An Iranian malware campaign attacking targets across the world is being hosted out Dutch data centers, it has been reported.
According to a report by Bitdefender in collaboration with Argos, the command and control (C2) infrastructure of two strains of malware linked to Iranian-attributed Advanced Persistent Threat (APT) actors are being hosted within the Netherlands. The server hosting one of the two strains has been found, but the second is still yet to be located.
Thunder & Lightning in the Netherlands
According to BitDefender, the Infy APT – first identified in 2016 – are utilizing a new component named Tonnerre (French for thunder) as well as a new version of previously known Foudre (French for lightning) malware, the C2 servers from which both are controlled are located in the Netherlands, according to the Romanian cybersecurity company. Checkpoint has also released a report on the malware.
“It seems to be an important portal to a very large international espionage operation,” said cyber security expert Rickey Gevers of BitDefender. “We see which people this is aimed at. We see how it is set up and that it has been running for three years. As soon as we intervene, we see that the people behind the buttons immediately wake up and take measures. Within minutes. So we know that this is also a very important operation for them.”
A C2 server for the Foudre spyware was discovered in the Netherlands late last year by BitDefender’s Gevers. The server was being hosted by American hosting company Monstermeg, which provides services out of Evoswitch’s AMS1 Amsterdam data center in Haarlem, and the malware had been present there since April 2020.
Monstermeg owner Kevin Kopp told Argos the company was not aware that this malware was on the server, despite two scanners that should detect this type of malware, but did cooperate in the investigation and gave Argos access to the information on the server and has since stopped working with the tenant previously utilizing that machine.
However, Gevers added that traffic indicates the C2 server for Tonnerre malware is very likely also located in the Netherlands, although the exact location is unclear. This server reportedly belongs to a company registered in Cyprus with a Romanian owner. Tenants pay in bitcoins so that they can remain anonymous.
Foudre is the initial phase of the attack installs a back door. The Tonnerre component contained data exfiltration capabilities which enabled attackers to take screenshots, collect files, and record audio using the system’s microphone before uploading that data to the attacker-controlled C&C.
The malware is thought to be being deployed by the Islamic Revolutionary Guard Corps (IRGC), and has been seen to be targeting members of the Arab Struggle Movement for the Liberation of Ahwaz (ASMLA), a separatist group that has claimed responsibility for several assassinations. Victims of the malware are located in Sweden, US, Netherlands, as well as others across Europe, Iraq, and India.