
Iranian APT Prince of Persia returns with new malware and C2 infrastructure

A shift to Telegram

More recently, the researchers identified a new Tonnerre variant that is marked as v50, as well as a previously unknown new Foudre version that goes with it. These versions use a new C2 server structure and, most significantly, can download a file from the server that enables Telegram communication through its API.
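The Telegram Bot API places the bot token in the URL path (`https://api.telegram.org/bot<token>/<method>`), which gives defenders a simple proxy-log signature for malware that talks to its operator through a Telegram channel. The following detector is an added example written for this article, not code from the researchers or from the malware; the proxy log format and the log lines are constructed here for illustration, and the bot token in them is a made-up placeholder.

```python
import re
from typing import Dict, List

# Constructed sample proxy log lines (not taken from the article).
# Assumed format: "<timestamp> <client_ip> <http_method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2023-12-13T08:01:02Z 10.1.4.22 GET https://www.example.com/index.html 200
2023-12-13T08:01:09Z 10.1.4.22 GET https://api.telegram.org/bot123456789:AAExampleTokenValue_abc-DEF/getUpdates?offset=0 200
2023-12-13T08:02:15Z 10.1.4.31 POST https://api.telegram.org/bot123456789:AAExampleTokenValue_abc-DEF/sendDocument 200
2023-12-13T08:03:40Z 10.1.4.22 GET https://telegram.org/ 200
"""

# Telegram Bot API requests embed the bot token in the path:
#   https://api.telegram.org/bot<numeric id>:<secret>/<method>
# Ordinary browsing of telegram.org does not match this pattern.
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)


def redact_token(token: str) -> str:
    """Keep only the numeric bot id so analysts can correlate hosts
    using the same bot without copying the secret part into tickets."""
    bot_id = token.split(":", 1)[0]
    return f"{bot_id}:<redacted>"


def find_telegram_bot_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per proxy log line that calls the Telegram Bot API."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        timestamp, client_ip, http_method, url, status = parts
        match = BOT_API_RE.match(url)
        if not match:
            continue
        findings.append(
            {
                "timestamp": timestamp,
                "client_ip": client_ip,
                "http_method": http_method,
                "bot": redact_token(match.group("token")),
                "api_method": match.group("method"),
                "status": status,
            }
        )
    return findings


def summarize_by_host(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the Bot API methods seen per client, e.g. getUpdates (polling
    for operator commands) and sendDocument (uploading files)."""
    by_host: Dict[str, List[str]] = {}
    for f in findings:
        by_host.setdefault(f["client_ip"], []).append(f["api_method"])
    return by_host


if __name__ == "__main__":
    hits = find_telegram_bot_beacons(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(hit)
    print(summarize_by_host(hits))
```

Bot API traffic from ordinary workstations is rare in most environments, so a hit is worth triage even though the token itself is redacted; hosts with legitimate Telegram bots (chat-ops, alerting) should be allowlisted by client IP rather than by silencing the rule.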

The Telegram feature is enabled only for a select number of victims, but the researchers managed to use the API to query the configured Telegram channel. It had two members: one was a channel bot and the other a user named Ehsan, written in Farsi, who might be one of the hackers in charge of controlling the malware and who was last active as of Dec. 13.

“Ehsan is a common Persian name typical for an Iranian,” the researchers said. “This attribution is pretty strong together with the IP location of the attacker’s testing machine. We tracked the IP addresses used over several years, all of which indicated Iran as the location. While different IP location databases provided different cities, all of them were in Iran.”
