A shift to Telegram: More recently, the researchers identified a new Tonnerre variant that’s advertised as v50, as well as an unknown new Foudre version that goes along with it. These versions use a new C2 server structure and, most importantly, can download a file from the server that enables Telegram communication via its API.

The Telegram feature is enabled only for a select number of victims, but the researchers managed to use the API to query the configured Telegram channel. It had two members: one was a channel bot and the other a user named Ehsan, written in Farsi, who could be one of the hackers in charge of controlling the malware and who was last active as of Dec. 13.

“Ehsan is a common Persian name typical for an Iranian,” the researchers said. “This attribution is pretty strong in combination with the IP location of the attacker’s testing machine. We tracked the IP addresses used over several years, all of which indicated Iran as the location. While different IP location databases provided different cities, all of them were in Iran.”

The researchers also uncovered other samples of malware and payloads used in campaigns prior to 2022, including signs of an additional malware family called Rugissement (“roar” in French), a newer version of MaxPinner, a Telegram-based trojan used by the group in 2021, as well as various trojanized binaries used to distribute the malware.

The report includes details about the new DGAs (domain generation algorithms) as well as indicators of compromise and sample hashes, in the hope that it will help other companies and researchers track the elusive group’s activities going forward.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4109985/iranian-apt-prince-of-persia-returns-with-new-malware-and-c2-infrastructure.html