Researchers at Palo Alto Networks have come across a new malware family that appears to have been used by an Iran-based threat actor in targeted espionage operations since 2007.
The security firm discovered the malware after in May 2015 its systems detected two emails carrying malicious documents sent from a compromised Israeli Gmail account to an industrial organization in Israel. At around the same time, the company also spotted a similar document attached to an email sent to a U.S. government recipient.
An analysis of the files and the malware functionality turned up more than 40 variants of a previously unknown malware family that Palo Alto Networks has dubbed “Infy” based on a string used by the threat actor in filenames and command and control (C&C) folder names and strings.
Based on samples submitted to VirusTotal, the oldest variant found by researchers dates back to August 2007. However, the C&C domain used by the oldest sample has been associated with malicious activity as far back as December 2004.
Experts reported observing increased activity after 2011 and noted that the malware has improved over the years, with developers adding new features such as support for the Microsoft Edge web browser. Attacks involving Infy malware were also spotted in April 2016, which suggests the actor continues to be active.
According to Palo Alto Networks, most of the malware samples from over the last five years were eventually detected by antivirus software, but in a majority of cases with a generic or unrelated signature. Experts attributed the industry’s failure to connect the Infy samples to each other to the fact that the malware has only been used in limited attack campaigns.
The malware, typically disguised as a document or a presentation, is designed to collect information about the infected system, log keystrokes, and steal passwords and other data from browsers. All the information is sent back to a C&C server.
Researchers identified 12 domains used for C&C servers, some of which have also been mentioned in a report describing an attack against the government of Denmark.
WHOIS information and IP addresses associated with the C&C domains suggest that the attackers might be based in Iran, although it’s not uncommon for threat groups to plant false evidence to throw investigators off track.
“We believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most of its existence as targeted espionage originating from Iran. It is aimed at governments and businesses of multiple nations as well as its own citizens,” researchers said in a blog post.
Andre McGregor, director of security at endpoint protection company Tanium, noted in a presentation earlier this year at the RSA Conference that Iran had no cyber capabilitiesuntil 2010, when its nuclear facilities were hit by Stuxnet. However, the expert said the country, whose main enemies are considered Israel, the United States and Saudi Arabia, evolved a great deal over the past years.
The most notable attacks attributed to Iran include the Saudi Aramco incident, the DDoS attacks aimed at U.S. banks, a 2013 attack on a small New York dam, and an operation targeting the Sands Casino in Las Vegas.