Iranian APT Targets Govs With New Malware

A never-before-seen credential-stealing malware, dubbed ForeLord, has been uncovered in recent spear-phishing emails. Researchers have attributed the campaign to a known Iranian advanced persistent threat (APT) group.

The emails distributing ForeLord were uncovered as part of a campaign running between mid-2019 and mid-January 2020. The emails targeted organizations in Turkey, Jordan and Iraq, as well as global government organizations and unknown entities in Georgia and Azerbaijan, researchers said Wednesday at the RSA Conference, which takes place this week.

Citing victimology and code similarity between the macros in analyzed samples, and macros documented in open-source reporting, researchers have attributed the campaign to the Cobalt Ulster threat group (also known as MuddyWater, Seedworm, TEMP.Zagros, and Static Kitten). This APT group has historically targeted government victims in the Middle East to exfiltrate data.

“Cobalt Ulster is an active threat group whose operations are continuous. We believe this adversary is still actively working towards achieving their strategic objectives,” Allison Wikoff, senior security researcher at Secureworks, told Threatpost.

As part of the campaign, researchers observed multiple emails using malicious attachments to gain initial access. While historically Cobalt Ulster's spear-phishing emails have used a government agency, university or intelligence organization-related theme as a hook, this most recent campaign used a “more generic style,” researchers said.

“It was generic in the sense that we have observed numerous threat groups, targeted and commodity, use the tactic observed in the lures,” Wikoff told Threatpost. “Specifically, this tactic employs a generic ‘Enable Macro’ prompt to view the document contents. If the victim does this, the malicious code is executed. This tactic is not unique to Cobalt Ulster.”