Unit 42 published a blog at the beginning of May titled “Prince of Persia,” in which we described the discovery of a decade-long campaign using a formerly unknown malware family, Infy, that targeted government and industry interests worldwide.
Subsequent to the publishing of this article, through cooperation with the parties responsible for the C2 domains, Unit 42 researchers successfully gained control of multiple C2 domains. This disabled the attacker’s access to their victims in this campaign, provided further insight into the targets currently victimized in this operation, and enabled the notification of affected parties.
In the week following the publication of the original blog, we observed no unusual changes to the C2 infrastructure. Existing domains did move to new IP addresses, as we had previously seen periodically. Some new install domains were added, adhering to naming conventions of current domains (see appendix for new IOCs).
The attackers developed a new version (31), and we observed this deployed against a single Canadian target.
The file descriptions remained essentially the same (“CLMediaLibrary Dynamic Link Library V3”). Most importantly, there was no change to the encoding key (now using offset 20, and offset 11 for second pass against URL encoding) that we had observed being used for the entire decade-long campaign, and documented in our previous blog. From this we conclude that the attackers were unaware of our initial report.
Through cooperation with the parties responsible for the C2 domains, we took control of all but one of them, transferring the A records to a server we controlled. This prevented the attackers from being able to subsequently make any further changes to the domain configurations, issue commands to victims, or capture any further data for the majority of victims. An analysis of connections after transfer suggests that the attackers may have used a third-party service to try to understand why they had suddenly lost almost all of their traffic. Figure 1 shows that tool, a geographic representation of victim-C2 traffic, with all but one at that time now communicating with our sinkhole server.
Figure 1 Graphical representation of victim traffic to C2
We have since transferred sinkhole control to Shadowserver, whom we thank for subsequent victim notification & remediation (https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork).
We were able to analyze victim C2 traffic to understand who were victims of the Infy campaign. We identified 456 malware agents installed on 326 victim systems, in 35 countries. Figure 2 shows a geographical breakdown of victim locations. We noted in our original blog the large amount of targeting of Iranian citizens in this campaign, we observed almost one-third of all victims to be Iranian. Also of note was the low overall volume of victims, compared to, for example, crimeware campaigns.
Figure 2 Geographic location of victims. Please note that New Zealand has been omitted from this map only because we observed no victim activity there.
In our original blog, we noted two distinct primary variants of the Infy malware. In addition to the original “Infy” variant, we also see the newer, more sophisticated, interactive, and fuller-featured “Infy M” variant deployed against apparently-higher-value targets. Overall, 93% of all victims were infected with Infy, and 60% with Infy “M” (Figure 3). Combined with the low total number of victims, this suggests a great deal of care given to each individual campaign target. The large number of victims with both variants may relate to their complimentary feature set, or represent an “upgrade” path on victims from the original variant infection, later adding the “M” variant as targets appeared more compelling to the attackers.
Figure 3 Breakdown of Infy vs. Infy “M” infections
For the Infy “M” variant, we note that the majority of targets are using the latest version (7.8), and that none are using the older 6.x versions at all (Figure 4). This suggests that these higher-value targets are paid much more attention, being kept up-to-date with the latest version.
In contrast, for the more basic original Infy variant, we note a full spectrum of versions installed (Figure 5), with many victims on older versions – including the original, decade-old V1 – suggesting much less concern is paid to these individual targets (note that we did observe a small number of the older 6.x versions but these do not announce their version when connecting).
Figure 4 Infy “M” Victim versions
Figure 5 Infy”Original” Victim versions
Shortly after the takedown, as well as a new Infy version (31), we also observed the registration of multiple domains using a previously-seen pattern, against known campaign IP addresses. Almost every domain in the pattern-range box4035[.]net – box4090[.]net (220.127.116.11). These were not observed in any sample C2 lists however. Bestwebstat[.]com was sinkholed by another operator.
Some victims infected with Infy versions 15-24 still used the C2 server us1s2[.]strangled[.]net, which remained in the hands of the attacker. In early June the attackers used this C2 to issue instructions to download new Infy “M” version 8.0 from us1s2[.]strangled[.]net/bdc.tmp. This was the first time we had observed an Infy variant being directly updated to Infy “M”. This used camouflage name “Macromedia v4”, changed from “v3” seen in Infy v31. They also removed the voice recording capability in this version.
uvps1[.]cotbm[.]com was used for data exfiltration, previously at 18.104.22.168, after publishing of our original blog moving to 22.214.171.124. It was also hosting malware updates at /themes/u.php.
They also added a curious C2 entry “hxxp://box” (note: defanged for publishing). It’s unclear how this should function; possibly a compromised victim intranet device, or the attackers have modified the HOSTS file on the victim computer.
After the take-down, the attackers began to add server IP addresses as well as domain names to their malware C2 list. They also slightly modified their ZIP password from “Z8(2000_2001ul” to “Z8(2000_2001uIEr3”. Their new malware version added antivirus checks for Kaspersky Labs, Avast, and Trend Micro. The malware data capture now searches for file extensions:
.doc, .docx, .xls, .xlsx, .xlr, .pps, .ppt, .pptx, .mdb, .accdb, .db, .dbf, .sql, .jpg, .jpeg, .psd, .tif, .mp4, .3gp, .txt, .rtf, .odt, .htm, .html, .pdf, .wps, .contact, .csv, .nbu, .vcf, .pst, .zip, .rar, .7z, .zipx, .pgp, .tc, .vhd, .p12, .crt.pem,.key.pfx, .asc, .cer, .p7b, .sst, .doc, .docx, .xls, .xlsx, .xlr, .pps, .ppt, .pptx.
and folder locations:
:\$recycle.bin, :\documents and settings, :\msocache, :\program files, :\program files (x86), :\programdata, :\recovery, :\system volume information:\users, :\windows, :\boot, :\inetpub, :\i386.
The malware continued to use the identical decryption key seen over the entire history of this campaign.
Mid-June, through cooperation with the parties responsible for the C2 domains and law enforcement, we were able to get the remaining C2 domains null-routed and the directly-IP-addressed server disabled. This is the end of a decade-long campaign, though we naturally expect to see this actor back in some other guise before long.
Thanks to the Malware research team – Yaron Samuel, Artiom Radune, Mashav Sapir, Netanel Rimer – for assistance in the takedown.
Appendix 1 – Exfiltration Algorithm
The malware uses a different algorithm than that used for encrypting the malware strings to encrypt the exfiltration data, including:
- Keylogger data + language.
- Malware logs – installation time, DLL path and name, log path, number of downloads, number of successful/failed connections.
- Information about the victim computer: Time zone, list of drives and types, running processes, disk info.
First the malware adds 1 to all bytes, then an encryption key is initialized based on the victim computer name (the offset in the key is calculated by sum of the computer name letters %key length). Then the key is used to encrypt the data (see decrypt function). The encrypted data is then base64 encoded.
Exfiltration data decryption python code:
FIRST_PHASE = “OQTJEqtsK0AUB9YXMwr8idozF7VWRPpnhNCHI6Dlkaubyxf5423jvcZ1LSGmge”
SECOND_PHASE = “PqOwI1eUrYtT2yR3p4E5o6WiQu7ASlDkFj8GhHaJ9sKdLfMgNzBx0ZcXvCmVnb”
str_output = “”
for letter in str_input:
str_output += chr(ord(letter)–1)
print “sub_1_for_hex func problem”
sum = 0
for letter in comp_name:
comp_name_sum = sum_comp_name(comp)
carry = divmod(comp_name_sum, 62)
index = carry –1
end_key = FIRST_PHASE[:index]
key = FIRST_PHASE[index:]
key = key + end_key
key = key + key
input = “”
for num_str in num_list:
input += num_str.decode(‘hex’)
input += ‘)’
result = “”
for i, c in enumerate(input):
i = i % 62 +1
index = FULL_KEY.index(c)–1
result += c
translated = SECOND_PHASE[(index – i +offset) % len(SECOND_PHASE)]
result += translated
found_infy_str = “show=\”———- Administration Reporting Service “
found_infy_index = line.find(found_infy_str)
if not found_infy_index==–1:
comp = r“\xd\xa—–“
comp_index = line.find(comp)
comp_name = line[comp_index+len(comp):]
comp_name = comp_name[:comp_name.find(“—–“)]
print “(((=)))” + comp_name
header = r“\xd\xa_____”
start_index = line.find(header)+len(header)
line = line[start_index:]
endindex = line.index(“_____\” value=”)
line = line[:endindex]
file1 = open(filename + “\\” + comp_name + “.txt”,‘ab’)
FULL_KEY = init_key(comp_name)
enc_final = “”
for letter in enc:
enc_final += “0” + hex(ord(letter))[2:]
enc_final += hex(ord(letter))[2:]
print “not good hex length”
enc = enc_final.upper()
enc = enc.replace(“2E”,“21”)
enc = enc.replace(“C5DC5A”,“”)
enc = enc.replace(“D03D00”,“”)
enc = enc.replace(“0B0E”,“2121”)
enc = enc.replace(“01”,“21”)
enc_len = len(enc)
enc_rev = “”
num_list = 
for i in range(0,enc_len/2):
enc_rev = enc[–2:]
if not enc_rev==“0B” and not enc_rev==“0E” and not enc_rev==“00” and not enc_rev==“D0”:
#the first part is always ok
dec_str = decrypt(num_list,0)
final = sub_1_for_hex(dec_str)
index = final.find(“OK: Sent”)
print comp_name + ” – did not found OK: Sent !!!!\n\n\n\n”
decrypt_data = comp_name + ” ++==++ “ + str(i) + “: “ + final + “\n”
final_start = final[0:500]
if final_start in UNIQUE_DATA:
print comp_name + ” already have this data”
index = final.find(“Installed Date:”)
for i in range(1,61):
dec_str = decrypt3(num_list,i)
final = sub_1_for_hex(dec_str)
##print all 62 options
index2 = final.find(“PROGRAM START:”)
index3 = final.find(“Installed Date:”)
if not index2 ==–1 or not index3 ==–1:
decrypt_data += str(i) + “: “ + final + “\n”
for root,dir,files in os.walk(PDML_PATH):
for file in files:
filename = root+ “\\” + file
for line in fileinput.input([filename]):
line = line.strip()
if not is_found:
line = line[found_infy_index:]
#get computer name (for use in init_key() later)
comp_name = extract_comp_name(line)
#get the infy encrypted data
line = extract_enc_data(line)
#base64 decode enc_data
dec_line = line.decode(‘base64’)
#append enc_data to file
Appendix 2 –IoCs
Infy version 31: f07e85143e057ee565c25db2a9f36491102d4e526ffb02c83e580712ec00eb27
Infy “M” version 8.0: 583349B7A2385A1E8DE682A43351798CA113CBBB80686193ECF9A61E6942786A
[Palo Alto Networks Research Center]