Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

After nearly five years of silence, an Iranian threat actor known as Infy (aka Prince of Persia) has resurfaced with new malware activity.

The threat group, one of the oldest advanced persistent threat (APT) actors in existence, has been targeting victims across Iran, Iraq, Turkey, India, and Canada, as well as Europe.

According to SafeBreach, the threat actor has been using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50) to extract data from high-value machines.

New Malware Variants and Tactics

The latest findings uncovered a covert campaign that shifted from macro-laced Microsoft Excel files to embedding an executable inside such documents to install Foudre.

The threat actor has also been using a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure more resilient.
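The article does not describe Infy's DGA, and the algorithm itself is not needed to hunt for it: the tell a DGA leaves in DNS telemetry is a burst of NXDOMAIN answers for random-looking names from one host. The following detection sketch is an added example (not from the article or from SafeBreach's report), run over constructed DNS log lines. It scores the registrable label on length, character entropy and vowel ratio, then flags clients with repeated failed lookups of generated-looking names. Field names, thresholds and the log format are assumptions; dictionary-based DGAs will slip past the entropy heuristic, so treat a hit as a triage signal rather than a verdict.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log lines (invented for this example, not from the
# article or from SafeBreach's report). Three queries from 10.0.0.7 look machine
# generated and return NXDOMAIN, the pattern a DGA leaves before a domain goes live.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A rcode=NOERROR
2024-05-01T10:00:02Z client=10.0.0.5 query=mail.example.org type=A rcode=NOERROR
2024-05-01T10:00:03Z client=10.0.0.7 query=xk3q9vz7tplm2.com type=A rcode=NXDOMAIN
2024-05-01T10:00:04Z client=10.0.0.7 query=q8wz4tnb6rkvx.net type=A rcode=NXDOMAIN
2024-05-01T10:00:05Z client=10.0.0.7 query=bt7xpq2mzv9wk.info type=A rcode=NXDOMAIN
2024-05-01T10:00:06Z client=10.0.0.9 query=update.microsoft.com type=A rcode=NOERROR
"""

# Assumed log layout: key=value fields, one query per line.
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+).*\brcode=(?P<rcode>\S+)")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def registrable_label(domain):
    """Naive second-level label (does not handle multi-part suffixes such as co.uk)."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels resemble DGA output.
    Dictionary-based DGAs defeat this check; it is a triage signal, not a verdict."""
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def find_dga_clients(log_text, min_hits=3):
    """Return {client: [domains]} for clients with at least min_hits NXDOMAIN answers
    to generated-looking names; bursts of such failures are the classic DGA tell."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["rcode"] == "NXDOMAIN" and looks_generated(registrable_label(m["query"])):
            hits[m["client"]].append(m["query"])
    return {client: domains for client, domains in hits.items() if len(domains) >= min_hits}


if __name__ == "__main__":
    for client, domains in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(domains)} DGA-like NXDOMAIN lookups, e.g. {domains[0]}")
```

In production the per-client count would be computed over a sliding time window and joined with proxy or EDR data; the `min_hits` threshold and the entropy cut-off need tuning against the organization's own baseline, since CDN and telemetry hostnames also look random.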

Foudre and Tonnerre artifacts are known to validate if the C2 domain is authentic by downloading an RSA signature file, which the malware then decrypts using a public key and compares with a locally-stored validation file.
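The practical consequence of that check for defenders is that predicting and registering a DGA domain does not let you capture or redirect the implant: without the operator's private key you cannot produce the signature file, and a signature copied from a genuine domain does not validate for a different one. The toy below is an added example, not code from the article or from the SafeBreach analysis, modelling the flow with textbook RSA on constructed, far-too-small keys. Binding the candidate domain into the signed value, the validation-file contents and the key sizes are assumptions of this model, not details reported about Foudre or Tonnerre.

```python
import hashlib

# Constructed toy RSA key pair: p and q are Mersenne primes (2^61-1 and 2^31-1), chosen
# only because their primality is certain. This is textbook RSA with no padding and a
# key far too small for real use; it exists to show the validation flow, nothing more.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537                                  # public exponent embedded in the implant
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held only by the operator

# Constructed stand-in for the locally stored validation file the implant compares against.
VALIDATION_FILE = b"constructed-validation-marker"


def expected_value(domain):
    """Value the implant expects to recover: a digest binding the candidate domain to the
    locally stored validation data (binding the domain in is this model's assumption)."""
    digest = hashlib.sha256(domain.lower().encode() + VALIDATION_FILE).digest()
    return int.from_bytes(digest, "big") % N


def operator_sign(domain):
    """What only the holder of D can produce: the contents of the signature file that a
    genuine C2 domain serves."""
    return pow(expected_value(domain), D, N)


def implant_validates(domain, signature_file_value):
    """Implant side: 'decrypt' the downloaded signature with the public key and compare
    the result with the locally derived validation value."""
    recovered = pow(signature_file_value, E, N)
    return recovered == expected_value(domain)


if __name__ == "__main__":
    genuine = "xk3q9vz7tplm2.com"            # constructed DGA-style name, not a real IoC
    sig = operator_sign(genuine)
    print("genuine domain accepted:", implant_validates(genuine, sig))
    # A defender-registered domain cannot serve a valid signature file, whether it
    # replays one taken from a genuine domain or fabricates a value.
    print("sinkhole with replayed signature:", implant_validates("sinkhole.example.net", sig))
    print("sinkhole with forged signature:", implant_validates("sinkhole.example.net", 424242))
```

This is why takedown efforts against such families focus on the infrastructure the operator actually controls and on host-based detection, rather than on pre-registering the domains the DGA will produce.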

Telegram Group and C2 Server

The latest version of Tonnerre includes a mechanism to contact a Telegram group (named “سرافراز,” meaning “proudly” in Persian) through the C2 server.

The group has two members: a Telegram bot “@ttestro1bot” that’s likely used to issue commands and collect data, and a user with the handle “@ehsan8999100.”

While the use of the messaging app for C2 is not uncommon, what’s notable is that the information about the Telegram group is stored in a file named “tga.adr” within a directory called “t” in the C2 server.

Older Variants and Tactics

SafeBreach has also discovered older variants used in Foudre campaigns between 2017 and 2020, including:

- A version of Foudre camouflaged as Amaq News Finder to download and execute the malware.
- A new version of a trojan called MaxPinner that is downloaded by the Foudre version 24 DLL to spy on Telegram content.
- A variant of malware called Deep Freeze which, similar to Amaq News Finder, is used to infect victims with Foudre.
- An unknown malware called Rugissement.

Conclusion

Despite appearing to have gone dark in 2022, the Prince of Persia threat actors have done quite the opposite, with critical details about their activities, C2 servers, and newly identified malware variants surfacing over the last three years.

The disclosure comes as DomainTools’ continued analysis of Charming Kitten leaks has painted the picture of a hacking group that functions more like a government department, while running “espionage operations with clerical precision.”

The threat actor has also been unmasked as behind the Moses Staff persona.
