Security firm suspected of discovering ten-year-old malware family

Spread the love

Palo Alto Networks has announced that it has discovered a new strain of malware believed to have been around for a decade. The malware, dubbed ‘Infy’, likely originates from Iran and is distributed via emails containing a Word or PowerPoint document.

The Word or PowerPoint documents may contain certain media files. If a victim clicks on a movie or link in the file in question, sfx or self extracting executable archives will be run with which the malware is installed. According to Palo Alto Networks, the malware primarily collects environmental data, such as passwords entered via the browser, and uses this data to access secure environments. Palo Alto Networks says more than 40 variants within the malware family have been identified so far.

For example, the malware displays an image in a PowerPoint presentation that resembles a paused video. When the user clicks on it, the embedded sfx file is executed. One of the sfx layers is encrypted with the key ‘1qaz2wsx3edc’. There is also a fake readme file in the package and in some cases there are also other pictures or videos in it.

The executable is a standard exe file and the malicious code is contained in a dll file. After installing the dll, an automatic start script is created, but it will not be active until a restart. After a reboot, the program checks whether a virus scanner is present, after which it connects to a command-and-control or C2 server.

Some of the C2 servers appear to have been operating since early 2010. The data sent to the servers is also encrypted. Using the coding techniques, the researchers were able to determine that some of the Infy samples must be as early as mid-2007. In fact, registration of one of the C2 servers, fastupdate.net, shows that the first activity is already from December 2004.

Meanwhile, the malware has been maintained, including adding support for the Microsoft Edge browser in version 30. Much of the malware samples from the past five years have ended up being picked up by virus programs, but only with a generic signature with no association. observed.

Infy ​​was discovered in May 2015 when Palo Alto Networks saw two emails containing malicious documents coming from an Israeli Gmail account. The documents were sent to an Israeli organization. One email had a ‘thanks.pps’ file, the other ‘request.docx’. It is the estimate of the security company that the malware was targeted at targets such as governments and companies.

You might also like
Exit mobile version