Foudre Malware

foudre malware

Cyberwarfare is far more prevalent than a regular user thinks. Whatever you hear or see on the news is just a tip of an iceberg, and security researchers have to grapple with multiple threat agents every single day. Foudre Malware is one of such infections that is used in cyberwarfare. A regular user may not know much about such threats because they usually target corporate computers. However, everyone could be targeted by this malicious actor.

Foudre Malware is a malicious program that is thought to be created by Iranian state-backed hackers. The operation behind this malware is called Infy or Prince of Persia. And no, they are not related to the game whatsoever. The operation has been known since 2007, although it constantly reinvents itself and comes back with new versions of malware. Hence, Infy is known as an APT or Advanced Persistent Threat.

Infy mostly focuses on PCs, and the operation employs malware to indulge in cyberespionage. Over the years, the operation has employed various malware components to eavesdrop on their victims. Foudre Malware was first used in 2017. The name for the malware comes from one of its keylogging windows and it means “lightning” in French.

A new version of the Foudre Malware infection was detected in 2020. Like most of the previously used Foudre Malware components, it is programmed in the Delphi programming language. To put it simply, this malware works like a carriage that brings in a second-stage payload into the target system. It is like a nutshell that once cracked releases the real player into the wild. This player is called Tonnerre Malware, and we will discuss this infection in greater detail in our next entry.

So, how do users get infected with Foudre Malware? Usually, the infection reaches its victims through spam or phishing emails. These are mostly targeted phishing emails because they aim at certain victims. The previous versions of Foudre Malware would arrive through outgoing links that supposedly should open a video. However, this new version of Foudre Malware launches when users close the dangerous document, and it triggers a malicious macro to run.

The document in question is often some kind of photo of an Iranian official and their phone number (the phone number is usually fake). There are also instances where documents supposedly sent by various Persian organizations and foundations are used to lure unsuspecting victims. Either way, the victims do not need to click anywhere on the document. Just opening it is enough for Foudre Malware to run automatically when the document is closed. Here is essentially what happens when victims trigger the malware installation:

  • The macro downloads the first-stage payload with Foudre Malware,
  • Foudre Malware connects to its command and control (C2) server and downloads Tonnerre Malware,
  • Tonnerre Malware starts running and receives further commands.

This is where the shell of Foudre Malware falls off and then Tonnerre Malware takes over to carry on its espionage activities. Everything happens behind the victim’s back. What’s more, the newest Foudre Malware version is also better at avoiding detection because it comes with three key differences, compared to the previous versions.

First, it uses the DGA Formula to avoid detection. It is an updated algorithm that generates domains. Another thing that increases the stealth level is the C2 RSA verification where Foudre Malware downloads a digital signature file from its C2 and verifies it. We also mentioned that this threat gets its name from one of its keylogging windows, but the newest version misses this component, too. Security researchers believe that this update allows the infection to avoid signature detection.

All in all, it is possible to avoid Foudre Malware and other related infections if potential victims are vigilant and review their cybersecurity knowledge frequently. On the other hand, these threat actors are stealthy and might run in the background of the compromised system for a long time before anyone takes heed. Hence, regular system scans with licensed security products are vital for early detection and swift malware removal.

By Tova
February 15, 2021
Malware
English
February 15, 2021
Malware

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Malware

Emotet Malware Attacks Governments and Organizations Costing Victims Millions

Emotet is arguably the most problematic and costly malware of the past five years. This malware was first discovered in 2014, and since then, it has been causing trouble almost non-stop. The threat took a sort,... Read more

January 17, 2020
Android Malware, Computer Security

Mobile Malware Spreading Through COVID-19 Test SMS

Cybercriminals are not letting go of the Covid-19 anxiety that is still gripping the world and are doing their best to abuse it. A brand new mobile scam that spreads malware has joined the dozens of Covid-themed... Read more

September 4, 2020
Malware

Cybercriminals Use Coronavirus-Themed Spam to Spread Malware

The Wuhan coronavirus (also known as 2019-nCoV) is still dominating the news, and unfortunately, this is unlikely to change any time soon. The death toll rises at an alarming rate, and people are on the verge of... Read more

February 3, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.