A
You're listening to the CyberWire Network, powered by N2K. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
B
This threat actor is very persistent. It's been active since 2007, and it's very rare for a threat actor to be fully active for 20 years with almost the same tools and arsenal. So every time I lose my visibility into their malicious activity, they are replacing and moving between different C2 servers, between different malware versions. But in general it's very difficult for them to change all of their characteristics and all of the things that they do. And once I have at least one thing which is an anchor, I regain visibility into their malicious activity. Until the next time.
A
That's Tomer Bar, VP of Security Research at SafeBreach Labs. The research we're discussing today is titled "Prince of Persia: A Decade of Iranian Nation State APT Campaign Activity under the Microscope." Well, tell us about this threat group. I mean, what are they aiming to do here?
B
Okay, so this is a nation-state group affiliated with Iran, and they are focused on surveillance and intelligence gathering from dissidents of the Islamic Republic of Iran, people who oppose Iran and whom the Iranian government sees as opposition or a risk to the regime. They try their best to get as much data on them as they can. So for example, if those people communicate through Telegram, and Telegram traffic is encrypted, they have a specific malware that targets Telegram traffic, and once they infect one of the victims, they can get access to the data itself, because on the machine, the endpoint, it's not encrypted.
A
Well, you mentioned that this group goes back decades and my understanding reading the research is that from time to time they go dormant for several years at a time.
B
Actually, I think that they attack people and try to infect victims all the time. But sometimes it's under the radar of security researchers and the cybersecurity industry. They learn a lot from previous mistakes and takedowns that they had, and every time they come back with a new and better arsenal and new and better operational security mechanisms. So it's sometimes difficult to track all of their activities. So I think that we see only a partial part of their real activity. So sometimes it seems like they are dormant, but I think that, looking back, it seems like they are 24/7 trying to achieve their goals.
A
Oh, interesting. Well, what sort of challenges do you face when you're trying to discover new activity or infrastructure that's tied to this group?
B
Okay, so as I said, they are very sophisticated, and they learned a lot from previous mistakes and improved themselves. So for example, at the beginning, in 2016, at the first discovery of Prince of Persia, or Infy, they used just three command and control servers, and the URL, the link to the C2 server, was embedded in the malware. So once a security researcher achieved access to this malware and analyzed it through reverse engineering, you could see which URLs belong to the C2 servers, and there are mechanisms to block the traffic or intercept or take down those C2 servers. So once they had a takedown like that in 2016, it took them a year, and they developed from scratch a new infrastructure in which the C2 server is not fixedly embedded in the malware samples. They use a concept called DGA. It stands for domain generation algorithm. So based on time and a formula, an algorithm, they can calculate 100 different domain names for the command and control servers, and it changes every week because of this formula. And by that, every week they have a different domain name. So it's much more difficult and sometimes even impossible to do a takedown like the one they suffered from in 2016. They also do C2 verification. So even if I as a researcher capture their new malware, analyze it and understand the algorithm, and I can forecast future domain names and I can purchase the domain name, because it's public, from a hosting company before them, and hopefully I will get all the traffic from all the victims' machines that the malware infected. But because of this C2 server verification, only if I have in my possession the private key that was used to encrypt a file stored in the C2 server, and the malware downloads it and tries to decrypt it with the embedded public key, only if this succeeds does the malware trust the command and control server. If not, it will continue to the next server from the list of 100 generated for this week.
So even when I tried to do that, the malware didn't trust me and did not communicate with me. So I didn't get the traffic, and I couldn't take down the infrastructure or the campaign.
A
We'll be right back. Cyber threats strike in minutes. Your analysis can't take weeks. That's where Velox Reverser from Booz Allen comes in. It's an autonomous malware reverse engineering and threat intelligence product that turns weeks of painstaking manual analysis into minutes of AI-powered insights. With Velox Reverser, security teams can perform deep analysis to learn how malware works and how to stop it. It's an advanced product that works at machine speed. If you need to outpace evolving adversaries and strengthen your defense at scale, request a demo or start your 30-day free trial of Velox Reverser today at BoozAllen.com/Reverser. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. Now that's interesting. I mean, it does point to the sophistication that you mentioned. The report highlights multiple malware families. Can you sort of take us through the roles that these play in the attack chain? How does the malware actually do its business?
B
Of course. So in this report we found out that there are several attack vectors. Some of them rely on phishing emails which contain innocent-looking Windows Office files. But once you click on them, there is macro code running and infecting the machine with the first-stage malware. So in the malware code there is an attempt to masquerade as a French actor, because the name is Foudre, if I pronounce it well. In French it means lightning in English. So the lightning comes first and gathers information that can classify whether this machine belongs to the targeted victim that they expected to target and whether this computer is interesting, because the victim can be interesting from their perspective. But if he doesn't use the machine and doesn't communicate with others using it, or doesn't store sensitive information, maybe it's not interesting for them. So the first tool is just used for gathering basic information about whether the user is an admin or not an admin, what the operating system is. It also installs a keystroke logger, so every keystroke typed on this machine, the Foudre tool will get. And if they decide this is a valuable victim, Foudre will download and execute from the command and control server the second stage, which is a full surveillance tool called Tonnerre. In English it means thunder. So the thunder comes after the lightning in nature and also in this attack. And this is a full surveillance tool. It includes very sophisticated capabilities like capturing and gathering or exfiltrating files, exfiltrating a screen capture every five minutes. They have a module that they can enable that will allow them to capture the microphone, so they can listen to what is spoken in the room next to a laptop, for example, that is infected. And they can also run commands of their choice in real time and get the output immediately. So this is just part of the capabilities of Tonnerre.
And we also found that during the years between 2017 and 2021 at least, there were other attack vectors leading to the chain of Foudre and Tonnerre. They used software whose installer was infected. There is software called Deep Freeze. It's legit software that allows the user, like a virtual machine, to restore the machine back to a clean image. So let's say he would like to do something that he would suspect is maybe dangerous for him. For example, an oppositionist in Iran would like to speak with someone about the situation in Iran, and he is afraid of the regime capturing his communication. So he might use this software in order to hide his tracks. So the Iranian threat actor just infected a fake installer of this program. And once the victim installed this program, besides the program, he also infected himself with the malware. And we also had other variants. I will explain about just one of them. In 2017, they developed from scratch a program masquerading as news software. The specific news outlet was Amaq News. This outlet was defined by the US as related to ISIS back at that time. And the Iranians used this news reader software because maybe their victims were interested in ISIS news. And once you used this software, you were also infected with Foudre and Tonnerre. So we believe that this is only part of the attack vectors that we were able to reveal, but probably there are many others that are unknown right now.
A
Well, the report mentions Persian language elements and some specific user handles seen in the infrastructure. You all are pretty confident in the Iranian attribution? Yes?
B
Yeah, yeah, we are 100% sure of the attribution, not just by the evidence in this research, but also by evidence in much research that we already published, or that was published by others. For example, after the 2016 takedown of their campaign, it was proved that the Iranian government made some modification in the DNS servers in Iran. And due to this change, they were able to recover access to the victims in Iran itself. They have between 30 to 50% of the victims in Iran itself. So they retained access to these victims. And the victims outside of Iran were not affected, and they did not achieve access to them anymore. They needed to attack them again in order to achieve access. But the only one who has access to this network, the DNS servers in Iran, is the Iranian government. And there are also other artifacts that are very strong that prove that it's an Iranian threat.
A
I see. Well, based on the information that you've gathered here, what are your recommendations for defenders? How should folks best protect themselves here?
B
Okay, that's a great question. So first of all, we published all of the indicators of compromise. So if it's an enterprise or organization, they can search to see if they were infected or not. Also, there are some public sites for the public audience, for individuals, where if they suspect a file, they can upload it, for example to a Google site called virustotal.com, and see if different antivirus engines detect it as the Iranian malware or not. But it all starts from awareness. So if you get a suspicious email, it can be fraud, it can be cybercrime, but it can also be the Iranian government or other threat actors, APTs, especially if you are involved in an activity that the Iranian regime might see as a risk. So don't click on links that are unknown or suspicious. Don't open attachments from unknown sources. Make sure your antivirus is installed and up to date, and you're using the latest operating system versions. This should keep you safe.
A
Our thanks to Tomer Bar from SafeBreach Labs for joining us. The research is titled "Prince of Persia: A Decade of Iranian Nation State APT Campaign Activity under the Microscope." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
A
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
Episode: "Telegram for the throne."
Date: February 21, 2026
Host: Dave Bittner (A)
Guest: Tomer Bar (B), VP of Security Research at SafeBreach Labs
Topic: "Prince of Persia – A Decade of Iranian Nation State APT Campaign Activity under the Microscope"
This episode explores over a decade of persistent cyber-espionage attributed to an Iranian nation-state group, detailed in SafeBreach Labs’ report "Prince of Persia." Tomer Bar, the report’s lead researcher, joins Dave Bittner to unpack the group’s advanced tactics, how it navigates evasion and persistence, and the dangers it poses to dissidents and opposition groups—most notably through the targeting of encrypted Telegram communications via sophisticated malware families.
Persistence & Activity:
Targeting Focus:
Multi-stage Attack Chain:
Alternate Attack Paths:
This episode delivers an in-depth look at a prominent Iranian cyber-espionage APT group’s advanced, adaptive operations over nearly two decades, pinpointing how it sidesteps detection, innovates post-takedown, and employs sophisticated multi-stage malware for intelligence gathering. Listeners gain clear insights into both the hazards for opposition groups and actionable tips for defending against similar threats.
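The weekly DGA rotation Tomer Bar describes leaves a footprint a defender can look for in resolver logs: an infected host walks through its generated candidates, and candidates nobody has registered fail with NXDOMAIN, so one client failing many distinct, random-looking lookups inside a seven-day window stands out. The following is an added illustration, not code from the episode or the SafeBreach report; the log format, the constructed .example names, the window and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (not from the report): "<ISO timestamp> <client> <qname> <rcode>".
# The .example names stand in for DGA output; they are not indicators from the research.
SAMPLE_LOG = """\
2021-03-01T08:00:01 10.0.0.5 mail.example.com NOERROR
2021-03-01T08:00:04 10.0.0.5 xk3fq9tzlw2b.example NXDOMAIN
2021-03-01T08:00:05 10.0.0.5 p0w2lmc7qhdv.example NXDOMAIN
2021-03-02T09:15:10 10.0.0.5 r4yn8gbexuz1.example NXDOMAIN
2021-03-02T09:15:11 10.0.0.5 t9jd5vhsqc6o.example NXDOMAIN
2021-03-03T11:40:02 10.0.0.5 m1zk7xwa3lre.example NXDOMAIN
2021-03-03T11:40:03 10.0.0.5 b6qu0ptf2ynj.example NXDOMAIN
2021-03-01T08:02:00 10.0.0.9 gogle.com NXDOMAIN
2021-03-02T10:00:00 10.0.0.9 facebok.com NXDOMAIN
"""

def label_entropy(label):
    # Shannon entropy in bits per character; machine-generated labels score high, typos stay low
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registrable_label(qname):
    # Assumption: the second-to-last label is the registered part (no public suffix list here)
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def parse_log(text):
    # Each constructed line: "<ISO timestamp> <client> <qname> <rcode>"
    return [(datetime.fromisoformat(t), c, q, r) for t, c, q, r in (ln.split() for ln in text.splitlines())]

def find_dga_suspects(events, window=timedelta(days=7), min_failed=5, min_entropy=2.5):
    # Returns client -> (distinct failed labels in its densest window, mean label entropy)
    failed = defaultdict(list)
    for ts, client, qname, rcode in events:
        if rcode == "NXDOMAIN":
            failed[client].append((ts, registrable_label(qname)))
    suspects = {}
    for client, fails in failed.items():
        fails.sort()
        best = set()
        for i, (start, _) in enumerate(fails):  # slide the window over this client's failures
            labels = {lbl for ts, lbl in fails[i:] if ts - start <= window}
            if len(labels) > len(best):
                best = labels
        if len(best) >= min_failed:
            mean_ent = sum(label_entropy(lbl) for lbl in best) / len(best)
            if mean_ent >= min_entropy:
                suspects[client] = (len(best), round(mean_ent, 2))
    return suspects
```

Raising `min_failed` toward the 100 candidates per week the interview mentions makes the rule stricter; the two typo lookups from the second client never meet the count threshold.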