
ForeLord

Posted: February 27, 2020

ForeLord is a backdoor Trojan that includes credential-collecting features in the manner of spyware. Its deployment pattern points to attacks on business and government networks, with harvested login details used to compromise additional machines on the same network. Users should watch for possible e-mail-based attacks and use anti-malware products to remove ForeLord as soon as possible.


Four Wicked Lords Cramming Themselves into One E-mail

Iran-based threat actors bear responsibility for a slew of different Trojan campaigns. Whether it's the saboteur-like Dustman and ZeroCleare, the xHunt campaign, or the latest ForeLord, espionage is usually included somewhere along the way. ForeLord, a backdoor Trojan, also comes with a few 'extra' features that show the overlap between login-bypassing attacks and backdoor ones, just like APT39's ANTAK. Unlike the ANTAK RAT, however, ForeLord cracks login restrictions instead of working around them.

ForeLord – whose name comes from the 'lordlordlordlord' string that it receives after contacting its C&C server – is a Windows threat circulating with the assistance of corrupted e-mail attachments. The threat actor uses less-targeted lure content than usual to convince workers to open the attached files, and the files also require the user to enable macros before the Trojan's installation routine begins. After that, ForeLord proceeds with its opening salvo of attacks.

ForeLord includes several components that harvest credentials such as passwords, which the threat actors use for traversing the rest of the network and infecting additional computers. A notable aspect of ForeLord is its use of the third-party CredNinja.Ps1 tool to test whether the collected credentials are valid. The expected use of CredNinja.Ps1 is to test misappropriated usernames and passwords against hosts that require a login; attackers can also supply additional information to improve the username and password combinations that are tried.
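The credential-validation stage described above leaves two footprints a defender can hunt for: PowerShell script-block log entries that reference CredNinja.ps1, and bursts of failed logons from one source against many accounts. The following PowerShell is an added example written for this page, not code from the article or from any tool it names. It assumes Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) and logon-failure auditing (Security Event ID 4625) are enabled; the thresholds, the function names and the demo records at the bottom are all constructed for the example.

```powershell
# Added example (not from the original article): hunt for credential-testing
# activity on Windows endpoints using two signals:
#  1. script-block log entries (Event ID 4104) that reference CredNinja.ps1;
#  2. bursts of failed logons (Security Event ID 4625) from one source against
#     many accounts, the footprint of validating a harvested credential list.
# Both functions accept pre-collected records so they can run offline; the demo
# records at the bottom are constructed, not real telemetry.

function Find-CredNinjaScriptBlocks {
    param([object[]]$Events, [int]$Hours = 24)
    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4104
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue
    }
    foreach ($e in $Events) {
        if ($e.Message -match '(?i)credninja') {
            $snippet = ($e.Message -replace '\s+', ' ')
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Computer = $e.MachineName
                Signal   = 'CredNinja reference in script block'
                Snippet  = $snippet.Substring(0, [Math]::Min(100, $snippet.Length))
            }
        }
    }
}

function ConvertFrom-LogonFailure {
    # Normalise raw 4625 events to the fields the burst detector needs.
    # Property indices follow the 4625 field order (5 = TargetUserName, 19 = IpAddress).
    param([Parameter(ValueFromPipeline)] [object]$Event)
    process {
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            TargetUser = $Event.Properties[5].Value
            Source     = $Event.Properties[19].Value
        }
    }
}

function Find-LogonTestingBursts {
    # $Records: objects with Time, TargetUser and Source (see ConvertFrom-LogonFailure).
    # Thresholds are illustrative; tune them to the environment's baseline.
    param([object[]]$Records, [int]$Hours = 24, [int]$MinFailures = 20, [int]$MinAccounts = 5)
    if (-not $Records) {
        $Records = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue | ConvertFrom-LogonFailure
    }
    $Records | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group | Select-Object -ExpandProperty TargetUser -Unique)
        if ($_.Count -ge $MinFailures -and $accounts.Count -ge $MinAccounts) {
            [pscustomobject]@{
                Source    = $_.Name
                Failures  = $_.Count
                Accounts  = $accounts.Count
                FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
                Signal    = 'Many failed logons across many accounts from one source'
            }
        }
    }
}

# --- Constructed demo data (not real telemetry) ---
$now = Get-Date
$demoScriptBlocks = @(
    [pscustomobject]@{ TimeCreated = $now; MachineName = 'WS01'; Message = 'Creating Scriptblock text (1 of 1): Get-Process' }
    [pscustomobject]@{ TimeCreated = $now; MachineName = 'WS02'; Message = 'Creating Scriptblock text (1 of 1): IEX (Get-Content .\CredNinja.ps1 -Raw)' }
)
$demoFailures = @(foreach ($i in 1..25) {
    [pscustomobject]@{ Time = $now.AddSeconds($i); TargetUser = "user$($i % 8)"; Source = '10.0.0.23' }
})
$demoFailures += [pscustomobject]@{ Time = $now; TargetUser = 'alice'; Source = '10.0.0.50' }

Find-CredNinjaScriptBlocks -Events $demoScriptBlocks | Format-Table -AutoSize
Find-LogonTestingBursts -Records $demoFailures | Format-Table -AutoSize
```

Run with no arguments on a live host to read the last 24 hours of the two event logs; the demo run flags the WS02 script block and the 10.0.0.23 source (25 failures across 8 accounts) while leaving the single failure from 10.0.0.50 alone. The string match on the tool's filename is only a first-pass signal, so the logon-burst heuristic is there to catch the same behaviour when the script has been renamed.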

Malware analysts also note the implementation of a reverse SSL tunnel as a 'backup' communication channel. Abusing SSL this way is a technique seen in other higher-end threats, such as the Point-of-Sale Trojan NitlovePoS.

Rejecting Lordly Authority Extending Over Your Network

ForeLord conforms to the common goals of Iran government-backed hacking organizations. Even so, it shows a distinct shift in infection vectors across its attacks throughout 2019 and early 2020. Although e-mail remains the usual channel for the infection attempts, ForeLord's e-mail attacks don't use the government, business-industry, or entity-specific information that similar phishing lures employ. The more generic content of ForeLord's e-mails and attachments implies that the Iranian threat actor is testing success rates with different methods of social engineering.

Thankfully, such details have little impact on the primary defenses any workers can take against ForeLord's e-mails. Keeping macros disabled will stop the current drive-by-downloads from ForeLord's attachments from succeeding. Malware analysts additionally recommend strong passwords and prompt software updates as precautions for working within any internet-accessible network.
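The macro setting the paragraph above recommends can be enforced and audited on a Windows workstation with the following PowerShell. This is an added example written for this page, not code from the article; it assumes an Office 2016/2019/365 build (policy version key `16.0`) and uses the per-user Office policy hive, which domain environments normally set through Group Policy with the same value names.

```powershell
# Added example (not from the original article): enforce and verify the Office
# macro policy that blocks ForeLord-style macro attachments. Assumes Office
# policy version 16.0 (Office 2016/2019/365); adjust $OfficeVersion otherwise.
# In a domain these same values are usually delivered by Group Policy.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-MacroHardening {
    param([string]$Version = $OfficeVersion, [string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings 4 = "Disable all macros without notification"
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # Block macros in files carrying the Mark-of-the-Web (downloads, mail attachments)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Test-MacroHardening {
    # Returns one row per application; Hardened is $true only when both values match policy.
    param([string]$Version = $OfficeVersion, [string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $p.VBAWarnings
            BlockFromInternet = $p.blockcontentexecutionfrominternet
            Hardened          = ($p.VBAWarnings -eq 4 -and $p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-MacroHardening
Test-MacroHardening | Format-Table -AutoSize
```

Re-run `Test-MacroHardening` periodically (or from a scheduled task) so that a user re-enabling macros, or a missing value after an Office repair, shows up as `Hardened = False` rather than going unnoticed.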

Preventing infection from the outset is always advisable, but most anti-malware products should also be capable of deleting ForeLord when necessary. Doing so doesn't resolve every issue arising from the breach, however, such as credentials already collected, which remain exposed until they are changed.

ForeLord is another, modernized tool for spying on computers efficiently and with few signs of its presence. Network admins should take heed that Iran's APTs remain industrious at gaining access to intelligence even if they have to break laws to do so.
