The Infy malware, a long running threat from Iran

Researchers at Palo Alto Networks have come across a new threat used by alleged Iran-linked Hackers in attacks since 2007.

Security experts at Palo Alto Networks discovered a new malware, named Infy, that has been likely used by hackers from Iran in cyber espionage operations at least since 2007.

The researchers discovered the Infy malware in May, it was used by threat actors in spear phishing attacks. In one case the malicious emails were sent from a compromised Israeli Gmail account to an industrial organization in Israel, a similar message was received in the same period by a US government organization.

“Based on various attributes of these files and the functionality of the malware they install, we have identified and collected over 40 variants of a previously unpublished malware family we call Infy, which has been involved in attacks stretching back to 2007. Attacks using this tool were still active as of April 2016.” states the analysis published by Palo Alto Networks on the Infy malware. based on a string used by the threat actor in filenames and command and control (C&C) folder names and strings.

The name Infy malware is based on a string used by the VXer in filenames and command and control (C&C) folder names and strings.

The Infy malware was first submitted to VirusTotal on August 2007, meanwhile, the C&C domain used by the oldest sample spotted by the experts has been associated with a malicious campaign dated back December 2004.

The malware evolved over the years, the authors improved it by implementing new features such as support for the Microsoft Edge web browser that was introduced in the version 30.

The activity of the threat actor increased after 2011 and according to the experts it is still ongoing.

According to the researchers from Palo Alto Networks, the Infy malware was used in surgical operations, making hard the investigations of the experts that were not able to link the various incidents.

“We believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most of its existence as targeted espionage originating from Iran. It is aimed at governments and businesses of multiple nations as well as its own citizens.” continues Palo Alto Networks.

The experts Researchers identified 12 domains used by the threat actors as C&C servers. Some of the C&C servers were also reported in a detailed analysis published by the Danish Defense Intelligence Service’s Center for Cybersecurity, which had spotted similar attacks against Danish Government targets.

 

The analysis of WHOIS information and IP addresses associated with the C&C domains suggests that the threat actors have Iranian origin.

“The “aminjalali_58 (at) yahoo.com” email address is associated with 6 known C2 domains, dating back to 2010. Unlike the fake WHOIS examples, this example has content more consistent with the email address:”

amin jalali
safehostonline
afriqa street number 68
tehran
Tehran
19699
IR
+98.935354252
aminjalali_58 (at) yahoo.com

“The name “Amin Jalali” is not unique, though it does appear to have Iranian-specific origins.” states Palo Alto Networks.

Security experts believe that Iranian hackers are rapidly improving their cyber capabilities, they observed a significant evolution after the Stuxnet attacks in 2010.

The activity of Iranian hackers is increased in a significant way in the last couple of years, in December 2015 Symantec has uncovered the Cadelle and Chafer groups, two Iran-based hacker teams that were tracking dissidents and activists, in November 2015,

Facebook first discovered spear phishing attacks of Iranian hackers on State Department employees, in December 2014 hackers used a Visual Basic malware to wipe out data of corporate systems at Las Vegas Sands Corp.

Probably the most blatant operation conducted by Iranian hackers is the one that hit computer systems at the oil company Saudi Aramco.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Iranian hackers,  hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]