Shadow

Over the last decade, the Infy malware family has been out and about and successfully operating mostly under the radar. It was first discovered in 2015 while used in attacks on an Israeli industrial target, as well as a U.S. government target. These attacks led to the detection of a whole malware campaign and infrastructure that includes over 40 variants of malware.

 

The Infy malware family uses spear-phishing emails with Word or Powerpoint attachments as the infection vector. Hidden within these legitimate-looking documents are self-extracting executable (SFX) archives. The threat actors then use social engineering techniques to lure the victim into running the SFX, in which a malicious .exe waits to pull a payload DLL.

 

The malware waits until reboot, and then checks for antivirus software on the victim’s machine using a list of several common AV installation directories. If the AV found poses a threat to the Infy installation, the malware will either abort, or connect to the C&C, pull the malicious Infy DLL, and install it using a different technique than initially planned. The malware's main functionality is data exfiltration - collection of environment data, keylogger function, password stealer, and cookie collection - which is sent back to the C&C servers.

 

The name "Infy" comes from a pattern that researchers noticed in various strings. Examples include filenames (“infy74f1.exe"), C2 strings (“subject=INFY M 7.8”), and C2 folder names.

 

ThreatSTOP customers are protected from Infy.