Defenders should look for an archive file named Network Security.zip containing the .exe and Tickler malware, and a Trojan dropper named sold.dll.
Here’s another example of Peach Sandstorm tactics described by Microsoft: after compromising a European security organization, the group moved laterally using the Windows SMB (Server Message Block) protocol. This protocol, used to share files, printers, and other resources on a network, has been abused by many malicious actors. Microsoft provides this advice to network administrators to prevent SMB from being used as an attack tool.
In another attack, against a satellite operator based in the Middle East, Peach Sandstorm compromised a user with a malicious ZIP file delivered via a Microsoft Teams message, followed by crashing Active Directory (AD) Explorer and taking an AD snapshot. An AD snapshot is a read-only, point-in-time copy of the AD database and related files, which administrators use for legitimate management tasks. Such snapshots can also be used by threat actors for malicious purposes.
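The file names the report gives defenders (Network Security.zip, sold.dll, the Tickler family name) and the AD Explorer snapshot behaviour can be turned into a simple hunt over endpoint telemetry. The following is an added example, not code from the original article or from Microsoft: it scans constructed file-creation and process-creation log lines for those indicators and tags each hit. The log format and host names are invented, and the `-snapshot` command-line form used to spot AD Explorer snapshot creation is an assumption, not something the article states.

```python
import re
from dataclasses import dataclass

# File-based indicators named in the report (matched case-insensitively).
FILE_INDICATORS = {
    "tickler_archive": re.compile(r"network security\.zip", re.IGNORECASE),
    "tickler_dropper": re.compile(r"\bsold\.dll\b", re.IGNORECASE),
    "tickler_malware": re.compile(r"\btickler", re.IGNORECASE),
}

# Behavioural indicator (assumption): AD Explorer invoked with a snapshot switch.
# The article only says a snapshot was taken; the command-line form is assumed here.
AD_SNAPSHOT = re.compile(r"adexplorer(?:\.exe)?\b.*-snapshot", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int      # 1-based position in the scanned log
    indicator: str    # which indicator fired
    line: str         # the raw log line, for the analyst


def scan(lines):
    """Return one Hit per (line, indicator) pair that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in FILE_INDICATORS.items():
            if pattern.search(line):
                hits.append(Hit(n, name, line))
        if AD_SNAPSHOT.search(line):
            hits.append(Hit(n, "ad_snapshot", line))
    return hits


def summarize(hits):
    """Count hits per indicator so a triage view can rank what fired."""
    counts = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


# Constructed sample telemetry: two benign lines mixed with three suspicious ones.
SAMPLE_LOG = [
    r'2024-08-28T09:12:03Z host=WS-017 event=FileCreate path=C:\Users\jdoe\Downloads\Network Security.zip',
    r'2024-08-28T09:12:40Z host=WS-017 event=ModuleLoad image=C:\Windows\System32\rundll32.exe module=C:\Users\jdoe\AppData\Local\Temp\sold.dll',
    r'2024-08-28T09:31:18Z host=WS-017 event=ProcessCreate image=C:\Tools\ADExplorer.exe cmdline="ADExplorer.exe -snapshot "" C:\Users\Public\ad.dat"',
    r'2024-08-28T09:32:00Z host=WS-017 event=ProcessCreate image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
    r'2024-08-28T09:33:11Z host=WS-017 event=FileCreate path=C:\Users\jdoe\Documents\Network Security Policy.docx',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator}")
    print(summarize(scan(SAMPLE_LOG)))
```

The last two sample lines show that a similarly named document and an ordinary Office process do not fire; the `\b` anchors and the `.zip`/`.dll` suffixes keep the file-name patterns from matching on partial words.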