ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

Administered by:

Server stats:

1.3K
active users

Good day everyone!

Microsoft brings us the with a threat group known as . Believed to be operating out of Iran the group deployed a new custom malware, the Tickler backdoor and it sounds like they conduct espionage campaigns.

Looking at the behaviors, we can see a tried and true persistence mechanism (throw your answer in the comments if you spotted it as well, its something I have mentioned too many times to count!) and then another technique used by many adversaries: drop a LEGIT remote monitoring and management (RMM) tool, in this case, AnyDesk. But I am going to leave you guessing where we are going with this one! Enjoy the article and Happy Hunting!

Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations

microsoft.com/en-us/security/b

Cyborg Security Intel 471

Microsoft Security Blog · Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations | Microsoft Security BlogBetween April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab […]
Just Another Blue Teamer

Thank you all for awaiting patiently for your Threat Hunt Tip of the Day! And here you go!

I am not going to touch on the Windows Registry Run key that was mentioned, I lost track of how many times I shared that hunt package, even though it still proves to be useful, but what I will talk about are RMM tools. This list consists of tools like AnyDesk (seen in the Microsoft article), TeamViewer, AteraAgent, and many more!

How do you approach this? Hopefully you have an inventory and hopefully you have an application allow-list. If you have both of these, its a great start, but if you are like some organizations and living in the wild-west, it might be tougher. I would simply create a list of all the RMMs out there that have been abused by threat actors and search for them in your environment. Compare that to the software inventory if you have it and compare that to the application allow-list (if you have that as well) and then see what your data is telling you. This could be a quick win, especially if you see AnyDesk floating around your environment but no one approved it! Well, what are you waiting for? Go get those items and get hunting! Happy Hunting!

Nice little resource for RMMs from Red Canary!
redcanary.com/threat-detection

Cyborg Security Intel 471

Red CanaryRMM Tools - Red Canary Threat Detection ReportAdversary abuse of RMM tools attracted extra attention in 2023, due in part to at least one prolific adversary.