Iranian cyberspy phishing rod pulled from the waters and exposed

Infy becomes infamous

9 Reg comments Got Tips?

Security researchers have lifted the lid on a decade long cyber-espionage campaign.

The Infy malware, which originated in Iran, has been used to target businesses and governments across the world since 2007 and remains in use, according to security researchers from Palo Alto's Unit42 research unit.

Over the time, the malware – which has also featured in attacks domestic against Iranian citizens – has been refined and improved.

The hackers behind the malware took great pains not to tip their hand. Infy campaigns were low-volume and tightly focused. Cyberspies relied on social engineering skills to craft plausible but booby-trapped emails rather than taking a scatter-gun, high-volume approach.

Their basic stock-in-trade(craft) is spear-phishing emails carrying a poisoned Word or PowerPoint document. Some campaigns include image or video files as camouflage to disguise their real purpose – dropping a backdoor on targeted Windows machines.

Palo Alto came across the attacks after intercepting malware sent via a genuine and compromised Israeli Gmail account, to an Israeli industrial organisation. A US government recipient was also targeted with a malware-packed Word document at around the same time. Subsequent research revealed the same malware (identical hash, different filename) was previously detected in attacks thrown against Danish government targets.

“Based on various attributes of these files and the functionality of the malware they install, we have identified and collected over 40 variants of a previously unpublished malware family we call Infy, which has been involved in attacks stretching back to 2007,” Palo Alto explains in a blog post that details the command-and-control structure behind the malware, as well as other technical information. ®


Biting the hand that feeds IT © 1998–2020