
A shift to Telegram
More recently, the researchers identified a new Tonnerre variant advertised as v50, along with a previously unknown Foudre version that accompanies it. These versions use a new C2 server structure and, most importantly, can download a file from the server that enables Telegram communication via the Telegram API.
The Telegram feature is enabled only for a select number of victims, but the researchers managed to use the API to query the configured Telegram channel. It had two members: one was a channel bot, and the other was a user whose name, Ehsan, was written in Farsi. That user could be one of the hackers in charge of controlling the malware and was last active as of Dec. 13.
“Ehsan is a common Persian name typical for an Iranian,” the researchers said. “This attribution is pretty strong in combination with the IP location of the attacker’s testing machine. We tracked the IP addresses used over several years, all of which indicated Iran as the location. While different IP location databases provided different cities, all of them were in Iran.”
