Domain name generator algorithm

The Infy Iranian threat group is probably the most persistent and active Iranian APT ever discovered, operating since 2007. Infy starts an attack by infecting a victim with Foudre (lightning in French), which collects data from the victim's machine and exfiltrates it to the C2 server. If the victim is found to be interesting, a second piece of malware called Tonnerre (thunder in French) is installed. Tonnerre includes additional spying capabilities such as a reverse shell and voice recording using the microphone on the victim's machine.

Foudre and Tonnerre use a domain generation algorithm (DGA) to produce their C2 domain names on the fly. The technique is used because malware that depends on a fixed domain or IP address can be quickly blocked; rather than producing a new version of the malware or setting everything up again on a new server, the malware switches to a new domain at regular intervals.

SafeBreach Labs developed a generic method for breaking Foudre's DGA. Using this method, we discovered "ROV4", a new DGA prefix used by a previously unknown executable version of Foudre (probably version 25 and above). This relatively new sample has probably only been in use since July 7, 2021. With SafeBreach's generic method, we were able to predict future C2 domains even before finding the new samples that connect to them.

Through our method we discovered active C2 servers for both Foudre and Tonnerre. We also discovered a Tonnerre version 15 binary, which is the most recent version of Tonnerre. The Iranians have recently changed their infection strategy and now infect all victims with both Foudre and Tonnerre (except for victims' machines that run security controls which pose a threat to Tonnerre, such as Kaspersky Anti-Virus and Deep Freeze). We were able to identify two Iranian victims infected with both Foudre and Tonnerre and a third, unknown victim infected with Foudre.

Infy's persistence is well documented. In earlier research, Palo Alto Networks revealed that its first campaign started in 2007. According to research presented at Black Hat 2016, the group tried to regain control over its lost victims' endpoints by manipulating traffic at the central Iranian network company and redirecting the Iranian victims' sinkholed traffic to a new C2 server. In 2017, following the lessons learned from the takeover of its C2 servers, the adversary changed its malware arsenal to include a DGA, which was discovered in August of that year. This time the internal name the adversary chose for the malware was Foudre.
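The rotation mechanism described above, as an added example that is not SafeBreach's code and not Foudre's or Tonnerre's real algorithm (the weekly period, the 2020-01-01 epoch, the SHA-256 label scheme, the TLD list and the prefix "EXMPL" are all assumptions made for illustration): the implant derives the current domain from a date counter, a defender who has recovered the algorithm enumerates the coming periods' domains to block or sinkhole them in advance, and the same generator is run over constructed DNS log lines to flag hosts querying them, including one whose clock still sits in the previous period.

```python
"""Illustrative time-seeded DGA with a defender-side predictor and DNS-log matcher.

Added example for this page. It is NOT Foudre's or Tonnerre's real algorithm
and not SafeBreach's code: the seed scheme, epoch, hash, label format, TLD
list and the prefix "EXMPL" are hypothetical. It shows the mechanism the page
describes: implant and operator derive the same domain from the current date,
so the name rotates every period, and anyone who recovers the algorithm can
enumerate future domains ahead of time.
"""
import datetime as dt
import hashlib

# Hypothetical parameters (assumptions, not Foudre constants).
EPOCH = dt.date(2020, 1, 1)      # day zero of the rotation counter
PERIOD_DAYS = 7                  # one new domain set per week
TLDS = ("space", "net", "top")   # the implant tries each in order


def period_index(day_iso: str, period_days: int = PERIOD_DAYS) -> int:
    """Rotation period number for an ISO date (YYYY-MM-DD)."""
    day = dt.date.fromisoformat(day_iso)
    return (day - EPOCH).days // period_days


def generate_domain(prefix: str, day_iso: str, tld_pos: int = 0,
                    period_days: int = PERIOD_DAYS) -> str:
    """Implant side: the domain for the period containing day_iso.

    Label = lowercased prefix + first 8 hex chars of SHA-256("prefix|period").
    Hashing the period counter rather than the date makes every day in the
    same period map to the same name.
    """
    idx = period_index(day_iso, period_days)
    digest = hashlib.sha256(f"{prefix}|{idx}".encode()).hexdigest()
    return f"{prefix.lower()}{digest[:8]}.{TLDS[tld_pos % len(TLDS)]}"


def candidates_for_period(prefix: str, idx: int, period_days: int = PERIOD_DAYS) -> list:
    """All names the implant would try in period idx (one per TLD)."""
    day = EPOCH + dt.timedelta(days=idx * period_days)
    return [generate_domain(prefix, day.isoformat(), i, period_days)
            for i in range(len(TLDS))]


def predict_future_domains(prefix: str, from_day_iso: str, n_periods: int,
                           period_days: int = PERIOD_DAYS) -> list:
    """Defender side: domains for the current and the next n_periods-1 periods.

    This is the list to pre-register, sinkhole or block before the implant
    ever resolves it.
    """
    start = period_index(from_day_iso, period_days)
    out = []
    for idx in range(start, start + n_periods):
        out.extend(candidates_for_period(prefix, idx, period_days))
    return out


def match_dns_log(prefix: str, log_lines: list, day_iso: str,
                  slack_periods: int = 1, period_days: int = PERIOD_DAYS) -> list:
    """Detection: (client, qname) pairs whose qname is a DGA domain.

    Domains for the previous/next `slack_periods` periods are included too, so
    a query from a host with a skewed clock at a period boundary still hits.
    Log format (constructed): '<timestamp> <client-ip> <qname>'.
    """
    centre = period_index(day_iso, period_days)
    expected = set()
    for idx in range(centre - slack_periods, centre + slack_periods + 1):
        expected.update(candidates_for_period(prefix, idx, period_days))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname in expected:
            hits.append((client, qname))
    return hits


# Constructed DNS log: a benign query, a DGA query for the current period,
# one for the previous period (clock skew) and an unrelated lookalike.
SAMPLE_DAY = "2021-07-07"
SAMPLE_LOG = [
    "2021-07-07T08:00:01Z 10.0.0.7 updates.example.com",
    f"2021-07-07T08:00:02Z 10.0.0.5 {generate_domain('EXMPL', SAMPLE_DAY)}",
    f"2021-07-07T08:00:03Z 10.0.0.9 {generate_domain('EXMPL', '2021-06-30', 1)}",
    "2021-07-07T08:00:04Z 10.0.0.7 exmpl00000000.space",
]

if __name__ == "__main__":
    for d in predict_future_domains("EXMPL", SAMPLE_DAY, 3):
        print("block/sinkhole:", d)
    print("hits:", match_dns_log("EXMPL", SAMPLE_LOG, SAMPLE_DAY))
```

The point the page makes is visible in `predict_future_domains`: once the algorithm and the prefix ("ROV4" in the real case) are recovered, every future domain is known before any sample that uses it is found. A caveat: this toy seeds only from the date, so the defender can predict everything; real DGAs sometimes mix in a seed the defender cannot know in advance, which is why the extra work of breaking the seed source matters.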