In February 2017, Palo Alto Networks noted a new take on the “Infy” malware. Redubbing it as “Foudre” (“lightning,” in French) based on the handle of a window used by the keylogger.
Let's back up a little.
Palo Alto Netoworks sinkholed Infy in 2016, but the attackers learned their lesson and Infy received upgrades. This new version maintains most of Infy's Delphi base. However, it added a few new features in the form of a new keylogger, where Foudre gets its name, a new crypto suite, and new de-obfuscation tools. It also is being redirected from Infy's sinkhole by the Telecommunication Company of Iran (AS12880). AS12880 first started redirecting traffic aimed at Infy's sinkhole and then added in HTTP filtering for their clients in Iran. This means, Infy stayed alive in Iran, and Foudre is right there with it.
Foudre spreads through spear phishing attacks. As with Infy, emails targeting select individuals go out as part of the campaign. These emails contain an attachment that executes when clicked. Once running, the dropper downloads a loader, malware DLL, and decoy readme file.
When first run, the loader creates an installation folder and copies itself as config.exe to that folder. The DLL determines where the folder is, but seems to be some variant on %all users%\app data\SnailDriver V<version number>. After creating the folder, the DLL is also copied to the folder and renamed to something random. The loader then adds itself to the registry to autostart on boot, and after reboot the rundll32.exe loads the DLL file, and only if the lp.ini file contains a numeric value.
It's also notable that Foudre checks for itself in memory to avoid reinfecting an already infected system. By scanning for foudre<trojan version number> and verifying that the window class is TNRRDPKE it can establish if there's been an infection.
After infection Foudre tries to steal data like Infy did. After infection Foudre checks for Internet access by trying to talk to Google. If it receives an HTTP 200 response ("success") it will attempt to upgrade itself. Regardless of whether the upgrade is successful, the malware installs its keylogger to the system and starts copying the clipboard every ten seconds. In addition, it grabs system info antivirus, browser data, and running processes. Once it gathers the data it determines the current C2 domain using a DGA.
After contacting the C2, it determines authenticity by downloading an encrypted signature file. If the cleartext of the file matches a reference file the malware carries with it, then user data sent to the server via HTTP POST requests.
Primary targets for the campaign are in Iran, as noted with the redirects, and HTTP filtering. Additional targets have included the United States and Iraq. The targets have not been financial groups, and the filtering by Iranian authorities against the C2 system suggests that this could be targeted at state officials.
To enable ThreatSTOP’s protection against Foudre data in your firewall turn on the Foudre DGA domains - Domains expert target in the ThreatSTOP portal. You Are already protected from Foudre if you have the following target enabled in your policy - Botnet DGAs Tier 1 – Domains (either standard or expert)
If you don’t have a ThreatSTOP account,