A recent spear phishing campaign attributed to the Iranian state-aligned threat actor group TA453, also known as Charming Kitten, has targeted a prominent Jewish figure by masquerading as a representative from the Institute for the Study of War (ISW). The campaign, first detected on July 22, 2024, involved using fake podcase invitations to deliver a sophisticated new malware toolkit named BlackSmith, ultimately installing AnvilEcho Trojan.
The attack began with TA453 contacting multiple email addresses associated with the target, including both personal and organisational accounts.
The attackers, posing as the Research Director for ISW, invited the target to participate as a guest on a podcast, a social engineering tactic aimed at building credibility and trust.
Once the target responded, TA453 escalated the attack by sending a password-protected DocSend URL, which led to a legitimate ISW podcast link — a move likely intended to condition the target to click links and enter passwords.
After further communication, the threat actors sent a Google Drive link containing a ZIP archive titled ‘Podcast Plan-2024.zip.’ This ZIP file contained an LNK file that, when opened, deployed the BlackSmith toolset, eventually leading to the installation of the AnvilEcho PowerShell Trojan.
When researchers dived deeply into the campaign, they discovered that TA453 continues to rely on modular PowerShell backdoors, a hallmark of their previous operations. However, what sets this campaign apart is the introduction of AnvilEcho.
This led the researchers to believe that this campaign represents an evolution in their tactics, combining multiple malware functionalities into a single, comprehensive PowerShell script.
“The toolset observed in this infection chain is likely the successor of GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower. Proofpoint detected the first TA453 backdoor in Fall 2021,” the researchers observed. “Rather than deeply each PowerShell module separately, TA453 attempts to bundle the entire framework into a single large PowerShell script dubbed AnvilEcho by Proofpoint.”
The infection chain begins with the LNK file, which extracts several components to the system’s temporary folder. These include multiple DLL files and an encrypted PowerShell script named ‘qemus,’ which forms the core of the AnvilEcho trojan.
The installer, disguised as a JPEG file, uses steganography to hide additional malicious code. Once installed, the malware performs various tasks, including bypassing antivirus protections, conducting system reconnaissance, and establishing persistent access to the compromised systems.
AnvilEcho, the final payload, is designed for intelligence collection and exfiltration. It communicates with a command-and-control (C2) server hosted at deepspaceocean[.]info, using an array of encryption and network communication functions.
The trojan can execute various commands, from taking screenshots to uploading files to FTP or Dropbox servers.
Researchers believe that TA453’s activities are related to the intelligence-gathering objectives of the Iranian government, specifically the Islamic Revolutionary Guard Corps Intelligence Organisation (IRGC-IO). The group’s tactics, techniques, and procedures (TTP) are similar to other well-known Iranian threat actors, including Microsoft’s Mint Sandstorm and Mandiant’s APT42.
Geopolitical situations have begun to emerge in the digital landscape, with countries trying hard to uncover each other’s secrets using sophisticated phishing methods. The use of seemingly innocuous podcast invitations and the deployment of advanced malware highlights the growing threat posed by state-sponsored actors in the cyber domain.
“TA453 uses many different social engineering techniques to try and convince targets to engage with malicious content. Like multi-persona impersonation, sending legitimate links to a target and referencing a real podcast from the spoofed organization can build user trust. When a threat actor builds a connection with a target over time before delivering the malicious payload, it increases the likelihood of exploitation,” researchers concluded.
In the News: PHP vulnerability exploited by hackers targeting Taiwan