Following a two-year downtime, an Iran-linked cyberespionage operation has recommenced with new second-stage malware and with an updated variant of the Infy malware, according to joint research conducted by cybersecurity firms SafeBreach and Check Point.
Evidence suggests the operation started as early as 2007 -- it was one of the earliest Iranian campaigns discovered -- but it was initially detailed in 2016, while the next year it also involved the use of a piece of malware called Foudre, which by 2018 had already been updated eight times.
Following a quiet period, the operation recommenced during the first half of 2020, with new versions of Foudre (versions 20-22) and new lure documents that were designed to execute the malicious code when closed. Once executed, Foudre connects to the command and control (C&C) server and fetches a new piece of malware, called Tonnerre.
The new malware, security researchers say, appears to have been designed to expand the capabilities of Foudre, but released as a separate component, most probably to be deployed only when needed.
Tonnerre, which camouflages itself as legitimate software, can steal files from the infected machines, can execute commands received from the C&C server, record sound, and capture screenshots.
The malware uses a DGA to connect to the C&C, which it then uses to store data about the victim, steal files, download updates, and get an additional C&C. Tonnerre uses both HTTP and FTP to communicate with the C&C server.
While investigating the operation, SafeBreach and Check Point identified two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3). Romania, Russia, India, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one ..
Support the originator by clicking the read the rest link below.
