Since late July 2024, Iranian state-sponsored threat actors have been seen running phishing campaigns targeting a prominent Jewish figure to deliver a new intelligence-gathering tool called AnvilEcho.
Enterprise security company Proofpoint tracks the activity as TA453, which overlaps with activity tracked by the broader cybersecurity community under the aliases APT42 (Mandiant), Charming Kitten (CrowdStrike), Damselfly (Symantec), Mint Sandstorm (Microsoft), and Yellow Garuda (PwC).
“The initial interaction was trying to entice the subject to engage with the benign email to build conversation and trust, and then click on the next malicious link,” security researchers Joshua Miller, Georgi Mladenov, Andrew Northern and Greg Lesnevich said in a report shared with The Hacker News.
“The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell Trojan called AnvilEcho.”
TA453 is believed to be linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and conducts targeted phishing campaigns aimed at supporting the country’s political and military priorities.
Last week, Google-owned Mandiant shared data showing that the U.S. and Israel account for approximately 60% of APT42’s known geographic targeting, followed by Iran and the U.K.
The group’s social engineering efforts are persistent and persuasive: posing as legitimate organizations and journalists, it initiates conversations with potential victims and builds relationships over time before ensnaring them in phishing traps through malware-laden documents or fake credential collection pages.
“APT42 engages its target with a social engineering lure to set up a video meeting and then links to a landing page where the target will be asked to log in and sent to a phishing page,” Google said.
“Another APT42 campaign template sends legitimate PDF attachments as part of a social engineering lure to build trust and encourage the target to interact with other platforms such as Signal, Telegram or WhatsApp.”
The most recent series of attacks observed by Proofpoint, beginning on July 22, 2024, involved the threat actor contacting multiple email addresses of an unnamed Jewish individual and inviting them to be a guest on a podcast, posing as the director of research at the Institute for the Study of War (ISW).
In response to a message from the target, TA453 is said to have sent a password-protected DocSend URL, which in turn led to a text file containing the URL of a legitimate podcast hosted on ISW. The fake messages were sent from the understandingthewar(.)org domain, an obvious attempt to impersonate ISW’s website (“understandingwar(.)org”).
“It is likely that TA453 attempted to normalize the target to clicking the link and entering the password, so that the target would do the same when it delivered the malware,” Proofpoint said.
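A defender-side illustration of the impersonation described above, added here as an example and not part of the original report: it scores inbound sender domains against a watchlist of organizations the recipient legitimately corresponds with, flagging lookalikes such as understandingthewar.org against ISW’s real understandingwar.org. The watchlist, threshold and sample addresses are constructed; only the two ISW-related domains come from the report.

```python
import re
from difflib import SequenceMatcher

# Constructed watchlist: domains of organizations the recipient legitimately
# corresponds with. The ISW domain is the one named in the report.
TRUSTED_DOMAINS = {
    "understandingwar.org": "Institute for the Study of War",
}


def sender_domain(address):
    """Return the lower-cased domain of an e-mail address, rejecting malformed input."""
    addr = address.strip().lower()
    if addr.count("@") != 1 or "." not in addr.split("@", 1)[1]:
        raise ValueError("malformed address: %r" % address)
    return addr.split("@", 1)[1]


def core_label(domain):
    """Second-level label with hyphens, underscores and digits removed, so cosmetic
    variations ('understanding-war.org', 'understandingwar1.org') compare alike."""
    label = domain.rsplit(".", 1)[0]
    return re.sub(r"[-_0-9]", "", label)


def lookalike_score(candidate, trusted):
    """Similarity in [0, 1] between the core labels of two domains."""
    return SequenceMatcher(None, core_label(candidate), core_label(trusted)).ratio()


def classify_sender(address, threshold=0.8):
    """Return ('trusted', org), ('lookalike', org) or ('unknown', None).

    An exact watchlist match is trusted; anything else is compared against every
    watchlisted domain and flagged as a lookalike if it scores above the threshold
    (0.8 is a constructed starting point, to be tuned against real mail flow)."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", TRUSTED_DOMAINS[domain])
    best_org, best_score = None, 0.0
    for trusted, org in TRUSTED_DOMAINS.items():
        score = lookalike_score(domain, trusted)
        if score > best_score:
            best_org, best_score = org, score
    return ("lookalike", best_org) if best_score >= threshold else ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders: the real ISW domain, the impersonating domain
    # named in the report, and an unrelated one.
    for addr in ("research@understandingwar.org",
                 "podcast@understandingthewar.org",
                 "someone@example.com"):
        print(addr, "->", classify_sender(addr))
```

A lookalike verdict is a triage signal for the mail gateway or SOC, not a block on its own; pair it with the conversational pattern the report describes (a benign first message, then a password-protected link).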
In subsequent messages, the threat actor responded with a Google Drive URL that hosted a ZIP archive (“Podcast Plan-2024.zip”), which in turn contained the Windows Shortcut (LNK) file responsible for delivering the BlackSmith toolkit.
AnvilEcho, delivered by BlackSmith, has been described as the likely successor to the PowerShell implants known as CharmPower, GorjolEcho, POWERSTAR and PowerLess. BlackSmith is also designed to display a decoy document as a distraction.
It should be noted that the name “BlackSmith” also overlaps with the browser-hijacking component detailed by Volexity earlier this year in connection with a campaign that distributed BASICSTAR in attacks targeting high-ranking individuals working on Middle East affairs.
“AnvilEcho is a PowerShell trojan that contains extensive functionality,” Proofpoint said. “AnvilEcho’s capabilities indicate a clear focus on intelligence gathering and extraction.”
Some of its important features include performing system reconnaissance, taking screenshots, downloading remote files, and uploading sensitive data via FTP and Dropbox.
“TA453’s phishing campaigns (…) consistently reflect the IRGC’s intelligence priorities,” Proofpoint researcher Joshua Miller said in a statement shared with The Hacker News.
“This deployment of malware that attempts to target a prominent Jewish figure likely supports Iran’s ongoing cyber efforts against Israeli interests. TA453 is stubbornly consistent as a constant threat to politicians, human rights activists, dissidents and academics.”
These findings come days after HarfangLab revealed a new strain of Go-based malware called Cyclops, which may have been developed as a successor to another Charming Kitten backdoor codenamed BellaCiao, indicating that the adversary actively retools its arsenal in response to public disclosures. The first samples of the malware date back to December 2023.
“It aims to reverse-tunnel a REST API to its Command and Control (C2) server for the purpose of controlling target machines,” the French cybersecurity firm said. “This allows operators to run arbitrary commands, manipulate a target’s file system, and use an infected machine to hack into a network.”
Threat actors are believed to have used Cyclops to target a non-profit organization that supports innovation and entrepreneurship in Lebanon, as well as a telecommunications company in Afghanistan. The exact infiltration route used for the attacks is currently unknown.
“The selection of Go for the Cyclops malware has several consequences,” HarfangLab said. “First, it confirms the popularity of this language among malware developers. Second, the initially low number of detections for this sample indicates that Go programs may still present a challenge for security solutions.”
“And finally, it’s possible that the macOS and Linux versions of Cyclops were also built from the same codebase, and that we haven’t found them yet.”