Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Old Iranian Spying Operation Resumes After Long Break

Following a two-year downtime, an Iran-linked cyberespionage operation has recommenced with new second-stage malware and with an updated variant of the Infy malware, according to joint research conducted by cybersecurity firms SafeBreach and Check Point.

Following a two-year downtime, an Iran-linked cyberespionage operation has recommenced with new second-stage malware and with an updated variant of the Infy malware, according to joint research conducted by cybersecurity firms SafeBreach and Check Point.

Evidence suggests the operation started as early as 2007 — it was one of the earliest Iranian campaigns discovered — but it was initially detailed in 2016, while the next year it also involved the use of a piece of malware called Foudre, which by 2018 had already been updated eight times.

Following a quiet period, the operation recommenced during the first half of 2020, with new versions of Foudre (versions 20-22) and new lure documents that were designed to execute the malicious code when closed. Once executed, Foudre connects to the command and control (C&C) server and fetches a new piece of malware, called Tonnerre.

The new malware, security researchers say, appears to have been designed to expand the capabilities of Foudre, but released as a separate component, most probably to be deployed only when needed.

Tonnerre, which camouflages itself as legitimate software, can steal files from the infected machines, can execute commands received from the C&C server, record sound, and capture screenshots.

The malware uses a DGA to connect to the C&C, which it then uses to store data about the victim, steal files, download updates, and get an additional C&C. Tonnerre uses both HTTP and FTP to communicate with the C&C server.

While investigating the operation, SafeBreach and Check Point identified two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3). Romania, Russia, India, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one victim each, but Iran had none.

“It seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities,” reads a blog post that contains extensive technical details on both Foudre and Tonnerre.

Advertisement. Scroll to continue reading.

Check Point last week reported that more than 1,200 Iranian citizens had been targeted in extensive cyber-surveillance operations backed by the Iranian government.

Related: Over 1,200 Iranians Targeted in Domestic Surveillance Campaign

Related: Iran-Linked ‘Silent Librarian’ Back at Phishing Universities

Related: U.S. Seizes More Domains Used by Iran for Disinformation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.