Foudre Malware

Foudre Malware Description

The Foudre Malware is a threatening tool written in Delphi. The Foudre Malware is part of the arsenal of what is believed to be an Iranian-backed APT (Advanced Persistent Threat) actor named Infy. Evidence suggests that this group of hackers has been active since at least 2007. The cybercriminals carried out active operations for years until a takedown attempt by infosec researchers forced them into dormancy.

Now, a new attack campaign attributed to Infy has been uncovered. The operation has been going on for several years and employs new malware tools as well as techniques. It seems that the Infy hackers are trying to keep a low profile with their activities. The targeted group of entities seems consistent with their previous ventures with the notable exclusion of any Iranian victims.

One of the new weapons employed by the hackers is the Foudre Malware. The Foudre Malware acts as a middle-stage payload tasked with the delivery of the final malware threat onto the compromised systems. The Foudre Malware infects its targets by hiding inside documents designed to lure victims into opening them. The threatening documents are usually written in Persian entirely, with two observed samples talking either about the governor of Dorud city in the Lorestan Province, Iran, or pretending to be sent by the ISAAR, the Iranian government-sponsored Foundation of Martyrs and Veterans Affairs. The ISAAR agency provides loans to the country's disabled veterans and their families.

When the victim opens the lure document, it triggers a threatening macro that drops a self-extracting archive to the temp directory of the computer as fwupdate.temp. It should be noted that the macro is executed when the victim closes the document. When Foudre gets deployed, it attempts to establish a connection with its Command-and-Control (C2, C&C) server. Foudre authenticates the C2 server by downloading a signature file. Upon successful verification, the malware checks for any available updates by attempting to download a second signature file. Finally, it proceeds to drop the end-stage payload - a malware threat named the Tonnerre Malware.

During the span of this latest burst of activity from the Infy hackers, infosec researchers have managed to observe multiple different versions of the Foudre Malware being deployed. While for the most part, these versions include minor technical modifications only, such as different Window names, Export function names, and strings, the newer releases do containing some key improvements.

The Foudre Malware has been equipped with an updated domain generation algorithm which could make detection of the threat a bit harder if the security vendors try to catch it by using previously discovered DGA. To better protect themselves from takedown attempts, Infy now includes in its malware tools a C2 RSA verification routine.