Business as Usual For Iranian Operations Despite Increased Tensions (Feb 26, 2020)
Spearphishing campaigns targeting governmental, intergovernmental, and unknown entities located in Middle Eastern countries were found taking place from mid-2019 to mid-January 2020, according to SecureWorks Counter Threat Unit researchers. This activity is attributed to the Iran-sponsored Advanced Persistent Threat (APT) group “MuddyWater” (Cobalt Ulster). The spearphishing emails carried zip archives containing a Microsoft Excel file (.xls), titled so as to appear relevant to the target, which asked the recipient to enable content. Enabling content launches an embedded VBScript macro that begins the infection process for a previously unknown Remote Access Trojan (RAT) called “ForeLord.” The RAT was then used to download other tools to steal credentials, test those credentials on the target network, and subsequently create a reverse SSL tunnel for additional access.
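The delivery chain described above (zip attachment, Excel document, embedded macro) is one that mail-gateway or sandbox triage can flag before a user is ever asked to "enable content." The following is an added example, not code from SecureWorks or from the report: it unpacks a zip attachment in memory and applies a simple heuristic for macro-bearing Office documents, checking legacy OLE2 files (.xls, .doc) for a `_VBA_PROJECT` directory entry and OOXML files (.xlsm, .docm) for a `xl/vbaProject.bin` or `word/vbaProject.bin` part. The archive it inspects is constructed inline for the demonstration; the member names and contents are made up and not indicators from this story.

```python
import io
import zipfile

# OLE2 compound-file magic that legacy Office formats (.xls, .doc, .ppt) start with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory-entry names are stored as UTF-16LE; a VBA project always carries this stream.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# OOXML documents are zip containers; the macro project lives in one of these parts.
OOXML_VBA_PARTS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
OFFICE_EXTENSIONS = (".xls", ".xlsm", ".xlt", ".doc", ".docm", ".ppt", ".pptm")


def looks_like_macro_document(data: bytes) -> bool:
    """Heuristic macro check covering both legacy OLE2 and OOXML containers.

    Legacy (.xls/.doc): OLE2 header plus a '_VBA_PROJECT' directory entry.
    OOXML (.xlsm/.docm): a zip container holding a vbaProject.bin part.
    """
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM_MARKER in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                return any(name in OOXML_VBA_PARTS for name in inner.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Return one finding per archive member: is it an Office doc, does it carry macros."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            is_office = info.filename.lower().endswith(OFFICE_EXTENSIONS)
            has_macro = is_office and looks_like_macro_document(zf.read(info))
            findings.append({"member": info.filename, "office_doc": is_office, "macro": has_macro})
    return findings


def should_quarantine(findings: list) -> bool:
    """Policy hook: any macro-bearing Office document inside a zip attachment is held for review."""
    return any(f["macro"] for f in findings)


def build_sample_zip() -> bytes:
    """Constructed test archive (not real samples): two fake .xls files, one fake .xlsm, one text file."""
    # Fake macro-enabled .xls: OLE2 header, filler, then a '_VBA_PROJECT' directory entry name.
    macro_xls = OLE_MAGIC + b"\x00" * 512 + "Workbook".encode("utf-16-le") + VBA_STREAM_MARKER
    # Fake clean .xls: OLE2 header with only a 'Workbook' stream name.
    clean_xls = OLE_MAGIC + b"\x00" * 512 + "Workbook".encode("utf-16-le")
    # Fake .xlsm: a zip container with a vbaProject.bin part.
    xlsm_buf = io.BytesIO()
    with zipfile.ZipFile(xlsm_buf, "w") as xlsm:
        xlsm.writestr("[Content_Types].xml", "<Types/>")
        xlsm.writestr("xl/vbaProject.bin", b"\x00" * 16)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Invoice_2020.xls", macro_xls)
        zf.writestr("benign.xls", clean_xls)
        zf.writestr("report.xlsm", xlsm_buf.getvalue())
        zf.writestr("readme.txt", "nothing to see here")
    return outer.getvalue()


if __name__ == "__main__":
    results = triage_zip_attachment(build_sample_zip())
    for finding in results:
        print(finding)
    print("quarantine:", should_quarantine(results))
```

The string scan for `_VBA_PROJECT` is deliberately crude: it does not parse the OLE directory, so a document that merely mentions that name in cell text would also be flagged. For production triage, a proper OLE parser (for example the oletools project) should replace the heuristic; the point here is that the "enable content" lure in the report is detectable from the attachment structure alone.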
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to defend against APTs, with attention to both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.