Introducing Infy: A Decade-Long Attack Campaign from Iran

Introducing Infy: A Decade-Long Attack Campaign from Iran

Security researchers have uncovered a major new targeted attack campaign dating back nearly a decade and likely to have originated from Iran.

Palo Alto Networks named this one “Infy” after the string appeared in multiple file names, C2 strings and C2 folder names.

It’s an incredibly focused campaign, limited in scope – which is why it has managed to stay under cover for so long, according to the US security vendor.

The research team first uncovered its existence after intercepting two emails carrying malicious documents – one Word, one PowerPoint – sent from a compromised Israeli Gmail account to an industrial organization in the same country.

Another email containing a Word doc with an identical hash was spotted heading to a US government inbox.

Those spear phishing emails worked by tricking the user into activating the malicious executable by hiding it behind the ‘Run’ button of a PowerPoint show.

Palo Alto explained the following in a blog post:

“The executable installs the DLL, writes to the autorun registry key, and doesn’t activate until a reboot. After reboot, it first checks for antivirus and then connects to the C2. It starts collecting environment data, initiates a keylogger, and steals browser passwords and content such as cookies, before exfiltrating the stolen data to the C2 server.”

A total of 12 first-party C&C servers were discovered, dating as far back as 2010, but the researchers found Infy samples from as early as mid-2007 and claimed that it may have been associated with malicious activity as far back as December 2004.

The black hat(s) behind the campaign put a great deal of effort into specific geo-targeting, with region-specific content, and have worked over the years to continuously improve and update the code, for example supporting Microsoft’s new Edge browser.

Working back from WHOIS records for the first-party domains used in the C&C infrastructure, Palo Alto discovered some common naming patterns hinting at an Iranian individual. Additionally, numerous neighboring IP addresses from known first-party C&Cs appeared to be Iranian, suggesting at least the involvement of a hosting reseller in the country.

“The low-volume of activity, deliberate campaign focus and content tailoring, and nature of targets hints at the goals of this actor,” Palo Alto concluded.

“We believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most of its existence as targeted espionage originating from Iran. It is aimed at governments and businesses of multiple nations as well as its own citizens.”

Source: Information Security Magazine