Researchers have uncovered a cybercrime operation that spent close to a decade infecting targets with dozens of previously unknown malware variants.
Tomer Bar and Simon Conant of Palo Alto Networks explain in a blog post that they originally came across two emails containing malicious Microsoft Office documents back in May 2015.
Since then, they have collected other emails containing hashes identical to those they identified in the emails they received last spring:
“Based on various attributes of these files and the functionality of the malware they install, we have identified and collected over 40 variants of a previously unpublished malware family we call Infy, which has been involved in attacks stretching back to 2007. Attacks using this tool were still active as of April 2016.”
Each Infy attack usually begins with a spear-phishing campaign containing malicious Word or PowerPoint documents.
In the case of the latter, the document opens in what appears to be a paused movie in “PowerPoint Show” mode. A dialog box then displays and asks the user if they would like to run the content. Clicking “Run” allows a multi-layer Self-Extracting Executable Archive (SFX) embedded in the document to execute.
Infy then loads up a DLL, writes to the autorun registry key, and waits to activate and connect to one of its command and control (C&C) servers after a reboot. At that time, it checks for antivirus before initializing a keylogger, stealing browser data, and sending all information to the C&C.
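The PowerPoint lure above works because an executable (the SFX archive) is carried inside the document itself. As an added example, not code from the original article or from Palo Alto Networks, the following Python scans an Office Open XML container (a zip, as used by .pptx/.ppsx and .docx) for embedded PE executables, including ones wrapped inside an OLE object stream, and builds a constructed sample document to run against; the sample and all names are assumptions for illustration.

```python
import io
import struct
import zipfile


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a PE/COFF executable (MZ stub + PE signature)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_executables(doc: bytes) -> list[str]:
    """Return names of zip members that are, or wrap, a PE executable.

    Embedded objects (ppt/embeddings/oleObjectN.bin) are OLE compound files,
    so the PE image may sit at an offset; a substring scan handles that case.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        for info in z.infolist():
            data = z.read(info)
            pos = 0 if is_pe_image(data) else data.find(b"MZ")
            while pos != -1:
                if is_pe_image(data[pos:]):
                    hits.append(info.filename)
                    break
                pos = data.find(b"MZ", pos + 1)
    return hits


def build_sample_pptx(embed_pe: bool) -> bytes:
    """Constructed minimal .pptx-like zip for demonstration (not a real deck)."""
    fake_pe = bytearray(0x80)                       # constructed PE stub
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)     # e_lfanew -> PE header
    fake_pe[0x40:0x44] = b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if embed_pe:
            # OLE compound-file magic, padding, then the PE image at an offset
            ole = b"\xd0\xcf\x11\xe0" + b"\0" * 60 + bytes(fake_pe)
            z.writestr("ppt/embeddings/oleObject1.bin", ole)
    return buf.getvalue()
```

Legacy binary formats (.pps/.ppt) are OLE compound files rather than zips, so the same MZ/PE scan would have to be run over the raw file bytes instead of zip members.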
Following their initial analysis of Infy, Bar and Conant found that certain aspects of Infy, including parts of its C&C infrastructure, a tendency towards specific geographic targeting, and a single key used to encode strings, have been found across additional malware and attack campaigns.
Their findings have led them to believe that this particular malware family has been around for quite some time:
“Based on this specific encoding technique and key, we have identified related Infy samples from as early as mid 2007, although more frequent related activity is observed after 2011. Historic registration of the C2 domain associated with the oldest sample that we found, fastupdate[.]net, suggests that it may have been associated with malicious activity as far back as December 2004.”
Each of the malicious emails was sent from a Gmail account belonging to an Israeli victim. Analysis of C&C domains known to be associated with that email and similar accounts suggests that the malware might be originating from a source in Iran. The duo has reason to believe that Iran is using Infy to conduct an espionage campaign targeting governments and their citizens around the world.
Currently, the malicious Microsoft Office documents associated with Infy are flagged by 21/55 anti-virus providers on VirusTotal.
With that in mind, users can rely on the same old common-sense measures to protect themselves against this campaign. Don’t click on suspicious links or email attachments, and maintain an up-to-date anti-virus solution on your computers.