Cobalt Ulster Strikes Again With New ForeLord Malware


Threatpost talks to Alex Tilley, senior security researcher with Dell SecureWorks’ Counter Threat Unit Research Team, about a recently discovered campaign linked to an Iranian APT.

A new credential-stealing malware, dubbed ForeLord, has been uncovered in a recent spear-phishing campaign. Researchers tie the attack to a known advanced persistent threat (APT) group known as Cobalt Ulster.

The emails distributing ForeLord were uncovered as part of a campaign running between mid-2019 and mid-January 2020. The emails targeted organizations in Turkey, Jordan and Iraq, as well as global government organizations and unknown entities in Georgia and Azerbaijan, researchers said last week at the RSA Conference.

Alex Tilley, senior security researcher with Dell Secureworks’ Counter Threat Unit Research Team, discussed the recent campaign with Threatpost at RSA.

See below for a lightly edited transcript of the video.

Lindsey O’Donnell-Welch: Hi, everyone. I’m Lindsey O’Donnell-Welch with Threatpost and I’m here at RSA Conference 2020 in San Francisco, joined by Alex Tilley with Secureworks. Alex, thanks so much for joining me.

Alex Tilley: Thank you very much for having me.

LO: Yeah. How’s your RSA conference going?

AT: It’s been great. I’m just getting off my jet lag.

LO: Feel you there, definitely. It’s a little crazy. So I wanted to talk about cybercrime in general, but maybe just to start, Secureworks on Wednesday released a really interesting report about a threat group, an Iranian threat group, called Cobalt Ulster, which is also known as MuddyWater and has a couple of other names. And recently, you had been tracking this threat group and they had been targeting a couple of different government agencies across a couple different countries, and they were discovered to be distributing a new type of malware called ForeLord. So can you talk a little bit about the campaign from kind of a high-profile standpoint and what you found there?

AT: Definitely, it was a relatively straightforward sort of spear phishing campaign using malicious Excel spreadsheet documents, that sort of stuff, with macros attached to them. So you had to obviously enable the macros and let them execute, which is a security control that we have, but sort of everyone just gets around it by just saying “enable” and allowing it to do anything. But the interesting part about the malware is that some of its command and control was done via DNS text fields. And that was really interesting – it’s not unique, but it’s not common either, if that makes any sense. So it’s able to sort of tunnel, it’s trying to control via the DNS system, which will get around a lot of IDS’s [intrusion detection systems] and things that aren’t looking for it because traditionally, things aren’t looking at that information as being malicious. So it’s just a way of getting around any sort of detection controls or many detection controls.

LO: Is that something with this particular group you’re finding, are they constantly evolving to try to adapt to these new techniques and evade detection?

AT: Yeah, they definitely learn from previous mistakes, if that makes any sense, where maybe the comms are blocked or detected via standard means and they’re adapting and overcoming those blocks to sort of still get the signal out and still get the command and control and adapting to any problems they’ve faced.

LO: Right. So how does Cobalt Ulster compare to some of the other kind of APT and threat groups that you’re seeing from kind of the Iran standpoint, if that makes sense?

AT: Yeah, yeah. They’re using very similar techniques and tactics as other threat groups that you could describe to that region. But that is sort of showing that they have creativity in tooling. So I would say that targeting is still very state driven, if you will, it’s not going after just random people, it’s definitely sort of specifically targeted. But it shows that creativity.

LO: You guys had mentioned, what happened earlier in January with the US, you know, targeting the Iranian military official and kind of the backlash that that had caused. And essentially, what you had mentioned is that there’s still like, it’s going to take a little bit of time for any sort of cyber criminal activity to kind of crop out of that. I mean, is that correct?

AT: Yeah. So the phrase is sort of “at a time and place of their choosing,” if you will, so I think any sort of retaliation that comes, they will pick the time, place and the method in which they’ll have the retaliation for that killing. So this sort of activity could be part of the building up of the positioning for that, it could be some other random activity. But history shows that when they are provoked, as it were, there is a retaliation at some point down the line, and that could be, you know, seven weeks or seven months or seven years.

LO: Well, I do remember right after in January, there was some sort of like a very small US government website was defaced, but that ended up being like, essentially script kiddies. Yeah. So you know, I think there’s a lot of high alert, but not necessarily –

AT: Yeah. And I think a little patriotism as well.

LO: Right. That’s actually a good point. I wanted to ask too about kind of cybercrime as a whole, and some of the overarching trends you’re seeing there. And, you know, when we were just talking, you mentioned, ransomware is a big trend that we’re seeing right now. Is there anything from the cybercriminal perspective that really sticks out to you as a trend in 2020?

AT: Yeah, I think impact is the key word there. When they are hitting you, be it through fraud or a scam or ransomware or whatever, the impact of that event is massive these days because the crooks… have that sophistication, they got that creativity in their attacks. And what we’re seeing, like the reason I mentioned ransomware was because what we’re seeing now is when companies do get attacked via ransomware, it’s big. And the ransoms are large, very large, and the damage is massive. So I think historically, we’ve sort of maybe seen ransomware as more of an annoyance, as it were, and like, yeah, that’s just a background threat on a couple of workstations or whatever. Now, it shows the crooks are doing real homework on their targets. They’re trying to figure out, okay, who are these businesses? What do they do? Which of the businesses are going to be most impacted by being offline? And how much will they likely be able to pay? That’s why you see a lot of hospitals and health systems getting hit, because obviously they have to be up and working. So obviously the criminals are definitely picking their targets based on likelihood of payment and how much, and it’s brutal. But that’s sort of where we’re at these days, rather than being sort of spray and pray.

LO: Yeah, no, that’s a great point about the hospitals, and I know too earlier in 2019, there was the whole Texas ransomware school system attack and kind of how that was being viewed as like a coordinated attack. And that really kind of elevated how ransomware was targeting different systems too, so I thought, you know, that’s kind of interesting. And then also, we’re seeing a lot of ransomware attacks against industrial systems like Norsk Hydro and some of the other ones. So really targeting that downtime of operations, which is big for industrial and hospitals too, as you said.

AT: Yeah, and it’s a real case of – I’ve been doing crime for a long time through police and banks, that sort of stuff. And we’re seeing a real emergence of cybercriminals showing that… they want to make you hurt as much as possible. And I think we’ve always sort of ascribed cybercrime as white collar, just nerds playing around. But I think what we’re seeing now this emergence of “No, no, I’m gonna hurt you, and you’re gonna pay me money,” which is what crime has always been, but we’ve always had this nice gentleman’s sort of divide, but I think they’re showing their true colors now.

LO: Right. And you mentioned it’s not just ransomware, it’s like spam and phishing attacks. And I think I wrote a few weeks ago about a phishing website that they found where you put in your credentials, and it’s kind of a standard run-of-the-mill phish, and then they ask for your photo ID and then your credit card information and then a picture of your passport. So it really shows a lot of cybercriminals are trying to get as much as they can out of victims and, like you said, really do that damage.

AT: Yeah, and we’re seeing the same thing with things like BEC, business email compromise, where they’re altering invoices out of companies and really hurting companies. We’re not just talking about “Okay, I’m going to do a single fraud event against a retail banking account for $5,000.” But rather, “I’m gonna cripple this business, and I’m going to take everything I possibly can from them, because I’m a criminal.”

LO: Well Alex, thank you so much for coming on and chatting with us. I hope you have a great rest of your show.

AT: Thank you very much.
