The Iranian hacking group known as COBALT ULSTER or MuddyWater is behind this attack, which is believed to be a retaliatory action against the USA for the death of Iranian General Soleimani on January 2, 2020.
Since last year, this group has been observed adding new tools to its arsenal, along with new tactics, techniques and procedures, in order to target government entities and the telecommunications sector.
The researchers also identified a series of malicious campaigns that took place from mid-2019 to mid-January 2020 and targeted government organizations in Turkey, Jordan and Iraq.
What is ForeLord?
It is a remote access trojan (RAT), often distributed through a malicious Excel document containing a macro with a hidden mechanism that establishes persistence.
In the initial phase of the attack, the attackers send emails that deliver a ZIP file containing malicious Excel files.
This malicious Excel file carries a macro that installs the ForeLord RAT; at the same time, the malicious document uses cmd.exe to execute a batch script that adds a registry key, allowing the malware to remain on the system even after the victim reboots.
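The delivery chain just described (Excel macro, cmd.exe, batch script, registry autostart key) leaves a distinctive process lineage in endpoint telemetry. The following detection sketch is an added example written for this article, not code from the article or from any vendor report; the log lines are constructed in a simplified Sysmon-style key=value format, and the process names and registry paths are illustrative assumptions, not indicators taken from the ForeLord campaign.

```python
"""Detection sketch for an Office -> cmd.exe -> batch -> Run-key chain.

The SAMPLE_LOG lines below are constructed for this example (not real
telemetry from the article). Format: one process-creation event per line,
as key=value pairs; values containing spaces are double-quoted.
"""
import re
from dataclasses import dataclass

# Office applications that should almost never spawn a command interpreter
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Autostart locations commonly abused for reboot persistence
RUN_KEY_RE = re.compile(
    r"\\microsoft\\windows\\currentversion\\run(?:once)?(?:\\|\s|$)", re.IGNORECASE
)
# A batch script passed to cmd.exe (e.g. "cmd.exe /c something.bat")
BATCH_RE = re.compile(r"\.(?:bat|cmd)(?:\s|$)", re.IGNORECASE)
# key=value, where value is either "quoted with spaces" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (hypothetical paths and PIDs)
SAMPLE_LOG = [
    'id=1 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'parentimage="C:\\Windows\\explorer.exe" pid=4100 ppid=2200 '
    'commandline="EXCEL.EXE invoice.xlsm"',
    'id=2 image="C:\\Windows\\System32\\cmd.exe" '
    'parentimage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'pid=4211 ppid=4100 commandline="cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\setup.bat"',
    'id=3 image="C:\\Windows\\System32\\reg.exe" parentimage="C:\\Windows\\System32\\cmd.exe" '
    'pid=4230 ppid=4211 commandline="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
    '/v Updater /t REG_SZ /d C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe /f"',
    # Benign: a user-launched cmd.exe from explorer.exe, no Office lineage
    'id=4 image="C:\\Windows\\System32\\cmd.exe" parentimage="C:\\Windows\\explorer.exe" '
    'pid=5000 ppid=2200 commandline="cmd.exe /c dir"',
]


@dataclass
class Finding:
    event_id: str
    rule: str
    severity: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn 'k=v k2="v with spaces"' into a dict with lower-cased keys."""
    return {k.lower(): (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return findings for Office-spawned cmd.exe and Run-key additions.

    reg.exe writes are rated high only when their parent is a cmd.exe that
    was itself spawned by an Office application earlier in the stream.
    """
    findings = []
    office_cmd_pids = set()  # cmd.exe instances whose parent was an Office app
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parentimage", ""))
        cmdline = ev.get("commandline", "")
        pid, ppid = ev.get("pid", ""), ev.get("ppid", "")

        if parent in OFFICE_PARENTS and image == "cmd.exe":
            office_cmd_pids.add(pid)
            severity = "high" if BATCH_RE.search(cmdline) else "medium"
            findings.append(Finding(ev.get("id", "?"), "office-spawns-cmd", severity,
                                    f"{parent} launched cmd.exe: {cmdline}"))

        if image == "reg.exe" and " add " in f" {cmdline.lower()} " and RUN_KEY_RE.search(cmdline):
            linked = ppid in office_cmd_pids
            findings.append(Finding(ev.get("id", "?"), "run-key-add",
                                    "high" if linked else "low",
                                    ("from Office-spawned cmd.exe: " if linked else "") + cmdline))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] event {f.event_id} {f.rule}: {f.detail}")
```

Correlating by parent PID is what separates this chain from ordinary admin activity: a lone `reg add ...\Run` is noisy on its own, but one issued by a cmd.exe whose parent was Excel is worth an alert. In a real deployment the same two rules map onto Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set), so the registry write can be caught even when it is done by the batch script without a separate reg.exe process.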
Once the malware has gained access, the Iranian hackers download various tools, such as PasswordDumper.exe, PASS32.dll and Mimikatz, to collect credentials, test those credentials on the network, and create a reverse SSL tunnel that provides an additional access channel into the network.
Specifically, an open-source penetration testing tool known as CredNinja.ps1 is used in this attack to collect credentials.
Finally, they use another tool called Secure Socket Funneling, a networking tool and toolkit for forwarding stolen data from multiple sockets through a single TLS tunnel to a remote computer.