised systems, enabling them to gather network information and deploy additional payloads with stealth and persistence. This malware is delivered through seemingly benign documents, including decoy PDFs, which, once executed, unleash a series of complex actions. These actions include encrypting and exfiltrating system data to the attacker’s command-and-control (C2) infrastructure. The malware’s ability to blend with legitimate network processes and its multi-stage infection mechanism make it particularly difficult to detect, enhancing the effectiveness of Peach Sandstorm’s espionage activities.
Targets
Public Administration
Mining, Quarrying, and Oil and Gas Extraction
Information
How they operate
Upon initial infection, Tickler malware typically enters a target system through phishing emails, which contain malicious attachments disguised as benign documents. These attachments are often PDF files that, when opened, trigger a series of malicious actions. The malware payload is hidden within these documents, leveraging embedded scripts or macros to exploit vulnerabilities in the system. Once executed, the malware establishes communication with a command-and-control (C2) server, which is often hosted on compromised cloud services, such as Microsoft Azure. This enables the attackers to control the infected system remotely and issue commands without the need for direct interaction with the compromised machine.
Tickler’s core functionality revolves around persistence, privilege escalation, and data exfiltration. After the initial execution, the malware ensures its continued presence on the system by adding registry keys or creating scheduled tasks. These methods enable Tickler to re-execute upon system reboot, preventing removal and allowing persistent access. Additionally, Tickler employs techniques to escalate its privileges, potentially exploiting vulnerabilities to gain higher levels of access within the network. This ability is critical for the attackers, as it allows them to move laterally across the compromised network and access more sensitive systems.
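The two persistence mechanisms named above, Run-key registry writes and scheduled tasks (also item 3 in the MITRE section below), both leave telemetry a defender can triage. The script below is an added example, not code from the page or from Microsoft's reporting on Tickler: it runs a simple triage over constructed events in a simplified JSON shape that borrows field names from Sysmon Event ID 13 (registry value set) and Windows Security Event ID 4698 (scheduled task created); the path heuristics and sample values are assumptions chosen for illustration.

```python
"""Triage constructed Windows telemetry for Run-key and scheduled-task persistence.

Heuristic: a new autorun entry or task whose target executable lives in a
user-writable location (AppData, ProgramData, Temp, Public) deserves review,
while entries pointing at Program Files or System32 are left alone.
"""
import re

# Constructed sample events (simplified JSON shape; not a real product export).
SAMPLE_EVENTS = [
    # Sysmon 13: HKCU Run value added, payload in the user's Temp directory
    {"EventID": 13, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"},
    # Sysmon 13: installer adding a Run value that points into Program Files
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" /background"},
    # Security 4698: task created by a user, action runs from ProgramData
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Microsoft\\Windows\\Sync",
     "TaskContent": "<Exec><Command>C:\\ProgramData\\sync\\sync.exe</Command></Exec>"},
    # Security 4698: built-in maintenance task running a System32 binary
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"},
    # Sysmon 13: unrelated registry write (Explorer setting)
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Autorun keys under HKCU or HKLM (Run and RunOnce).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Locations an ordinary user can write to.
USER_WRITABLE_RE = re.compile(r"(\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Public\\)", re.I)
# Commands launched straight out of System32 (either spelling of the Windows dir).
SYSTEM_DIR_RE = re.compile(r"^(%windir%|C:\\Windows)\\system32\\", re.I)


def extract_task_command(task_xml: str) -> str:
    """Pull the <Command> element out of a 4698 TaskContent blob."""
    m = re.search(r"<Command>(.*?)</Command>", task_xml, re.I | re.S)
    return m.group(1).strip() if m else ""


def triage(events):
    """Return (rule_name, identifier) findings for persistence-shaped events."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            # Flag autorun values whose target binary sits in a user-writable path.
            if USER_WRITABLE_RE.search(ev.get("Details", "")):
                findings.append(("run_key_user_writable_path", ev["TargetObject"]))
        elif eid == 4698:
            cmd = extract_task_command(ev.get("TaskContent", ""))
            if cmd and not SYSTEM_DIR_RE.match(cmd) and USER_WRITABLE_RE.search(cmd):
                findings.append(("scheduled_task_user_writable_path", ev["TaskName"]))
    return findings


if __name__ == "__main__":
    for rule, ident in triage(SAMPLE_EVENTS):
        print(f"{rule}: {ident}")
```

On the constructed sample this flags the Run value pointing into the user's Temp directory and the task launching from ProgramData, and leaves the installer and Defrag entries alone. In practice the path heuristic is a first filter, not a verdict: the same two event IDs should also be correlated with the process that wrote the key or created the task, which for a document-delivered backdoor is often a scripting host or office process rather than an installer.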
One of Tickler’s most concerning capabilities is its data exfiltration technique. The malware collects critical information from the compromised system, including network configurations, user credentials, and other sensitive data. It then sends this information back to the C2 server using encrypted HTTP POST requests. This exfiltration process is designed to be stealthy, making it difficult for security tools to detect the outgoing data. By leveraging legitimate communication channels, Tickler can avoid triggering traditional network defense mechanisms, allowing attackers to gather intelligence over extended periods without raising suspicion.
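Because the POST bodies described here are encrypted and the destination may be legitimate cloud infrastructure (see the C2 and Exfiltration items in the MITRE section), payload inspection and domain reputation give a defender little to work with; what remains is the shape of the traffic. The following is an added example, not code from the page or from Microsoft's reporting: it scores constructed proxy log lines for the two properties a covert POST channel tends to have, a regular cadence and far more bytes leaving than returning. The log format, hostnames, and thresholds are assumptions.

```python
"""Score HTTP POST sessions in proxy logs for beacon-like cadence and outbound volume."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log: "<ISO time> <src_ip> <method> <host> <bytes_out> <bytes_in> <status>"
SAMPLE_LOG = """\
2024-06-03T09:00:00Z 10.1.2.3 POST updates.c2.example 4210 310 200
2024-06-03T09:05:01Z 10.1.2.3 POST updates.c2.example 4098 305 200
2024-06-03T09:09:59Z 10.1.2.3 POST updates.c2.example 4377 312 200
2024-06-03T09:15:02Z 10.1.2.3 POST updates.c2.example 4190 308 200
2024-06-03T09:20:00Z 10.1.2.3 POST updates.c2.example 4302 301 200
2024-06-03T09:01:17Z 10.1.2.3 GET  www.example.com 512 48210 200
2024-06-03T09:02:44Z 10.1.2.3 POST www.example.com 2200 9100 200
2024-06-03T09:31:08Z 10.1.2.3 GET  cdn.example.org 420 120000 200
2024-06-03T09:44:51Z 10.1.2.3 POST www.example.com 1800 7300 200
2024-06-03T09:00:10Z 10.1.2.9 POST mail.example.net 9000 2200 200
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into typed fields."""
    ts, src, method, host, b_out, b_in, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src, "method": method, "host": host,
        "bytes_out": int(b_out), "bytes_in": int(b_in), "status": int(status),
    }


def find_beaconing_posts(log_text: str, min_posts: int = 4,
                         max_gap_cv: float = 0.15, min_out_in_ratio: float = 5.0):
    """Group POSTs by (source, host) and flag sessions that are both regular and lopsided.

    Regularity is measured as the coefficient of variation of inter-request gaps
    (standard deviation / mean); lopsidedness as total bytes out over bytes in.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "POST":
            sessions[(rec["src"], rec["host"])].append(rec)

    findings = []
    for (src, host), recs in sessions.items():
        if len(recs) < min_posts:
            continue  # too few requests to say anything about cadence
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        out_total = sum(r["bytes_out"] for r in recs)
        in_total = sum(r["bytes_in"] for r in recs) or 1  # avoid division by zero
        ratio = out_total / in_total
        if gap_cv <= max_gap_cv and ratio >= min_out_in_ratio:
            findings.append({"src": src, "host": host, "posts": len(recs),
                             "mean_gap_s": round(mean_gap, 1), "gap_cv": round(gap_cv, 3),
                             "out_in_ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for f in find_beaconing_posts(SAMPLE_LOG):
        print(f)
```

On the sample, only the five-minute POST train to `updates.c2.example` is reported; the browsing to `www.example.com` has too few POSTs and pulls down more than it sends. Treat the output as a triage queue rather than an alert: legitimate sync and update agents also beacon on a fixed schedule, so the next step is to pivot on the originating process and on whether the destination is a known service for that host.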
In addition to data exfiltration, Tickler malware can also facilitate further compromise by enabling lateral movement within the target network. By communicating with other systems on the network, it spreads to other devices, often using remote services or file-sharing protocols. This expansion of control is crucial for the attackers, as it allows them to infiltrate additional systems and steal more sensitive data or deploy other malicious tools.
The modular design of Tickler malware contributes to its adaptability and effectiveness. It can deliver additional payloads to the compromised systems, depending on the attacker’s goals. These payloads may include more advanced malware or tools designed to collect specific types of data, further enhance the attackers’ access, or disrupt network operations. This flexibility makes Tickler a versatile tool in the arsenal of cybercriminals and nation-state actors, capable of evolving in response to changing network environments.
MITRE Tactics and Techniques
1. Initial Access (T1071)
Phishing: Tickler malware is often delivered through decoy documents, such as PDFs that appear to be legitimate but contain embedded malicious payloads. These documents may be distributed via email or social engineering, leading to the first stage of compromise.
2. Execution (T1059)
Command and Scripting Interpreter (PowerShell, CMD): The malware executes commands within the system once the malicious payload is triggered. Tickler uses various techniques to run its code, potentially leveraging legitimate system processes to avoid detection.
3. Persistence (T1547)
Registry Run Keys / Startup Folder: Once executed, Tickler malware establishes persistence on the system by adding registry keys or creating scheduled tasks to ensure it re-executes upon reboot, facilitating continuous access for the attackers.
4. Privilege Escalation (T1088)
Exploitation of Vulnerability: While not directly mentioned in the specifics of Tickler, privilege escalation often follows once access is established. Attackers may seek to gain higher levels of access to the compromised system.
5. Credential Access (T1071)
Input Capture: As part of its functionality, Tickler malware collects information from the compromised network and sends it back to the command-and-control (C2) server. This could include user credentials, system details, and network configuration.
6. Command and Control (T1071)
Application Layer Protocol: Tickler uses HTTP POST requests to communicate with its C2 server, exfiltrating network information to orient itself and maintain control over the compromised system.
Cloud Storage and Remote Services: Peach Sandstorm’s use of compromised Azure accounts to host C2 infrastructure is an example of cloud-based command-and-control techniques (T1071).
7. Exfiltration (T1041)
Exfiltration Over Command and Control Channel: Tickler malware sends collected network data back to the attacker’s C2 infrastructure via HTTP POST requests. This exfiltration is key to Peach Sandstorm’s intelligence-gathering objectives.
8. Lateral Movement (T1071)
Remote File Copy and Remote Services: While this isn’t always explicitly mentioned for Tickler, lateral movement is implied as the malware may be used to move laterally across systems, especially if additional payloads are downloaded to extend the reach within a network.
9. Collection (T1074)
System Network Configuration Discovery: The malware collects information about the compromised network, such as system configuration and connected devices, to better inform the attackers about their targets’ infrastructure.