Following a two-year downtime, an Iran-linked cyberespionage operation has recommenced with new second-stage malware and with an updated variant of the Infy malware, according to joint research conducted by cybersecurity firms SafeBreach and Check Point.
Evidence suggests the operation started as early as 2007 — it was one of the earliest Iranian campaigns discovered — but it was initially detailed in 2016, while the next year it also involved the use of a piece of malware called Foudre, which by 2018 had already been updated eight times.
Following a quiet period, the operation recommenced during the first half of 2020, with new versions of Foudre (versions 20-22) and new lure documents that were designed to execute the malicious code when closed. Once executed, Foudre connects to the command and control (C&C) server and fetches a new piece of malware, called Tonnerre.
The new malware, security researchers say, appears to have been designed to expand the capabilities of Foudre, but released as a separate component, most probably to be deployed only when needed.
Tonnerre, which camouflages itself as legitimate software, can steal files from the infected machines, can execute commands received from the C&C server, record sound, and capture screenshots.
The malware uses a DGA to connect to the C&C, which it then uses to store data about the victim, steal files, download updates, and get an additional C&C. Tonnerre uses both HTTP and FTP to communicate with the C&C server.
While investigating the operation, SafeBreach and Check Point identified two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3). Romania, Russia, India, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one victim each, but Iran had none.
“It seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities,” reads a blog post that contains extensive technical details on both Foudre and Tonnerre.
Check Point last week reported that more than 1,200 Iranian citizens had been targeted in extensive cyber-surveillance operations backed by the Iranian government.