The presumed Iranian information stealer, dubbed Foudre, incorporates new anti-takeover techniques in an attempt to avoid having its Command and Control (C2) infrastructure domains being sinkholed - as they were in 2016 by Unit 42, the threat intelligence research arm of Palo Alto Networks.
In a blogpost Unit 42 notes the ‘new' malware campaign targets many Iranian-domestic victims, as did the Infy malware campaigns, of which this appears an evolution. Like the earlier campaign there are also many efforts against the United States and Iraq, while there are few financial targets. The conclusion is that it is state-sponsored activity by Iran.
The researchers also show how the attackers have discovered that use of digital signing is an effective C2 defense mechanism. They conclude that without access to the private keys, it's not possible for the defender to impersonate a C2 even if a DGA domain is registered by a researcher. But they do suggest that it's possible that the private keys are held locally on the C2 server, but without access to the C2 Unit 42 was unable to confirm this particular potential vulnerability in their infrastructure.
The original research into the Infy malware campaign was published in May 2016, with the Prince of Persia blog suggesting that it had been around for a decade. Then at last year's Blackhat US, Claudio Guarnieri and Collin Anderson presented evidence that a subset of the C2 domains redirecting to Unit 42's sinkhole were blocked by DNS tampering and HTTP filtering by the Telecommunication Company of Iran (AS12880), preventing Iranian-domestic access to the sinkhole.
The report cites a Guarnieri & Anderson note that, “The filtering policy indicates that Iranian authorities had specifically intervened to block access to the command and control domains of a state aligned intrusion campaign at a country level”.
Looking at the new Foudre version of the malware the researchers not that it uses a window name “Foudre” for keylogging recording.
The researchers note that most of the code remains the original Delphi programming, with an additional crypto-library, and a new de-obfuscation algorithm.
They explain how Foudre “includes a keylogger which captures clipboard contents on a ten-second cycle. It collates system information including process list, installed antivirus, cookies, and other browser data.
“The malware checks for internet connectivity simply by looking for an “HTTP 200” response to a connection to google.com. It includes the ability to check for and download any updates to itself.,,,(It) determines the C2 domain name using a Domain Generation Algorithm (DGA). It then validates that the C2 domain is authentic. The C2 returns a signature file, which the malware decrypts and compares it with a locally-stored validation file.”
Once the validity of the C2 is confirmed, stolen data is exfiltrated with a simple HTTP POST.
Initial infection is via a spear-phishing email with a self-executable attachment that installs an executable loader, a malware DLL, and a decoy readme file.
Foudre also checks if the computer is already infected. It contains German text (in this case referring to a right wing extremist group) and Unit 42 says it saw similar embedded-text snippets in Infy samples, in German, Dutch, and English, but they say that the embedded text's function is unclear.
Learning from Unit 42's takedown of the actor's previous C2 infrastructure, this version implements two new C2 mechanisms in an attempt to avoid C2 takeover.
It now uses DGA for C2 domains. It has also implemented an RSA signature verifying algorithm to check the veracity of a C2 domain.
Previous and current C2 domains point at the same C2 server on 198.252.108[.]158, located in Canada, using DNS servers ns1.2daa46f1[.]space and ns2.2daa46f1[.]space.
The DNS RNAME is henry55.iname[.]com, though Unit 42 was not able to find any other reference to this email address outside of the context of this campaign.
Foudre uses the lockbox3 Delphi library to verify the C2:
After the domain is verified, it checks if a new trojan update version is needed
A first request downloads any new trojan version to %temp%\gtsdch32.tmp. The second request downloads a second signature file to %temp%\gtsdci32.tmp.
The malware then performs a second RSA signature verification using the public key. If the verification is successful, the new trojan version (gtsdch32.tmp) is executed .
The malware then encrypts the keylogger data and system information, and sends to the C2 .
Unit 42 managed to forecast one of the DGA domain names and registered it before the adversary was able to do so.
The victims attempted to connect to a C2 on that domain, but without the RSA private key Unit 42 could not verify its domain to them. However, it was able to map the victim locations using GeoIP
One of the Iraqi victims uses an IP in the same class C network as one of an observed Infy victims, suggesting that the adversary is targeting the same specific organisation, or even computer.
Although without the RSA private key, Unit 42 was unable to establish communications with any victims, it discovered that by sending an invalid signature file to the victim, owing to a lack of input validation of the signature file content/size, it could crash the rundll32 process running the Foudre malicious DLL, disabling the infection until the victim reboots.