Multinational Attack Campaign By Iranian APT Group Targets Government Organizations

  • The email campaign targeted organizations in Turkey, Jordan, Iraq, as well as global government organizations.
  • The threat actors used a list of valid user accounts from the target domain in conjunction with a weak password list to determine potentially accessible accounts.

A new credential-stealing malware dubbed ForeLord was found targeting potential victims via spear-phishing emails. Meanwhile, the researchers have attributed the campaign to a known Iranian advanced persistent threat (APT) group.

What happened?
The phishing email scam was reportedly observed between mid-2019 and mid-January 2020. 

  • The email campaign targeted organizations in Turkey, Jordan, Iraq, as well as global government organizations and some unknown entities in Georgia and Azerbaijan.
  • The analyzed samples revealed that this campaign could be by the Cobalt Ulster threat group (also known as MuddyWater, Seedworm, TEMP.Zagros, and Static Kitten).
  • Historically, this group has been targeting government victims in the Middle East to exfiltrate data.

The malware is named ForeLord because once the malware connects to the C2 servers, it receives a string of code that says “lordlordlordlord.”

How does it work?
In this campaign, researchers observed multiple emails using malicious attachments to gain initial access. Whereas, Cobalt Ulster is known for using a government agency, university or intelligence organization-related theme as a hook. The recent campaign used a more generic style, as per researchers.

  • Victims are asked to open a ZIP archive containing a malicious Excel file.
  • Then an open request is made to enable-view the document.  
  • Once enabled, the malware disables the security controls and the malicious code runs in the victims’ systems.
  • ForeLord drops several tools used to collect critical information and credentials. 
  • It further tests those credentials on the network and creates a reverse SSL tunnel to provide an additional access channel for the hacked network.

Closing lines
Researchers added, “The threat actors used a list of valid user accounts from the target domain in conjunction with a weak password list to determine potentially accessible accounts.” “The password list could be augmented to test credentials captured from credential-dumping tools,” they added.