
Iranian Infy APT Emerges Again: New Malware Activity After a Long Hiatus

Threat hunters have identified a resurgence of activity from the Iranian threat actor known as Infy, also referred to as the Prince of Persia. This group, which had remained largely dormant for years, was last seen targeting victims across Sweden, the Netherlands, and Turkey. Recent insights indicate that the scale of their operations is more extensive than previously anticipated.

According to Tomer Bar, vice president of security research at SafeBreach, Infy is one of the oldest advanced persistent threat (APT) groups, with documented activities stretching back to December 2004. The group’s ability to stay under the radar distinguishes it from other Iranian hacking collectives like Charming Kitten, MuddyWater, and OilRig.

Infy’s attacks primarily utilize two types of malware: a downloader and victim profiler named Foudre, which deploys a secondary implant known as Tonnerre to exfiltrate sensitive data. The distribution of Foudre is typically carried out through phishing campaigns.

Recent findings reveal a covert operation targeting various countries, including Iran, Iraq, Turkey, India, Canada, and several European nations, utilizing updated versions of its malware. The attack strategies have evolved, with recent tactics replacing macro-laden Microsoft Excel files with documents that contain embedded executables to initiate Foudre.

Notably, the threat actor employs a domain generation algorithm (DGA) to bolster the resilience of its command-and-control (C2) infrastructure. Furthermore, the malware verifies the authenticity of its C2 domain by retrieving and decrypting a signature file using an embedded public key, ensuring that it only communicates with approved domains.
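Because the implant signs its C2 domains, defenders cannot simply pre-register DGA candidates to sinkhole them; the more useful signal is in DNS telemetry, where a client working through generated names produces a burst of high-entropy NXDOMAIN lookups before one finally resolves. The following detection heuristic is an added example written for this page, not code from SafeBreach or from the article; the log format, the client addresses, the domain names and the thresholds are all constructed assumptions, and the entropy and count cut-offs are starting points a hunter would tune on real resolver logs.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real telemetry): "<ts> <client> <qname> <rcode>".
# Client 10.0.0.7 walks through several random-looking names until one resolves.
SAMPLE_LOG = """\
1 10.0.0.5 mail.example.com NOERROR
2 10.0.0.7 q7xk2mvb9.top NXDOMAIN
3 10.0.0.7 zp4mq8wvx1.top NXDOMAIN
4 10.0.0.7 xk9wq2mvz7.top NXDOMAIN
5 10.0.0.7 bm3kq9xwz2.top NOERROR
6 10.0.0.5 cdn.example.net NOERROR
7 10.0.0.9 login.corp.example NXDOMAIN
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; dictionary words score low, generated labels high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(log: str):
    """Yield (timestamp, client, qname, rcode) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        yield int(ts), client, qname, rcode


def find_dga_candidates(log: str, min_nx: int = 3, min_entropy: float = 3.0, min_len: int = 8) -> dict:
    """Flag clients with >= min_nx high-entropy NXDOMAIN lookups; also report which
    high-entropy names did resolve for them (the likely live C2 in a DGA walk)."""
    nxdomain = defaultdict(list)
    resolved = defaultdict(list)
    for _, client, qname, rcode in parse_log(log):
        label = qname.split(".")[0]  # score only the leftmost (generated) label
        if len(label) < min_len or shannon_entropy(label) < min_entropy:
            continue  # short or word-like labels are not DGA candidates
        (nxdomain if rcode == "NXDOMAIN" else resolved)[client].append(qname)
    return {
        client: {"nxdomain": names, "resolved": resolved.get(client, [])}
        for client, names in nxdomain.items()
        if len(names) >= min_nx
    }
```

A hit where the "resolved" list is non-empty is the one to pivot on: the name that resolved after the failed walk is the domain that passed the implant's signature check, so its registration details and the HTTP request for the signature file are the next artefacts to pull.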

Additional analysis has uncovered various directories within the C2 server used for validation and communication, highlighting a meticulous organization in how the malware operates. The latest iterations of Tonnerre also incorporate a mechanism to interface with a Telegram group, used for command execution and data collection.

Despite an apparent quiet period in 2022, SafeBreach’s ongoing research indicates that the Prince of Persia remains active, adapting its methods and tools. This resilience is echoed in the recent analysis of Charming Kitten leaks, which suggest that the Iranian hacking entities operate with a level of organizational structure akin to state-sponsored activities.

This resurgence of the Infy group underscores the persistent threat posed by advanced hacking collectives and highlights the evolving nature of cyber threats in the landscape.

