Tonnerre Malware Description
Tonnerre Malware is the end-stage payload used in the renewed activities of what is believed to be an Iranian-backed APT (Advanced Persistent Threat) group known as Infy. Written in Delphi, Tonnerre is designed as a separate payload that expands on the functionality of another Infy malware tool, the Foudre Malware. By splitting the desired functionality across two different threats, the attackers may be attempting to reduce their footprint on the compromised system.
However, the Tonnerre Malware's executable is remarkably large, coming in at 56 MB. It tries to pass as legitimate software: earlier versions posed as a program called 'SilverSoft Speed,' while later ones presented themselves as 'Synaptics.' Like the Foudre Malware, the Tonnerre Malware is equipped with a routine that authenticates its Command-and-Control (C2, C&C) server before trusting it. Furthermore, Tonnerre employs a dual C2 communication structure.
First, the threat uses a Domain Generation Algorithm (DGA) to locate its primary C2 server and then verifies it through an RSA signature, so a defender who registers or sinkholes a predicted DGA domain cannot impersonate the server without the operators' private key. Communication with this server is carried out over HTTP and is used for storing general metadata about the infected victim, collecting files that match predefined extensions, getting updates and obtaining the address of the secondary C2. The secondary C2 is used for exfiltrating the collected data as well as for receiving a list of commands to be executed on the compromised device. Communication with this server is carried out over FTP.
The Tonnerre Malware contains five Delphi forms, each implementing different functionality. One is responsible for installing the threat and establishing persistence through a scheduled task for helper.exe and a registry 'Run' key. The next one is responsible for collecting selected data: it captures documents from predefined folders such as Documents, Pictures and Downloads. Additionally, it can harvest data from network shares, which it enumerates through the WNetOpenEnumW and WNetEnumResourceW functions from mpr.dll.
A separate Delphi form handles the connection with the secondary FTP C2 server. Another collects files from removable media by watching for WM_DEVICECHANGE messages and enumerating the newly attached devices. The last form uses the LAME command-line MP3 encoder to record sound.
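The persistence pair described above (a scheduled task and a Run key that both point at a dropped helper.exe) is what an analyst would hunt for on a suspected host. The following Python is an added example written for this page, not tooling from the page's author or the Infy reports: it parses constructed excerpts of `schtasks /query /fo csv /v` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output, and the task name, file paths and dates in the samples are assumptions, since this page does not state where Tonnerre installs itself.

```python
# Added hunting example for the persistence pair described above (a scheduled
# task plus a Run key pointing at the same dropped helper.exe). The sample
# schtasks/reg output below is constructed, not real telemetry, and the paths
# and task names are assumptions; Tonnerre's actual install locations are not
# given on this page.
import csv
import io
import re

# Constructed excerpt of `schtasks /query /fo csv /v`, trimmed to the columns used.
SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\Synaptics","02/02/2021 09:00:00 AM","Ready","Interactive only","02/01/2021 09:00:00 AM","0","WS01\alice","C:\Users\alice\AppData\Roaming\Synaptics\helper.exe"
'''

# Constructed excerpt of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
REG_RUN_TEXT = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Synaptics    REG_SZ    C:\Users\alice\AppData\Roaming\Synaptics\helper.exe
'''

# Directories an unprivileged user can write to; a persisted binary living here
# is a weak signal on its own (OneDrive in the sample shows the false positive).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def extract_exe(command):
    """Return the executable from a command line, honouring a quoted path."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def parse_schtasks(csv_text):
    """Return (task name, executable) pairs from schtasks CSV output."""
    return [(row["TaskName"], extract_exe(row["Task To Run"]))
            for row in csv.DictReader(io.StringIO(csv_text))]


def parse_run_keys(reg_text):
    """Return (value name, executable) pairs from reg query output."""
    entries = []
    for line in reg_text.splitlines():
        m = re.match(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            entries.append((m.group(1), extract_exe(m.group(3))))
    return entries


def hunt(csv_text, reg_text):
    """Flag persistence entries: 'high' when the binary is helper.exe or is
    persisted through both a task and a Run key, 'low' for a user-writable path."""
    tasks, runs = parse_schtasks(csv_text), parse_run_keys(reg_text)
    task_exes = {exe.lower() for _, exe in tasks}
    run_exes = {exe.lower() for _, exe in runs}
    findings = []
    for source, entries, other in (("schtasks", tasks, run_exes), ("run_key", runs, task_exes)):
        for name, exe in entries:
            lowered = exe.lower()
            dual = lowered in other
            if lowered.endswith("\\helper.exe") or dual:
                severity = "high"
            elif any(d in lowered for d in USER_WRITABLE):
                severity = "low"
            else:
                continue
            findings.append({"source": source, "name": name, "exe": exe,
                             "dual_persistence": dual, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt(SCHTASKS_CSV, REG_RUN_TEXT):
        print(f"{f['severity']:4} {f['source']:8} {f['name']:<12} {f['exe']}")
```

The two-source correlation is the useful part: a user-writable path alone flags plenty of legitimate software (the constructed OneDrive entry lands at 'low' for exactly that reason), whereas the same binary registered both as a task and as a Run value is a much stronger indicator and matches the layout this page describes. On a live host, feed the functions the real command output instead of the constructed strings.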