Iranian state-sponsored threat actors have been observed orchestrating spear-phishing campaigns targeting a prominent Jewish figure starting in late July 2024 with the goal of delivering a new intelligence-gathering tool called AnvilEcho.
Enterprise security company Proofpoint is tracking the activity under the name TA453, which overlaps with activity tracked by the broader cybersecurity community under the monikers APT42 (Mandiant), Charming Kitten (CrowdStrike), Damselfly (Symantec), Mint Sandstorm (Microsoft), and Yellow Garuda (PwC).
“The initial interaction attempted to lure the target to engage with a benign email to build conversation and trust to then subsequently click on a follow-up malicious link,” security researchers Joshua Miller, Georgi Mladenov, Andrew Northern, and Greg Lesnewich said in a report shared with The Hacker News.
“The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho.”
TA453 is assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), carrying out targeted phishing campaigns that are designed to support the country’s political and military priorities.
Data shared by Google-owned Mandiant last week shows that the U.S. and Israel accounted for roughly 60% of APT42’s known geographic targeting, followed by Iran and the U.K.
The social engineering efforts are both persistent and persuasive, masquerading as legitimate entities and journalists to initiate conversations with prospective victims and build rapport over time, before ensnaring them in their phishing traps via malware-laced documents or bogus credential harvesting pages.
“APT42 would engage their target with a social engineering lure to set-up a video meeting and then link to a landing page where the target was prompted to login and sent to a phishing page,” Google said.
“Another APT42 campaign template is sending legitimate PDF attachments as part of a social engineering lure to build trust and encourage the target to engage on other platforms like Signal, Telegram, or WhatsApp.”
The latest set of attacks, observed by Proofpoint starting July 22, 2024, involved the threat actor contacting multiple email addresses for an unnamed Jewish figure, inviting them to be a guest for a podcast while impersonating the Research Director for the Institute for the Study of War (ISW).
In response to a message from the target, TA453 is said to have sent a password-protected DocSend URL that, in turn, led to a text file containing a URL to the legitimate ISW-hosted podcast. The phony messages were sent from the domain understandingthewar[.]org, a clear attempt to mimic ISW’s website (“understandingwar[.]org”).
“It is likely that TA453 was attempting to normalize the target clicking a link and entering a password so the target would do the same when they delivered malware,” Proofpoint said.
In follow-up messages, the threat actor was found replying with a Google Drive URL hosting a ZIP archive (“Podcast Plan-2024.zip”) that, in turn, contained a Windows shortcut (LNK) file responsible for delivering the BlackSmith toolset.
AnvilEcho, which is delivered by means of BlackSmith, has been described as a likely successor to the PowerShell implants known as CharmPower, GorjolEcho, POWERSTAR, and PowerLess. BlackSmith is also designed to display a lure document as a distraction mechanism.
It’s worth noting that the name “BlackSmith” also overlaps with a browser stealer component detailed by Volexity earlier this year in connection with a campaign that distributed BASICSTAR in attacks aimed at high-profile individuals working on Middle Eastern affairs.
“AnvilEcho is a PowerShell trojan that contains extensive functionality,” Proofpoint said. “AnvilEcho capabilities indicate a clear focus on intelligence collection and exfiltration.”
Some of its important functions include conducting system reconnaissance, taking screenshots, downloading remote files, and uploading sensitive data over FTP and Dropbox.
“TA453 phishing campaigns […] have consistently reflected IRGC intelligence priorities,” Proofpoint researcher Joshua Miller said in a statement shared with The Hacker News.
“This malware deployment attempting to target a prominent Jewish figure likely supports ongoing Iranian cyber efforts against Israeli interests. TA453 is doggedly consistent as a persistent threat against politicians, human rights defenders, dissidents, and academics.”
The findings come days after HarfangLab disclosed a new Go-based malware strain referred to as Cyclops that has been possibly developed as a follow-up to another Charming Kitten backdoor codenamed BellaCiao, indicating that the adversary is actively retooling its arsenal in response to public disclosures. Early samples of the malware date back to December 2023.
“It aims at reverse-tunneling a REST API to its command-and-control (C2) server for the purposes of controlling targeted machines,” the French cybersecurity company said. “It allows operators to run arbitrary commands, manipulate the target’s filesystem, and use the infected machine to pivot into the network.”
It’s believed that the threat actors used Cyclops to single out a non-profit organization that supports innovation and entrepreneurship in Lebanon, as well as a telecommunication company in Afghanistan. The exact ingress route used for the attacks is presently unknown.
“The choice of Go for the Cyclops malware has a few implications,” HarfangLab said. “Firstly, it confirms the popularity of this language among malware developers. Secondly, the initially low number of detections for this sample indicates that Go programs may still represent a challenge for security solutions.”
“And finally, it is possible that macOS and Linux variants of Cyclops were also created from the same codebase and that we have yet to find them.”
