Researchers have discovered new activity from a threat actor dubbed Prince of Persia that’s believed to be tied to the Iranian government. The group appeared to have gone dormant in 2022 after multiple security companies documented its operations and crippled its command-and-control infrastructure, but new evidence shows the attackers retooled and continued to target new victims under the radar.

Prince of Persia, also known as Infy based on the name of its original malware, has been operating for almost 20 years. Researchers have noted likely ties to Iran based on the group’s target selection and other factors. Victims were previously identified in 35 countries and included Iranian dissidents and government targets from Europe and elsewhere.

The first company to document the group’s attacks and malware toolkit in detail was Palo Alto Networks, back in 2016. That same year the company executed a successful takedown operation that involved sinkholing the group’s command-and-control servers. However, the group was back one year later with new malware variants dubbed Foudre and Tonnerre — lightning and thunder in French.

“Despite the appearance of having gone dark in 2022, Prince of Persia threat actors have done quite the opposite,” researchers from security firm SafeBreach said in a new report. “Our ongoing research campaign into this prolific and elusive group has highlighted critical details about their activities, C2 servers, and identified malware variants in the last three years. This threat group is still active, relevant, and dangerous.”

Changes in malware delivery and C2 infrastructure

When the group fell off the radar in 2022, the latest known version of Foudre was v27 and for Tonnerre it was v15. Today, the most recent versions recovered by researchers are Foudre v34 and Tonnerre v17, both of which include significant changes.

Foudre is first-stage malware used for reconnaissance and victim identification. If a target is deemed important enough, the Tonnerre Trojan is deployed for data exfiltration and surveillance.

Foudre used to be distributed through malicious macros embedded in Microsoft Office documents, sent as attachments in phishing emails on topics of interest to the targets. The latest version is delivered as an Excel file with an embedded malicious executable that is not detected by any antivirus engine on VirusTotal.

The embedded executable is a self-extracting archive (SFX) file that contains a malicious DLL and a decoy MP4 video file. Excel files with malicious macros continue to be used as well; these attempt to execute a file called ccupdate.tmp.

One major difference compared to previous versions is the switch to a new domain generation algorithm (DGA) through which the malware determines on which domain names it will find the command-and-control server. Tonnerre v17 uses the same DGA with a different key prefix, meaning the domains it will generate for C2 will be different.
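The point above (one DGA shared by both families, with a family-specific key prefix yielding disjoint domain sets) as an added illustration from the defender's side, not code from the report or from the malware itself: the hash-based DGA, the two prefixes and the resolver log format are hypothetical stand-ins, and the code precomputes the day's candidate domains so they can be blocked or sinkholed and matched against DNS logs.

```python
import hashlib

# Added illustration: a hypothetical, deterministic DGA in the style the report
# describes (one algorithm, a family-specific key prefix). The real Foudre and
# Tonnerre DGA is documented in the SafeBreach report and is not reproduced here.
TLDS = ("com", "net", "org")
FOUDRE_PREFIX = "foudre-demo"      # hypothetical key prefix, not the real one
TONNERRE_PREFIX = "tonnerre-demo"  # hypothetical key prefix, not the real one


def generate_domains(key_prefix: str, day: str, count: int = 4) -> list[str]:
    """Candidate C2 domains for one day (ISO date string) under the hypothetical DGA.
    The prefix is mixed into the hash input, so two families sharing the algorithm
    but using different prefixes never produce the same domains."""
    domains = []
    for i in range(count):
        seed = f"{key_prefix}|{day}|{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        label = digest[:12]                              # 12 hex chars as host label
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]   # next byte selects the TLD
        domains.append(f"{label}.{tld}")
    return domains


def daily_watchlist(day: str, prefixes=(FOUDRE_PREFIX, TONNERRE_PREFIX)) -> set[str]:
    """Pre-compute every candidate domain for the day so it can be blocked or sinkholed."""
    watch: set[str] = set()
    for prefix in prefixes:
        watch.update(generate_domains(prefix, day))
    return watch


def flag_dns_queries(log_lines: list[str], watchlist: set[str]) -> list[str]:
    """Return queried names from resolver log lines that fall on the watchlist.
    Line format is constructed for this example: '<timestamp> <client-ip> <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                                     # malformed line, skip it
        qname = parts[2].lower().rstrip(".")             # normalise case and trailing dot
        if qname in watchlist:
            hits.append(qname)
    return hits
```

Because the watchlist is derived from the date and the prefixes alone, a defender can regenerate it each day in advance and feed it to a resolver blocklist or sinkhole without ever contacting the attacker's infrastructure.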

The SafeBreach researchers managed to identify many C2 servers and to extract data from them. Some servers were used for testing, while others held data collected from real victims.

“Most of the victims were located in Iran, but there were some across Europe and countries like Iraq, Turkey, India, and Canada,” the researchers said. “While we have chosen not to publish the data here due to privacy concerns, we are more than willing to share the data with authorized law enforcement agencies.”

Monitoring the group’s campaigns is difficult because the attackers switch C2 servers quite often and they issue commands to delete the malware from the systems of victims that are no longer of interest.

A shift to Telegram

More recently, the researchers identified a new Tonnerre variant that’s advertised as v50, as well as an unknown new Foudre version that goes along with it. These versions use a new C2 server structure and, most importantly, can download a file from the server that enables Telegram communication via its API.

The Telegram feature is enabled only for a select number of victims, but the researchers managed to use the API to query the configured Telegram channel. It had two members: a channel bot and a user whose name, Ehsan, was written in Farsi. That user could be one of the hackers in charge of controlling the malware and was last active as of Dec. 13.

“Ehsan is a common Persian name typical for an Iranian,” the researchers said. “This attribution is pretty strong in combination with the IP location of the attacker’s testing machine. We tracked the IP addresses used over several years, all of which indicated Iran as the location. While different IP location databases provided different cities, all of them were in Iran.”

The researchers also uncovered other samples of malware and payloads used in campaigns prior to 2022, including signs of an additional malware family called Rugissement (roar in French), a newer version of MaxPinner, a Telegram-based trojan used by the group in 2021, as well as various trojanized binaries used to distribute the malware.

The report includes details about the new DGAs as well as indicators of compromise and sample hashes, in the hope that they will help other companies and researchers track the elusive group’s activities going forward.