An Iranian threat actor is targeting Defense Industrial Base (DIB) organizations as part of a campaign whose primary aim is to deliver a previously unseen backdoor known as "FalseFont". The information comes from Microsoft, which tracks the actor under the weather-themed moniker Peach Sandstorm (also known as APT33 and Elfin).
The Microsoft Threat Intelligence team posted on X (formerly Twitter) that "FalseFont is a custom backdoor with a wide range of functionalities. These functionalities allow operators to remotely access an infected system, launch additional files, and send information to its [command-and-control] servers."
The implant was first observed in early November 2023. The IT giant further says that this latest development shows how the threat actor's tradecraft continues to evolve, while remaining consistent with earlier Peach Sandstorm activity.
In a report released in September 2023, Microsoft linked the group to password spray attempts against thousands of organizations worldwide between February and July 2023. The intrusions mainly targeted the satellite, defense, and pharmaceutical sectors.
The company stated that the ultimate objective is to facilitate intelligence gathering in support of Iranian state goals. Peach Sandstorm is believed to have been active since at least 2013. The disclosure coincides with an announcement by the Israel National Cyber Directorate (INCD), which accused Iran and Hezbollah of unsuccessfully attempting to target Ziv Hospital through hacking crews tracked as Agrius and Lebanese Cedar.
The INCD also disclosed details of a phishing campaign that used a fake advisory for a security flaw in F5 BIG-IP products as a lure to deploy wiper malware on Windows and Linux systems. The bait is an authentication bypass vulnerability (CVE-2023-46747, CVSS score: 9.8) disclosed in late October 2023. It is not yet known how successful the campaign was.