
Telegram for the throne.
Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Tomer Bar: This threat is always very persistent. It's been active since 2007, and it's very rare for a threat actor to be active for almost 20 years with nearly the same tools and arsenal. So every time I lose my visibility into their malicious activity, they are replacing and moving between different C2 servers, between different malware versions. But in general it's very difficult for them to change all of their characteristics and all of the things that they do, and once I have at least one thing which is an anchor, I regain visibility into their malicious activity until the next time.
Dave Bittner: That's Tomer Bar, VP of security research at SafeBreach Labs. The research we're discussing today is titled "Prince of Persia: A Decade of Iranian Nation State APT Campaign Activity Under the Microscope." [ Music ] Well, tell us about this threat group. I mean, what are they aiming to do here?
Tomer Bar: Okay. So this is a nation state group, an affiliated group, affiliated to Iran. And they are focused on surveillance and intelligence gathering on dissidents of the Islamic Republic of Iran: people who are opposed to Iran and whom the Iranian government sees as opposition or a risk to the regime. They try their best to get as much data on them as possible. So, for example, if those people communicate through Telegram, and Telegram traffic is encrypted, they have a specific malware that targets Telegram traffic. Once they infect one of the victims, they can get access to the data itself, because on the machine, the endpoint, it's not encrypted.
Dave Bittner: Well, you mentioned that this group goes back decades, and my understanding reading the research is that from time to time they go dormant again for several years at a time.
Tomer Bar: Actually, I think that they are constantly attacking people and trying to infect victims all the time, but sometimes it's under the radar of security researchers and the cybersecurity industry. They learn a lot from previous mistakes and takedowns that they had, and every time they come back with a new and better arsenal and a new and better operational security mechanism. So it's sometimes difficult to track all of their activities. So I think that we see only a partial part of their real activity. So sometimes it seems like they are dormant, but I think that, looking back, it seems like they are 24/7 trying to achieve their goals.
Dave Bittner: Oh. Interesting. Well, what sort of challenges do you face when you're trying to discover new activity or infrastructure that's tied to this group?
Tomer Bar: Okay. So, as I said, they are very sophisticated and they learned a lot from previous mistakes. And they improve themselves. So, for example, at the beginning, in 2016, when the first discovery of Prince of Persia was [inaudible 00:04:51], they used just three command and control servers, and the URL, the link to the C2 server, was embedded in the malware. So once a security researcher got access to this malware and analyzed it through reverse engineering, they could see which URLs belong to the C2 server. And there are some mechanisms to block the traffic or even intercept or take down those C2 servers. So once they had a takedown like that in 2016, it took them a year, and they developed from scratch a new infrastructure in which the C2 server is no longer hard-coded in the malware. They use a concept called DGA. It stands for domain generation algorithm. So based on time and a formula or algorithm, they can calculate 100 different domain names for the command and control servers, and it changes every week because of this formula. And by that, every week they have a different domain name. So it's much more difficult, and sometimes even impossible, to do a takedown like the one they suffered in 2016. They also do C2 verification. So even if I, as a researcher, captured their new malware, analyzed it, and understood the algorithm, and I can predict future domain names and I can purchase the domain name, because it's public, from a hosting company before them, and hopefully I will get all the traffic from all the victims' machines that the malware infected, because of this C2 server verification, only if I have in my possession the private key that is used to encrypt a file stored on the C2 server, which the malware downloads and tries to decrypt with an embedded public key, only if this succeeds does the malware trust the command and control server. If not, it will continue to the next server from the list of 100 generated for this week.
So even when I tried to do that, the malware didn't trust me and did not communicate with me. So I didn't get the traffic and I couldn't take down the infrastructure or the campaign. [ Music ]
Dave Bittner: We'll be right back. [ Music ] No, that's interesting. I mean, it does point to the sophistication that you mentioned. The report highlights multiple malware families. Can you sort of take us through the roles that these play in the attack chain? How does the malware actually do its business?
Tomer Bar: Of course. So in this report we found out that there are several attack vectors. Some of them rely on a phishing email which contains an innocent-looking Office file, a Windows Office file. But once you click on it, there is macro code running and infecting the machine with the first-stage malware. So in the malware code there is an attempt to masquerade as a French actor, because the name [inaudible 00:09:05], if I pronounce it well in French, means lightning in English. So the lightning hits first. And it gathers information that can classify whether this machine belongs to the targeted victim that they expected to target and whether this computer is interesting, because the victim can be interesting from their perspective, but if he doesn't use the machine, doesn't communicate with others using it, or doesn't store sensitive information on it, maybe it's not interesting for them. So the first tool just gathers basic information about whether the user is an admin or not an admin, what the operating system is. It also installs a keystroke logger. So every keystroke entered on this machine, they get. And if they decide this is a valuable victim, Foudre will download and execute from the command and control server the second stage, which is a full surveillance tool called Tonnerre. And Tonnerre in English means thunder. So the thunder comes after the lightning, in nature and also in this attack. And this is a full surveillance tool. It includes very sophisticated capabilities like capturing, gathering, or exfiltrating files, exfiltrating a screen capture every five minutes. They have a module that they can enable that will allow them to capture the microphone, so they can listen to what is being spoken in the room next to a laptop, for example, that is infected. And they can also run commands of their choice in real time and get the output immediately.
So this is just part of the capabilities of Tonnerre. And we also found that during the years between 2017 and 2021, at least, there were other attack vectors leading to the chain of Foudre and Tonnerre. They used software that they had infected. There is a software called Deep Freeze. It's a legitimate software that allows the user, like a virtual machine, to restore the machine back to a clean image. So let's say you would like to do something that you suspect might be dangerous. For example, an oppositionist in Iran would like to speak with someone about the situation in Iran, and he is afraid of the regime capturing this communication. So he might use this software in order to hide his tracks. So the Iranian threat actor just infected a fake installer of this program, and once the victim installed this program, besides the program they also infected themselves with the malware. And we also have other variants; I will explain just one of them. In 2017 they developed from scratch a program masquerading as a news software for a specific news outlet. It was Amaq News. This outlet was defined by the U.S. as related to ISIS at that time. And the Iranians used this news-finder software because maybe their victims were interested in ISIS news. And once you used this software, you would also be infected with Foudre and Tonnerre. So we believe that this is only part of the attack vectors that we were able to reveal, but probably there are many others that are unknown right now.
Dave Bittner: Well, the report mentions Persian language elements and some specific user handles seen in the infrastructure. You all are pretty confident in the Iranian attribution. Yes?
Tomer Bar: Yeah. Yeah. We are 100% sure of the attribution, not just by the evidence in this research, but also by evidence in many research pieces that we already published or that were published by others. For example, after the 2016 takedown of their campaign, it was proved that the Iranian government made some modification in the DNS servers in Iran, and due to this change they were able to recover access to the victims in Iran itself. We have between 30 to 50% of the victims in Iran itself. So they retained access to these victims, and the victims outside of Iran were not affected, and they did not have access to them anymore. They needed to attack them again in order to regain access. But the only ones who have access to the DNS servers in Iran are the Iranian government, and there are also other artifacts that are very strong that prove that it's an Iranian threat actor.
Dave Bittner: I see. Well, based on the information that you've gathered here, what are your recommendations for defenders? How should folks best protect themselves here?
Tomer Bar: Okay. That's a great question. So first of all, we published all of the indicators of compromise, so if it's an enterprise or an organization, they can search to see if they were infected or not. Also, there are some public sites for the public audience, for individuals, where, if they suspect a file, they can upload it, for example, to a Google site called virustotal.com and see if different antivirus engines detect it as Iranian malware or not. But it all starts with awareness. So if you get a suspicious email, it can be fraud, it can be cyber crime, but it can also be the Iranian government or other threat actors, APTs, especially if you're involved in an activity that the Iranian regime might see as a risk. So don't click on links that are unknown or suspicious. Don't open attachments from unknown sources. Make sure your antivirus is installed and up to date and you're using the latest operating system versions. This should keep you safe. [ Music ]
Dave Bittner: Our thanks to Tomer Bar from SafeBreach Labs for joining us. The research is titled "Prince of Persia: A Decade of Iranian Nation State APT Campaign Activity Under the Microscope." We'll have a link in the show notes. And that's "Research Saturday," brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
