A shift to Telegram
More recently, the researchers identified a new Tonnerre variant that is marketed as v50, along with an unknown new Foudre version that goes together with it. These versions use a new C2 server structure and, most importantly, can download a file from the server that enables Telegram communication via its API.
The Telegram feature is enabled only for a select number of victims, but the researchers managed to use the API to query the configured Telegram channel. It had two members, one of which was a channel bot and one a user named Ehsan written in Farsi, who could be one of the hackers in charge of controlling the malware and who was last active as of Dec. 13.
“Ehsan is a common Persian name typical for an Iranian,” the researchers said. “This attribution is pretty strong combined with the IP location of the attacker’s testing machine. We tracked the IP addresses used over several years, all of which indicated Iran as the location. While different IP location databases provided different cities, all of them were in Iran.”

