Palo Alto Networks researchers Tomer Bar and Simon Conant spotted an Iranian malware family, dubbed Infy, which has targeted governments, businesses, and Iranian citizens for nearly a decade.
Researchers said in a May 2 Palo Alto Networks report the malware family had been used in attacks dating back to 2007 and is being spread via spearphishing emails carrying a malicious Word or PowerPoint document.
In May 2015, researchers first identified the malware in two emails, carrying malicious documents that were sent from a compromised Israeli Gmail account to an industrial organization.
The malicious attachments contain a “multi-layer Self-Extracting Executable Archive (SFX)” that is designed to trick the user into activating the executable, researchers said.
In one example, researchers spotted a malicious PPS file that, when clicked, opened in “PowerPoint Show mode” to reveal what appears to be a paused movie. When the user attempted to play the movie they he or she is prompted to click “Run” which allows the embedded SFX file to execute.
Based on the information obtained from the malicious documents, researchers identified and collected over 40 variations of the "previously unpublished malware" that was reclassified into the newly discovered malware family.
“We believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most of its existence as targeted espionage originating from Iran,” researchers said.
Palo Alto Networks Intelligence Director Ryan Olson told SCMagazine.com via emailed comments that the malware went noticed because the malware's authors weren't very active.
“Due to the low volume of (very targeted) attacks, it didn't receive attention or scrutiny and wasn't publicly reported,” he said.
Olson said there is a newer version of the malware with features designed to capture data including the ability to compromise the victim's microphone.
He explained most users are unlikely to be targeted by the malware, but added, users should always be careful of social engineering attacks.
