
Infy APT Group New Attack

Introduction

CheckPoint disclosed the update of the used by the Infy (Mermaid) group. Infy is an advanced threat group attributed to Iran. Its earliest activities date back to 2007, so it has been active for more than 13 years. Infy's main targets are politicians around Iran, including Persian media and the Danish Ministry of Foreign Affairs. There are indications that Infy is closely linked with Iranian telecommunications companies.

Tonnerre and are two information-stealing tools used by Infy on the Windows platform. The new version of runs a after the victim closes the document, instead of requiring the victim to click a link that looks like a video, as earlier versions did. The complete infection chain is as follows:

[Figure: Infy Foudre infection chain]

Tonnerre is used to extend Foudre's functionality, and it appears to be deployed only when needed, which may help it evade detection. Like Foudre, it is written in Delphi. Its functions include:
• stealing files from predefined folders and external devices;
• executing C2 commands (audio recording and image capture).


In this attack, Infy used Persian -embedded documents that referenced Iranian politicians and groups. In these targeted attacks, CheckPoint observed only dozens of victims. The victims came from multiple countries: Iraq (1 victim), Azerbaijan (1 victim), United Kingdom (1 victim), Russia (1 victim), Romania (1 victim), Germany (1 victim), Canada (1 victim), Turkey (3 victims), the United States (3 victims), the Netherlands (4 victims) and Sweden (6 victims).

IOCs
