The advanced persistent threat actor Infy has been active for over two decades, making it one of the oldest known hacking groups associated with Iran. Despite its long history, the group has managed to remain largely under the radar compared to other prominent state-sponsored entities. Recent analysis shows that the group is currently targeting victims in various regions including India, Canada, Iraq, Turkey, and Europe. This indicates a significant scale of activity that exceeds previous estimates regarding their reach and persistence.
The group primarily utilizes two specific types of malware known as Foudre and Tonnerre. Foudre serves as a downloader and profiler to identify high-value targets, while Tonnerre acts as a second-stage implant designed to extract sensitive data. Recent shifts in their tactics show a move away from macro-enabled files toward embedding executables directly within documents. This evolution demonstrates a concerted effort to bypass modern security defenses and maintain access to compromised systems.
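A triage check for the document-embedding tactic described above, added here as an example and not code from the original article: it builds a constructed, `.docx`-shaped archive in memory and flags embedded objects that carry a PE header (either directly or wrapped in an OLE compound file), alongside a VBA project, so an analyst can tell the macro-based and executable-embedding variants apart at intake. The function names (`scan_document`, `triage`) and the sample archives are assumptions for illustration; the heuristics are deliberately simple and a full parser would use a proper OLE library.

```python
import io
import zipfile

PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # compound-file (OLE) header
DOS_STUB = b"This program cannot be run in DOS mode"  # present in nearly every PE


def build_sample_docx(embed_pe: bool = False, wrap_in_ole: bool = False,
                      include_macro: bool = False) -> bytes:
    """Constructed sample archive shaped like a .docx, for offline testing only."""
    fake_pe = PE_MAGIC + b"\x90" * 62 + DOS_STUB + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if embed_pe:
            # Embedded objects usually arrive as an OLE container around the payload.
            blob = OLE_MAGIC + b"\x00" * 504 + fake_pe if wrap_in_ole else fake_pe
            z.writestr("word/embeddings/oleObject1.bin", blob)
        if include_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def scan_document(data: bytes) -> dict:
    """Heuristic scan of an OOXML archive for a macro project and embedded executables."""
    findings = {"macro_project": False, "embedded_pe": [], "embedded_ole": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            blob = z.read(name)
            if lower.endswith("vbaproject.bin"):
                findings["macro_project"] = True
            if "/embeddings/" not in lower:
                continue
            # Raw PE, or OLE container whose body carries the PE DOS stub string.
            if blob.startswith(PE_MAGIC) or (blob.startswith(OLE_MAGIC) and DOS_STUB in blob):
                findings["embedded_pe"].append(name)
            elif blob.startswith(OLE_MAGIC):
                findings["embedded_ole"].append(name)
    return findings


def triage(data: bytes) -> str:
    """Map findings to a verdict: executables are blocked, macros/OLE go to review."""
    f = scan_document(data)
    if f["embedded_pe"]:
        return "block"
    if f["macro_project"] or f["embedded_ole"]:
        return "review"
    return "clean"


if __name__ == "__main__":
    for kwargs in ({}, {"include_macro": True}, {"embed_pe": True},
                   {"embed_pe": True, "wrap_in_ole": True}):
        sample = build_sample_docx(**kwargs)
        print(kwargs, "->", triage(sample), scan_document(sample))
```

The point of separating `embedded_pe` from `macro_project` is that mail-gateway rules tuned to block macro-enabled files say nothing about a document whose `word/embeddings/` entry is an executable; both signals need to be checked.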
One of the most distinctive features of this group’s recent activity is the use of a domain generation algorithm to ensure the resilience of their command and control infrastructure. The malware also employs a rigorous validation process using RSA signatures to confirm that it is communicating with an authentic server. By downloading and decrypting these signature files, the malware can verify that a domain is authorized before proceeding with data exfiltration or receiving new commands.
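A worked model of the DGA-plus-signature scheme described above, added here as an example and not code from the original article or from the malware itself. The date-seeded domain generator is a hypothetical stand-in (the actor's real algorithm is not on this page), and the RSA key is a deliberately small toy built from two Mersenne primes so it runs without external libraries; the names `candidate_domains`, `sign`, `verify` and `select_c2` are assumptions. The defender's takeaway it demonstrates: the candidate list for a given day can be enumerated for DNS watchlists and blocklists, but registering one of those domains is not enough to sinkhole the implant, because it only accepts a domain whose signature file verifies under the operator's public key.

```python
import hashlib
from datetime import date
from typing import Dict, List, Optional

# --- Toy RSA key (constructed; a real implant ships a full-size key) ---
P = 2**31 - 1                           # Mersenne prime
Q = 2**61 - 1                           # Mersenne prime
N = P * Q
E = 65537                               # coprime with (P-1)(Q-1) for these primes
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (operator side), Python 3.8+


def _digest_int(msg: bytes) -> int:
    """SHA-256 of msg reduced into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    """Operator side: needs the private exponent D."""
    return pow(_digest_int(msg), D, N)


def verify(msg: bytes, sig: int) -> bool:
    """Implant side: needs only the public key (E, N)."""
    return pow(sig, E, N) == _digest_int(msg)


# --- Hypothetical date-seeded DGA (stand-in, not the actor's algorithm) ---
def candidate_domains(day: date, count: int = 8, seed: bytes = b"example-seed") -> List[str]:
    """Deterministic candidate list for a day; defenders can precompute it."""
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        out.append(f"{h[:12]}.example")
    return out


def select_c2(day: date, published: Dict[str, int]) -> Optional[str]:
    """Mimic the implant's choice: first candidate whose fetched signature verifies.

    `published` maps domain -> signature integer, standing in for the signature
    file the implant would download from that domain.
    """
    for dom in candidate_domains(day):
        sig = published.get(dom)
        if sig is not None and verify(dom.encode(), sig):
            return dom
    return None


if __name__ == "__main__":
    day = date(2024, 1, 1)
    cands = candidate_domains(day)
    print("watchlist for", day, ":", cands)
    # Operator signs one candidate; a researcher registers another with no valid signature.
    served = {cands[0]: 12345, cands[3]: sign(cands[3].encode())}
    print("implant would contact:", select_c2(day, served))      # cands[3]
    print("with only the unsigned domain:", select_c2(day, {cands[0]: 12345}))  # None
```

Because the key is toy-sized, treat the RSA part as a model of the control flow, not as a cryptographic reference; the operational conclusion (enumerate and monitor the candidates, expect sinkholing to fail without the private key) holds regardless of key size.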
Further investigation into the server infrastructure has revealed the integration of the Telegram messaging app into their operations. The latest versions of the Tonnerre malware are designed to communicate with a specific Telegram group through the command and control server. This group appears to be managed by a bot and a specific user handle, likely for the purpose of issuing commands and collecting data. Access to these instructions is tightly controlled and only triggered for specific victim identifiers.
While the group appeared to go dark for a period around 2022, current research confirms they have been refining their toolset and continuing their operations. This includes the deployment of various malware variants disguised as news applications or specialized spying tools. The continued evolution of Infy highlights the persistence of veteran threat actors who adapt their methods to remain effective in a changing cybersecurity landscape.