Cyber Web Spider Blog – News

Iranian Nation-State APT Targeting Networks and Critical Infrastructure Organizations

Posted on December 19, 2025 by CWS

Iranian state-sponsored threat actors, commonly tracked as “Prince of Persia,” have resurfaced with a sophisticated cyberespionage campaign targeting global critical infrastructure and private networks.

Active since the early 2000s, the group has recently deployed updated malware variants to infiltrate organizational systems and exfiltrate sensitive intelligence.

Its latest operations show a significant evolution in technical proficiency, using novel evasion techniques and decentralized command-and-control (C2) infrastructure to bypass modern security defenses.

The attackers primarily initiate infections through malicious Microsoft Excel files containing embedded executables, a tactical shift from their earlier reliance on macro-enabled documents. Because no macro has to run, defenses that only block or warn on VBA content will not catch this delivery route; the embedded object itself has to be inspected.

These files, typically disguised as benign administrative updates or regional news items, are engineered to evade standard antivirus detection engines.

Once a victim opens the file and activates the embedded object, the malware drops a self-extracting archive that silently installs the Foudre backdoor, establishing an initial foothold in the compromised network.
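The following is an added triage example, not code from SafeBreach or from the campaign described above. It shows the check a defender would run on a suspicious workbook given the shift from macros to embedded executables: modern .xlsx/.xlsm files are ZIP containers in which embedded OLE objects are stored under xl/embeddings/ and VBA code under xl/vbaProject.bin, so the script lists those entries and validates any "MZ" hit by following the e_lfanew pointer to a "PE\0\0" signature rather than trusting two magic bytes. The sample workbooks, the fake PE stub and all file names are constructed in memory for the demonstration; the .example-style names are placeholders.

```python
"""Triage an OOXML workbook for embedded executables and VBA macros.

Added illustration; not SafeBreach's, the malware's or any vendor's code.
.xlsx/.xlsm files are ZIP containers: OLE objects embedded in a sheet live under
xl/embeddings/ and VBA code in xl/vbaProject.bin. The sample workbooks below are
constructed in memory, with a minimal fake PE standing in for a real dropper.
"""
import io
import struct
import zipfile

EMBEDDING_PREFIX = "xl/embeddings/"
MACRO_ENTRY = "xl/vbaProject.bin"
ZIP_MAGIC = b"PK\x03\x04"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header


def find_pe_offsets(blob: bytes) -> list:
    """Offsets of PE images in blob, validated by following e_lfanew to 'PE\\0\\0'.

    Matching on 'MZ' alone is far too weak; the e_lfanew check removes almost
    all accidental hits inside arbitrary binary data.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if blob[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def triage_workbook(data: bytes) -> dict:
    """Summarise macro and embedded-object indicators for one workbook."""
    report = {"is_ooxml": False, "has_macros": False, "embeddings": [], "pe_payloads": []}
    if not data.startswith(ZIP_MAGIC):
        # Legacy .xls (OLE2) and non-Office files are out of scope here.
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["is_ooxml"] = "[Content_Types].xml" in names
        report["has_macros"] = MACRO_ENTRY in names
        for name in names:
            if name.startswith(EMBEDDING_PREFIX) and not name.endswith("/"):
                blob = zf.read(name)
                report["embeddings"].append(name)
                # Embedded packages are usually CFB containers wrapping the
                # original file; the PE can sit anywhere inside, so scan it all.
                if find_pe_offsets(blob):
                    report["pe_payloads"].append(name)
    return report


def fake_pe() -> bytes:
    """Constructed minimal PE-like blob: 'MZ' header with e_lfanew -> 'PE\\0\\0'."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 64


def build_workbook(embedded: bytes = None, macros: bool = False) -> bytes:
    """Constructed minimal OOXML container, optionally with an OLE embedding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macros:
            zf.writestr(MACRO_ENTRY, b"\x00" * 16)
        if embedded is not None:
            # CFB header followed by padding, then the wrapped payload
            zf.writestr("xl/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504 + embedded)
    return buf.getvalue()


CLEAN_WORKBOOK = build_workbook()
DROPPER_WORKBOOK = build_workbook(embedded=fake_pe())
MACRO_WORKBOOK = build_workbook(macros=True)

if __name__ == "__main__":
    for label, wb in (("clean", CLEAN_WORKBOOK), ("dropper", DROPPER_WORKBOOK), ("macro", MACRO_WORKBOOK)):
        print(label, triage_workbook(wb))
```

In practice a flagged workbook is then handed to a sandbox or to a full OLE parser; the point of the script is that an embedded PE is visible without ever opening the file in Excel, and that a workbook with no vbaProject.bin can still carry a dropper.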

SafeBreach analysts identified this renewed activity after a three-year dormant period, noting the group's transition to more resilient operational security practices.

Their research highlighted the group's use of two distinct malware families, Foudre and Tonnerre, which now feature advanced capabilities for persistence and data theft.

The investigation also linked the operation to a specific persona, “Ehsan,” suggesting centralized, human-operated management of the campaign's infrastructure.

Technical Analysis of Infection and C2 Communication

The technical sophistication of this campaign is most evident in the deployment of Foudre v34 and Tonnerre v50.

Foudre v34 employs a complex multi-stage loading process in which a loader DLL, identified as Conf8830.dll, executes a specific exported function named f8qb1355.

This function calls a disguised DLL file, d232, which masquerades as an MP4 video file to deceive both users and automated security tools.

Telegram user profile (Source: SafeBreach)

Upon successful execution, the malware establishes persistence and initiates communication with C2 servers using a generated domain name.

The Domain Generation Algorithm (DGA) logic is distinctive and is divided into two phases. The first phase calculates a CRC32 checksum over a date-formatted string such as "LOS1{}{}{}".format(date.year, date.month, weeknumber). The second phase transforms that checksum into a unique eight-character hostname. Because the seed changes only with the year, month and week number, every domain the implant can contact in a given week is fixed in advance, which lets defenders precompute and sinkhole or block the candidates before the malware resolves them.

The Tonnerre v50 variant also introduces a new redirection mechanism involving Telegram: instead of the traditional FTP channel, the malware communicates with a Telegram bot to receive commands.
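The DGA described above, written out as an added example (not SafeBreach's analysis code nor the malware's own implementation). Phase 1 follows the page exactly: a CRC32 over "LOS1{year}{month}{weeknumber}". The page does not say how the checksum becomes an eight-character hostname, which week numbering is used, or which TLD is appended, so the base-26 expansion in phase2_hostname, the ISO week and the ".example" suffix are assumptions chosen only to make the rest of the pipeline concrete. The second half goes beyond the article's text to show what a defender does with such a DGA: generate every candidate for a period and match them against DNS query logs (the log lines are constructed, not real telemetry).

```python
"""Two-phase DGA modelled on the description of Foudre v34.

Added illustration, not SafeBreach's or the malware's code.
Phase 1 follows the article: CRC32 over "LOS1{year}{month}{weeknumber}".
Phase 2 is only described as "an eight-character hostname", so the base-26
expansion below, the ISO week numbering and the .example TLD are ASSUMPTIONS.
"""
import datetime
import zlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLD = ".example"  # assumption: the article names no TLD
HOSTNAME_LEN = 8


def seed_for(iso_date: str) -> str:
    """Phase 1 input: 'LOS1' + year + month + week number (ISO week assumed)."""
    date = datetime.date.fromisoformat(iso_date)
    week = date.isocalendar()[1]
    return "LOS1{}{}{}".format(date.year, date.month, week)


def phase1_crc(seed: str) -> int:
    """Phase 1: CRC32 of the seed as an unsigned 32-bit value."""
    return zlib.crc32(seed.encode("ascii")) & 0xFFFFFFFF


def phase2_hostname(crc: int) -> str:
    """Phase 2 (assumed transform): eight lowercase letters derived from the CRC.

    Each letter is crc mod 26; the value is rotated left 5 bits between letters
    so all 32 bits contribute instead of the high bits becoming leading 'a's.
    """
    chars = []
    x = crc
    for _ in range(HOSTNAME_LEN):
        chars.append(ALPHABET[x % 26])
        x = ((x >> 5) | (x << 27)) & 0xFFFFFFFF
    return "".join(chars)


def domain_for(iso_date: str) -> str:
    """Full C2 domain the DGA would produce on a given date."""
    return phase2_hostname(phase1_crc(seed_for(iso_date))) + TLD


def domains_for_period(start_iso: str, end_iso: str) -> set:
    """Every domain the DGA yields between two dates inclusive.

    The seed only changes with year, month and week, so a month of dates
    collapses to a handful of domains that can be blocked ahead of time.
    """
    start = datetime.date.fromisoformat(start_iso)
    end = datetime.date.fromisoformat(end_iso)
    out = set()
    day = start
    while day <= end:
        out.add(domain_for(day.isoformat()))
        day += datetime.timedelta(days=1)
    return out


def flag_dga_queries(log_lines, candidates) -> list:
    """Queried names in the log (last whitespace field) that match the candidate set."""
    hits = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".").lower()
        if qname in candidates:
            hits.append(qname)
    return hits


# Constructed sample DNS log lines (not real telemetry); one query is the
# DGA domain for 2025-12-19, the others are ordinary names.
SAMPLE_DNS_LOG = [
    "2025-12-19T09:14:02Z host01 query A www.example.org.",
    "2025-12-19T09:14:07Z host01 query A " + domain_for("2025-12-19") + ".",
    "2025-12-19T09:15:11Z host02 query A updates.example.net.",
]

if __name__ == "__main__":
    december = domains_for_period("2025-12-01", "2025-12-31")
    print("candidate domains for December 2025:", sorted(december))
    print("flagged queries:", flag_dga_queries(SAMPLE_DNS_LOG, december))
```

Two details worth noticing when running it: December 2025 yields only five candidate domains (ISO weeks 49 to 52, plus the last three days, which fall in week 1 while date.year is still 2025), and any real reimplementation must reproduce the malware's own week-numbering and letter-mapping choices exactly, since a one-week or one-character discrepancy produces a completely different domain set.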

C2 servers (Source: SafeBreach)

The C2 communication relies on specific HTTP GET requests to validate victim machines. Foudre v34 sends a unique identifier to the server using the following structure:

This granular control allows the attackers to selectively upgrade or remove individual infections, keeping their operations undetected while maintaining long-term access to high-value targets.
