Organizations in the Defense Industrial Base (DIB) sector were targeted by Iranian threat actors as part of a campaign aimed at delivering a never-before-seen backdoor known as the FalseFont backdoor.
The findings come from Microsoft, which is tracking the activity under the weather-themed moniker Peach Sandstorm (formerly Holmium), also known as APT33, Elfin and Refined Kitten.
“FalseFont is a custom backdoor with a wide range of capabilities that allows operators to remotely access infected systems, launch other files, and send messages to its [command-and-control] server,” the Microsoft Threat Intelligence team said on X (formerly Twitter).
The first recorded use of this implant was in early November 2023.
The tech giant further said that the latest developments are consistent with Peach Sandstorm’s previous activity and indicate that the threat actor’s espionage tradecraft is constantly evolving.
In a report released in September 2023, Microsoft linked the group to password spraying attacks that targeted thousands of organizations around the world between February and July 2023. These intrusions mainly targeted the satellite, defense and pharmaceutical industries.
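The password-spraying activity Microsoft describes above has a recognisable shape in sign-in telemetry: one source tries one or a few passwords against many accounts, so a single IP produces failed sign-ins spread across many usernames with very few attempts per account, which is the opposite of a classic brute force against one account. The detector below is an added illustration written for this article, not Microsoft's or any vendor's tooling; the log format, the thresholds (10 distinct accounts, at most 3 failures per account, within a 30-minute window) and the sample records are all constructed assumptions.

```python
"""Password-spray detection over constructed sign-in records (added example).

Heuristic: within a time window, one source IP fails against MANY distinct
accounts with FEW attempts per account. A success from the same source after
the spray started is flagged separately, since that is the case that matters.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>".
# 203.0.113.7 sprays twelve accounts once each and then lands on user12;
# 198.51.100.5 is one user mistyping a password a few times (not a spray).
SAMPLE_LOG = "\n".join(
    [f"2023-06-14T09:{i:02d}:00Z 203.0.113.7 user{i:02d} FAIL" for i in range(12)]
    + [f"2023-06-14T09:{i:02d}:30Z 198.51.100.5 bob FAIL" for i in range(5)]
    + [
        "2023-06-14T09:06:00Z 198.51.100.5 bob SUCCESS",
        "2023-06-14T09:07:00Z 203.0.113.7 user12 SUCCESS",
    ]
)


def parse_line(line):
    """Parse one record into (timestamp, ip, account, result). Format is assumed."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=30),
                 min_accounts=10, max_per_account=3):
    """Return {ip: {accounts, max_per_account, success_after_spray}} for sources
    whose failures in any sliding window look like a spray. Thresholds are assumed."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, _, user, res in evs if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so fails[start:end+1] spans <= window.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                first_spray = fails[start][0]
                # A SUCCESS from this source after the spray began suggests a hit.
                hit = any(res == "SUCCESS" and ts >= first_spray
                          for ts, _, _, res in evs)
                prev = alerts.get(ip, {}).get("accounts", 0)
                if len(per_user) >= prev:
                    alerts[ip] = {
                        "accounts": len(per_user),
                        "max_per_account": max(per_user.values()),
                        "success_after_spray": hit,
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {info}")
```

Lowering the per-account threshold catches slower, more patient sprays at the cost of more false positives from shared NAT egress; in practice the source field would be enriched with ASN and known-proxy data before alerting.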
The ultimate goal, the company said, is to facilitate intelligence collection in support of Iran’s national interests. Peach Sandstorm is believed to have been active since at least 2013.
In an assessment of APT33 released in 2017, Google-owned Mandiant said the adversary “has shown particular interest” in aerospace organizations involved in military and commercial capabilities, as well as “organizations in the energy sector with ties to petrochemical production”.
The revelation comes as the Israel National Cyber Directorate (INCD) accused Iran and Hezbollah of an unsuccessful attempt to attack Ziv Hospital through hacker groups called Agrius and Lebanese Cedar.
The agency also disclosed details of a phishing campaign that used fake advisories about security flaws in F5 BIG-IP products as lures to deliver wiper malware to Windows and Linux systems.
The lure for this targeted attack was a critical authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) that was disclosed in late October 2023. The scale of the incident is currently unknown.