Good day everyone!

Microsoft brings us the #readoftheday with a threat group known as #PeachSandstorm. Believed to be operating out of Iran, the group deployed a new custom malware, the Tickler backdoor, and it sounds like they conduct espionage campaigns.

Looking at the behaviors, we can see a tried and true persistence mechanism (throw your answer in the comments if you spotted it as well, it's something I have mentioned too many times to count!) and then another technique used by many adversaries: drop a LEGIT remote monitoring and management (RMM) tool, in this case, AnyDesk. But I am going to leave you guessing where we are going with this one! Enjoy the article and Happy Hunting!

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  • Just Another Blue Teamer@ioc.exchange (OP) · 3 months ago

    Thank you all for waiting patiently for your Threat Hunt Tip of the Day! And here you go!

    I am not going to touch on the Windows Registry Run key that was mentioned, I lost track of how many times I shared that hunt package, even though it still proves to be useful, but what I will talk about are RMM tools. This list consists of tools like AnyDesk (seen in the Microsoft article), TeamViewer, AteraAgent, and many more!

    How do you approach this? Hopefully you have an inventory and hopefully you have an application allow-list. If you have both of these, it's a great start, but if you are like some organizations and living in the wild-west, it might be tougher. I would simply create a list of all the RMMs out there that have been abused by threat actors and search for them in your environment. Compare that to the software inventory if you have it and compare that to the application allow-list (if you have that as well) and then see what your data is telling you. This could be a quick win, especially if you see AnyDesk floating around your environment but no one approved it! Well, what are you waiting for? Go get those items and get hunting! Happy Hunting!

    Nice little resource for RMMs from Red Canary!
    https://redcanary.com/threat-detection-report/trends/rmm-tools/

    Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting #huntoftheday
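
The comparison described in the comment above (RMM watchlist against process telemetry, software inventory and allow-list), as an added example that is not part of the original post or the Microsoft article. The hosts, paths, allow-list and inventory are constructed sample data, and the `original_file_name` column assumes your telemetry records the binary's embedded original name (for example Sysmon's OriginalFileName field), which lets the hunt also catch a renamed RMM binary.

```python
import csv
import io

# RMM tools named in the post; extend with other RMMs known to be abused.
RMM_WATCHLIST = {"anydesk": "AnyDesk", "teamviewer": "TeamViewer", "ateraagent": "AteraAgent"}

# Constructed sample telemetry (hypothetical hosts and paths, not from the article).
PROCESS_EVENTS = r"""host,image,original_file_name
WS-014,C:\Program Files (x86)\TeamViewer\TeamViewer.exe,TeamViewer.exe
WS-022,C:\Users\Public\AnyDesk.exe,AnyDesk.exe
SRV-03,C:\ProgramData\svchost_update.exe,AnyDesk.exe
WS-031,C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe,AteraAgent.exe
WS-031,C:\Windows\System32\notepad.exe,NOTEPAD.EXE
"""
ALLOW_LIST = {"TeamViewer"}  # constructed: tools approved for use
INVENTORY = {"WS-014": {"TeamViewer"}, "WS-031": {"AteraAgent"}}  # constructed: per-host software


def stem(name):
    """Lower-cased file name without directory or extension."""
    return name.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def hunt(events_csv, allow_list, inventory):
    """Return (host, tool, verdict, renamed) for every RMM execution seen."""
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        on_disk, embedded = stem(row["image"]), stem(row["original_file_name"])
        tool = RMM_WATCHLIST.get(on_disk) or RMM_WATCHLIST.get(embedded)
        if tool is None:
            continue
        approved = tool in allow_list
        inventoried = tool in inventory.get(row["host"], set())
        if approved and inventoried:
            verdict = "expected"
        elif approved:
            verdict = "approved-not-inventoried"
        elif inventoried:
            verdict = "inventoried-not-approved"
        else:
            verdict = "unapproved"
        # A watchlist hit only on the embedded name means the binary was renamed on disk.
        renamed = on_disk not in RMM_WATCHLIST
        findings.append((row["host"], tool, verdict, renamed))
    return findings


if __name__ == "__main__":
    for finding in hunt(PROCESS_EVENTS, ALLOW_LIST, INVENTORY):
        print(finding)
```

Triage the `unapproved` rows first, then any row with `renamed` set, since an approved tool running under a different file name still deserves a look.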