Infy is an information-stealing trojan that remained hidden from 2007 until its discovery by Palo Alto Networks (PAN) in May 2015. This trojan targeted users within a very limited scope, which helped it remain undetected for so long. It was discovered when PAN identified two emails containing malicious documents from a compromised Israeli Gmail account sent to an Israeli industrial organization. The emails contain a malicious Microsoft Word or PowerPoint document designed to infect targets with Infy. This attached document includes a Self-Extracting Executable Archive (SFX) masquerading as content intended to persuade the target into launching the embedded executable. The executable then installs a DLL file, writes to the Autorun registry key, and only activates after a system reboot. Once activated, it checks for antivirus software and then establishes a connection with its C2 server. It then collects data on the targeted device - initiating a keylogger, stealing browser passwords and other content - and sends the data back to the attackers via the C2 server. PAN analysis concluded that Iranian actors were using the Infy trojan for espionage purposes, targeting governments and businesses, as well as its own citizens. About a month after publishing their analysis on Infy, PAN managed to take control of the threat actor's C2 server in the summer of 2016.

Subsequently, in February 2017, PAN identified "Foudre," the successor to Infy. It still contains information-stealing capabilities as it logs keystrokes and captures clipboard content. It also identifies and collects various types of system information including processes, antivirus software that is present on the system, cookies, and additional browser data. Foudre determines the domain name of its C2 by using a Domain Generation Algorithm (DGA) and then validates that the C2 is authentic using an RSA signature. This is done to prevent the loss of the C2 server to analysts, law enforcement, and other adversaries. The attack vector for this threat remains the same as that of Infy: a spear-phishing email with a self-executable attachment that installs an executable loader, a DLL file, and a decoy readme file. Iranian users were the primary targets of this campaign, with Americans and Iraqis as the second and third-most targeted users, respectively.

Technical Details

  • Palo Alto Networks provides analysis of Infy, here, and Foudre, here.