Peach Sandstorm [1] [2] [3] [5], also known as APT33 [4] [5], Elfin [1] [3] [4], and Refined Kitten [1] [3] [4], is an Iranian cyber-espionage group that has recently targeted organizations in the Defense Industrial Base (DIB) sector. This group aims to gather intelligence in support of Iranian state interests [1].
Description
Peach Sandstorm has been using a new backdoor malware called FalseFont to gain remote access to compromised systems and execute additional files. They also send information to command-and-control servers [1]. This campaign is part of a larger operation that includes password spray attacks on sectors such as satellite, defense [1] [3] [4] [5], and pharmaceutical [1] [3] [4] [5]. Microsoft Threat Intelligence team discovered the FalseFont backdoor in November 2023 [3], which allows threat actors to hack Microsoft’s Windows operating system [2]. Microsoft has been observing Peach Sandstorm for a year [2], indicating ongoing development of their custom backdoor [2]. The Microsoft Threat Intelligence team is actively investigating Peach Sandstorm’s activities through Microsoft Defender XDR [2].
In addition to Peach Sandstorm, the Israel National Cyber Directorate (INCD) has accused Iran and Hezbollah of attempting to hack Ziv Hospital [1] [3] [4]. The hacking crews involved in this operation are known as Agrius and Lebanese Cedar. The INCD has also disclosed a phishing campaign that exploits a security flaw in F5 BIG-IP products [1]. This campaign delivers wiper malware to Windows and Linux systems [1] [3] [4], using a fake advisory as bait. It takes advantage of an authentication bypass vulnerability (CVE-2023-46747) discovered in late October 2023 [1] [3] [4].
Conclusion
The discovery of the FalseFont backdoor and the ongoing activities of Peach Sandstorm highlight the evolving methods and capabilities of this Iranian threat actor. The size of the phishing campaign is currently unknown [3], but it is important to recognize the impacts and potential risks associated with these cyber-espionage activities. Continued vigilance and proactive measures are necessary to mitigate the threats posed by Peach Sandstorm and other similar threat actors in the future.
References
[1] https://thehackernews.com/2023/12/microsoft-warns-of-new-falsefont.html
[2] https://cybersecuritynews.com/iranian-hackers-developed-a-new-backdoor-to-hack-windows/
[3] https://infosecbulletin.com/new-falsefont-backdoor-target-defense-sector/
[4] https://blog.bughunters.am/en/microsoft-warns-of-new-falsefont-backdoor-targeting-the-defense-sector/
[5] https://healsecurity.com/hackers-target-defense-firms-with-new-falsefont-malware/
