A state-sponsored Iranian group has recently launched targeted spear-phishing attacks against a prominent Jewish religious figure, using a new information-gathering implant named AnvilEcho.
Researchers at the cybersecurity company Proofpoint have been tracking this activity, which they attribute to TA453, a group that other cybersecurity vendors track under aliases including APT42, Charming Kitten, Damselfly, Mint Sandstorm, and Yellow Garuda.
According to a report by security analysts Joshua Miller, Georgi Mladenov, Andrew Northern, and Greg Lesnewich shared with The Hacker News, the attackers’ strategy involved enticing the target into benign conversation before distributing a malware toolkit named BlackSmith, which deploys the AnvilEcho PowerShell trojan.
The TA453 group is believed to have ties with Iran’s Islamic Revolutionary Guard Corps (IRGC), executing tailored phishing campaigns to serve the nation’s political and military objectives.
Recent data released by Mandiant, owned by Google, revealed that APT42’s primary targets are the U.S. and Israel, accounting for approximately 60% of the attacks, followed by Iran and the U.K.
These phishing campaigns are persistent and convincing: the operators impersonate reputable figures and journalists to open a dialogue with potential targets, then gradually lure them into opening malware-laden documents or entering credentials on fraudulent harvesting pages.

These revelations come in the wake of HarfangLab disclosing a new Go-based malware (Cyclops) believed to be a successor to the Charming Kitten backdoor (BellaCiao). The malware lets the operators control compromised systems by exposing a REST API that is reverse-tunneled to the attackers' command-and-control server.
The perpetrators potentially employed Cyclops to target a non-profit supporting innovation in Lebanon and a telecom company in Afghanistan, although the exact breach method remains unknown.
“Utilizing Go for the Cyclops malware has demonstrated the language’s growing popularity among malware creators. This sample’s low detection rate hints at the ongoing challenges for security software in countering Go programs,” mentioned HarfangLab.
“It’s possible that macOS and Linux variants of Cyclops exist, created from the same source code but yet to be identified.”
