Iranian APT Targets Govs With New Malware


Malware Hunter
Aug 17, 2014
A previously unseen credential-stealing malware, dubbed ForeLord, has been uncovered in recent spear-phishing emails. Researchers have attributed the campaign to a known Iranian advanced persistent threat (APT) group.

The emails distributing ForeLord were uncovered as part of a campaign running between mid-2019 and mid-January 2020. The emails targeted organizations in Turkey, Jordan and Iraq, as well as global government organizations and unknown entities in Georgia and Azerbaijan, researchers said Wednesday at the RSA Conference, which takes place this week.

Citing victimology and code similarity between the macros in analyzed samples, and macros documented in open-source reporting, researchers have attributed the campaign to the Cobalt Ulster threat group (also known as MuddyWater, Seedworm, TEMP.Zagros, and Static Kitten). This APT group has historically targeted government victims in the Middle East to exfiltrate data.

“Cobalt Ulster is an active threat group whose operations are continuous. We believe this adversary is still actively working towards achieving their strategic objectives,” Allison Wikoff, senior security researcher at Secureworks told Threatpost.

As part of the campaign, researchers observed multiple emails using malicious attachments to gain initial access. While historically Cobalt Ulster's spear-phishing emails used a government agency, university or intelligence organization-related theme as a hook, this most recent campaign used a “more generic style,” researchers said.

“It was generic in the sense that we have observed numerous threat groups, targeted and commodity, use the tactic observed in the lures,” Wikoff told Threatpost. “Specifically, this tactic employs a generic ‘Enable Macro’ prompt to view the document contents. If the victim does this, the malicious code is executed. This tactic is not unique to Cobalt Ulster.”
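The lure described above relies on the victim enabling macros in an Office attachment. A mail-gateway or triage check that does not depend on the file extension (attackers frequently rename a .docm to .doc, which Word still opens) can instead look inside the container for a VBA project. The following is an added example written for this page, not code from Secureworks or from the ForeLord campaign; the sample documents it builds are constructed in memory and are not real lures, and the function and variable names are the author's own.

```python
import io
import zipfile

# Legacy binary Office files (.doc/.xls) are OLE2 compound files; their macro
# streams need an OLE parser (e.g. oletools' olevba), so this triage only flags
# them for deeper inspection rather than parsing them.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type that OOXML files declare for an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> dict:
    """Return a small triage verdict for the raw bytes of a mail attachment."""
    verdict = {"container": "unknown", "has_vba": False, "vba_parts": [], "reason": ""}

    if data.startswith(OLE_MAGIC):
        verdict["container"] = "ole2"
        verdict["reason"] = "legacy binary Office file; inspect macro streams with an OLE parser"
        return verdict

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict["reason"] = "not an OOXML zip container"
        return verdict

    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        verdict["container"] = "zip"
        verdict["reason"] = "zip archive but not an OOXML document"
        return verdict

    verdict["container"] = "ooxml"
    # A macro-enabled OOXML file carries the VBA project as a binary part
    # (word/vbaProject.bin, xl/vbaProject.bin, ...) and declares its content
    # type; either signal is enough to treat the file as macro-bearing.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if vba_parts or VBA_CONTENT_TYPE in content_types:
        verdict["has_vba"] = True
        verdict["vba_parts"] = vba_parts
        verdict["reason"] = "VBA project present: treat as a macro lure regardless of extension"
    else:
        verdict["reason"] = "OOXML document without a VBA project"
    return verdict


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (not a captured lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.'
            'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean.docx", build_sample_docx(False)),
                        ("lure.doc", build_sample_docx(True))):
        print(label, classify_attachment(blob))
```

In a mail pipeline this check would run on every Office attachment before delivery; a `has_vba` hit on a document that also has no business reason to carry code is the condition under which an "Enable Content" prompt becomes the attacker's execution step, so such files are better quarantined or detonated than delivered with a warning.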