Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector

Peach Sandstorm, also recognized as HOLMIUM, has recently focused on global Defense Industrial Base (DIB) targets.

In its latest campaign, Iranian state-backed hackers, Peach Sandstorm, employs FalseFont backdoor for intelligence gathering on behalf of the Iranian government.

Cybersecurity researchers at Microsoft Threat Intelligence Unit have uncovered the latest activities of the Iranian nation-state actor Peach Sandstorm, also known as HOLMIUM. The group has been making efforts to deploy a newly developed backdoor called FalseFont, specifically targeting individuals within the Defense Industrial Base (DIB).

This disclosure follows Microsoft’s earlier findings, outlined in a September 2023 blog post, where Peach Sandstorm was identified as targeting sectors such as satellites and pharmaceuticals on a global scale.

Iran's Peach Sandstorm APT Targeting Defense Sector with FalseFont Backdoor
Identity attack lifecycle of Peach Sandstorm as of September 2023 (Microsoft)

Microsoft’s investigative team believes that Peach Sandstorm is actively pursuing intelligence gathering for the Iranian government, aligning their actions with state interests.

According to Microsoft’s tweets shared today, FalseFont stands out as a custom backdoor equipped with a diverse set of functionalities. These capabilities enable operators to gain remote access to compromised systems, execute additional files, and transmit information to its Command and Control (C2) servers. The first instances of FalseFont in action were detected against targets in early November 2023.

The development and deployment of FalseFont showcase a consistent evolution in Peach Sandstorm’s tactics, a trend observed by Microsoft over the past year. This suggests a continuous effort by Peach Sandstorm to enhance their tradecraft.

It’s worth noting that Microsoft Defender Antivirus already detects FalseFont as Backdoor:MSIL/FalseFont.A!dha. Although Microsoft is monitoring Peach Sandstorm’s activities, unsuspecting users should be on the lookout for phishing and social engineering attacks that may be employed by Peach Sandstorm to spread the FalseFont backdoor.

Here are some key points to follow for protection against phishing and social engineering attacks that may deliver the FalseFont backdoor to your device:

  • Be Skeptical of Emails: Exercise caution when receiving unexpected emails, especially those containing suspicious attachments or links. Verify the sender’s legitimacy before interacting with any content, as FalseFont often infiltrates systems through phishing emails.
  • Update Security Software: Ensure that your antivirus and anti-malware software are up-to-date. Regularly install security patches and updates to safeguard against vulnerabilities that attackers might exploit to deliver the FalseFont backdoor.
  • Verify Email Addresses: Double-check email addresses, particularly in communication related to sensitive information or financial transactions. FalseFont attackers often use deceptive email addresses to mimic legitimate entities.
  • Use Multi-Factor Authentication (MFA): Implement MFA for all relevant accounts to add an extra layer of security. Even if credentials are compromised, MFA can prevent unauthorized access, reducing the risk of FalseFont infiltration.
  • Employee Training: Conduct regular phishing awareness training for employees to recognize and report suspicious emails. Educate them about the tactics used by attackers to deploy FalseFont and emphasize the importance of staying alert.

Guarding Against Social Engineering Attacks Delivering FalseFont:

  • Verify Caller Identity: Be cautious when receiving unexpected calls or messages, especially those requesting sensitive information. Verify the identity of the caller independently before sharing any personal or confidential details.
  • Beware of Urgency: Social engineering attacks often create a sense of urgency or emergency. Be sceptical of requests demanding immediate action, and take time to independently verify the legitimacy of such communications to avoid falling victim to FalseFont.
  • Limit Information Sharing on Social Media: Minimize the amount of personal and professional information shared on social media platforms. Attackers may use publicly available details for targeted social engineering attacks, leading to the deployment of the FalseFont backdoor.
  • Educate on Social Engineering Tactics: Provide training on social engineering tactics and red flags associated with deceptive communication. Awareness about manipulation techniques helps users identify and thwart attempts to deliver FalseFont through social engineering.
  • Regularly Review Privacy Settings: Periodically review and adjust privacy settings on online accounts and social media platforms. Restricting access to personal information reduces the chances of attackers gathering details for crafting convincing social engineering attacks and deploying FalseFont.

  1. Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware
  2. Some social engineering & Facebook will gift your account to hackers
  3. Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
  4. Iranian Stalkerware ‘Spyhide’ Steals Data from 60,000 Android Devices
  5. Iran’s MuddyWater Group Hits Israelis with Fake Memo Spear-Phishing
Related Posts