Iranian Cyber Groups Spying on Dissidents & Others of Interest to Government

A new investigation of two known threat groups shows cyber actors are spying on mobile devices and PCs belonging to targeted users around the world.

The Iranian government is continuing to actively spy on the mobile phones and PCs of dissidents and other individuals thought to be of interest to the regime, a new Check Point Research investigation of two Iran-based cyber-threat groups has revealed.


One of the groups, called Infy, has been operating since at least 2007 and has been associated with attacks targeting Persian-language media, diplomatic targets, and Iranian dissidents in multiple countries, including the United States, Canada, and Germany.


Infy's modus operandi has been to install surveillance malware on PCs belonging to targeted individuals and collect a wide range of information from them, including contact information, sensitive data, voice recordings, and image captures. Infy ceased operations briefly between mid-2016 and mid-2017 after researchers from Palo Alto took down the group's command-and-control (C2) infrastructure and, with it, the group's ability to communicate with its victims.


Infy was spotted again in August 2017, this time distributing new data-stealing malware, dubbed Foudre, via spear-phishing emails containing a malicious, self-executable attachment. Check Point's new research, conducted in collaboration with SafeBreach Labs, shows that Infy updated Foudre again in 2020, so that once the malware is installed on a system it connects to a C2 server and downloads a second-stage payload, called Tonnerre.


According to Check Point, the malware's capabilities include stealing files from predefined folders and external devices, executing malicious commands remotely, recording sound, and making screen captures. The threat actors have been using several lures to get targeted individuals to install the malware on their PCs. Examples include a document purporting to be from the go ..
