Infy Malware – Almost 10 years of Espionage; One Family of Malware

May 19, 2016  |  Patrick Bedwell

Background

As we all know, nothing on the internet ever goes away. Ever. Exhibit A: Infy malware, identified by our friends at Palo Alto Networks’ threat research center as having been around since 2007 or earlier. PAN’s team has documented 40+ variants of a previously unpublished malware family, which it christened ‘Infy’.

Malware, which is a broadly used term for software written specifically to ruin your day, is an unwelcome aspect of the internet bathwater we all share. In the case of Infy, the threat arrives as an email attachment: an MS Word or PowerPoint file that carries a Self-Extracting Executable Archive (SFX). Infy appears to be purpose-built for espionage against specific government organizations and individuals, rather than being part of a broad, indiscriminate campaign.

Infy tricks users into running the SFX by posing as a legitimate attachment. Once installed, Infy phones home to its command-and-control (C2) server and then starts harvesting data, including running a keylogger that captures everything the victim types (login credentials included) and exfiltrating it.

Impact on you

Malware like Infy can stay undetected for years because of its narrow purpose and small set of targets: fewer infections mean less exposure to threat detection technologies and to researchers. Malware that includes a keylogger can lead to the compromise of any system or application protected by static credentials, because a captured password lets the attacker log in as a legitimate user, wherever the data resides. And as users change their credentials or are granted access to new applications and systems, the keylogger keeps collecting and exfiltrating the new ones.

How AlienVault Helps

The AlienVault Labs threat research team performs the threat research that most IT teams simply don’t have the expertise, time, budget, or tools to do themselves. AlienVault Labs Threat Intelligence drives the USM platform’s threat detection and prioritization capabilities by identifying the latest threats and researching how to detect and respond to them. And, the integration between our Open Threat Exchange (OTX) and your USM deployment means that you get alerted whenever indicators of compromise (IOCs) being discussed in OTX are present in your network.

The result is that USM customers are up to date on the latest threat vectors, attacker techniques and defenses. AlienVault Labs regularly updates the USM platform rule sets, eliminating the need for you to spend precious time conducting your own research on emerging threats, or triaging the alarms raised by your security tools.

New Detection Technique - Infy

Infy is a trojan spread via a spear-phishing email carrying a Word or PowerPoint document. The attached document contains a multi-layer Self-Extracting Executable Archive (SFX), along with content that attempts to socially engineer the recipient into running the executable.
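The delivery vector described above (and in the Background section) is an Office document that carries an executable archive. A first-pass check a mail-gateway or triage script can make is to look for an embedded Windows executable inside the attachment: a PE image starts with an MS-DOS 'MZ' header whose e_lfanew field (offset 0x3C) points at the 'PE\0\0' signature, and checking that pointer filters out the random 'MZ' byte pairs that occur in any binary file. The script below is an added example, not AlienVault's detection logic or anything from the Palo Alto Networks research; the OOXML-versus-legacy handling, the function names and the sample document are assumptions, and the "executable" it embeds is a constructed header stub, not a real program.

```python
import io
import struct
import zipfile
from typing import List, Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def find_embedded_pe(data: bytes) -> List[int]:
    """Return the offset of every plausible PE image embedded in `data`.

    Heuristic: an 'MZ' header whose 32-bit e_lfanew field (at offset 0x3C)
    points, within a sane distance, at the 'PE\\0\\0' signature.
    """
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig_off:sig_off + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def scan_attachment(blob: bytes) -> List[Tuple[str, int]]:
    """Scan an attachment for embedded PE images.

    OOXML documents (.docx/.pptx) are zip containers, so each member is
    inspected on its own (embedded objects live under word/embeddings/ or
    ppt/embeddings/). Anything else (legacy OLE .doc/.ppt, a bare SFX) is
    scanned as one blob. Returns (member name, offset) pairs.
    """
    findings = []
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                for off in find_embedded_pe(zf.read(name)):
                    findings.append((name, off))
    else:
        for off in find_embedded_pe(blob):
            findings.append(("<file>", off))
    return findings


def build_fake_pe(payload_len: int = 64) -> bytes:
    """Constructed stand-in for an executable: a minimal MZ header whose
    e_lfanew points at a PE signature. Not a runnable program (assumption
    for the demo; a real SFX would carry a full PE plus an archive)."""
    hdr = bytearray(0x80)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature
    return bytes(hdr) + PE_SIG + b"\0" * payload_len


def build_sample_docx(embed: bytes) -> bytes:
    """Constructed .docx-shaped zip with the fake PE inside an OLE embedding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # OLE compound-file magic plus padding, then the embedded executable.
        ole_blob = b"\xd0\xcf\x11\xe0" + b"\0" * 60 + embed
        zf.writestr("word/embeddings/oleObject1.bin", ole_blob)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(build_fake_pe())
    for member, offset in scan_attachment(sample):
        print(f"embedded PE in {member} at offset {offset}")
```

This catches an executable stored in the clear; it does not unpack the SFX layers themselves, and a payload that is compressed or otherwise encoded inside the archive will not match the header check. Treat a hit as a reason to quarantine and detonate the attachment, and treat a miss as inconclusive.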

We have added new IDS signatures and correlation rules to detect this activity:

  • System Compromise, Trojan infection, Infy

These updates are included in the latest AlienVault Threat Intelligence update available now for USM users. Visit the AlienVault Forums to keep up to date on the latest threat intelligence updates, product news, and engage with your fellow Aliens!

You can explore additional information related to this threat in the OTX, along with details on other trojans or spearphishing threats.
