Following a two-year downtime, an Iran-linked cyberespionage operation has recommenced with new second-stage malware and with an updated variant of the Infy malware, according to joint research conducted by cybersecurity firms SafeBreach and Check Point.
Evidence suggests the operation started as early as 2007 — it was one of the earliest Iranian campaigns discovered — but it was initially detailed in 2016, while the next year it also involved the use of a piece of malware called Foudre, which by 2018 had already been updated eight times.
Following a quiet period, the operation recommenced during the first half of 2020, with new versions of Foudre (versions 20-22) and new lure documents that were designed to execute the malicious code when closed. Once executed, Foudre connects to the command and control (C&C) server and fetches a new piece of malware, called Tonnerre.
The new malware, security researchers say, appears to have been designed to expand the capabilities of Foudre, but released as a separate component, most probably to be deployed only when needed.
Tonnerre, which camouflages itself as legitimate software, can steal files from the infected machines, can execute commands received from the C&C server, record sound, and capture screenshots.
The malware uses a DGA to connect to the C&C, which it then uses to store data about the victim, steal files, download updates, and get an additional C&C. Tonnerre uses both HTTP and FTP to communicate with the C&C server.
While investigating the operation, SafeBreach and Check Point identified two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3). Romania, Russia, India, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one victim each, but Iran had none.
“It seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities,” reads a blog post that contains extensive technical details on both Foudre and Tonnerre.
Check Point last week reported that more than 1,200 Iranian citizens had been targeted in extensive cyber-surveillance operations backed by the Iranian government.
Related: Over 1,200 Iranians Targeted in Domestic Surveillance Campaign
Related: Iran-Linked ‘Silent Librarian’ Back at Phishing Universities
Related: U.S. Seizes More Domains Used by Iran for Disinformation
More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
