A recent malicious campaign by the Iranian threat actor TA453 has come to attention after the group had targeted a prominent Jewish religious figure (whose identity has been hidden for protection) with a fake podcast interview invitation.
The attack chain, which began in July 2024, employed a series of emails referring to a supposed podcast about ‘Exploring Jewish life in the Muslim World’, from a representative of the American non-profit think thank Institute for the Study of War, a legitimate organization dedicated to research under the topics of military defense and foreign affairs.
TA453 Deploys PowerShell Trojan Through Podcast Invite
The campaign began on July 22, 2024, when TA453 contacted multiple email addresses for the target figure, under the guise of representing the Research Director for the Institute for the Study of War (ISW). The lure was a podcast invitation, which the target responded to, and TA453 followed up with a DocSend URL that led to a password-protected text file containing a legitimate ISW podcast URL.
The researchers from Proofpoint believe this was likely an attempt to normalize the target’s behavior, making them more susceptible to clicking on malicious links in the future. The attackers then sent a Google Drive URL leading to a ZIP archive containing a malicious LNK file, which delivered the BlackSmith toolset, including the AnvilEcho PowerShell trojan.
The AnvilEcho malware is a PowerShell trojan that contains extensive functionality, including intelligence gathering and exfiltration capabilities. It uses encryption and network communication techniques similar to previously observed TA453 samples. The malware is designed to evade detection by bundling multiple capabilities into a single PowerShell script, rather than using a modular approach.
AnvilEcho uses a series of functions to encrypt, encode, and exfiltrate information, including Send-ReqPacket, FromEncrypt, From-Save, Encode, ToEncrypt, and Get-Rand. The malware also includes code for downloading and uploading files, as well as capturing screenshots and audio.
The malware’s C2 infrastructure is hosted on the domain deepspaceocean[.]info, which bears similarities to historical TA453 infrastructure. The AnvilEcho C2 server is designed to run continuously, periodically fetching commands from the remote server and executing them via the Do-It function. The Do-It function executes different sections of code based on the received command, including capabilities for network connectivity, file handling, screenshot capture, and audio exfiltration.
Along with the Do-it function, at the end of the 2200 lines of malware code, the Redo-It function serves as orchestration and management for all of the PowerShell commands within the malware. The Redo-It function also handles many other components of the malware such as key encryption, system reconnaissance upon the first run to collect antivirus information, Operating System information, Public IP Address, InstallationPath, Manufacturer, ComputerName, and UserName.
This data exfiltrated and encrypted by the Redo-It function is then sent to the TA453 attacker-controlled infrastructure. This function is designed for persistent execution, for periodically retrieving commands from the remote server, decrypting them, and executing them via Do-It.
Iranian Islamic Revolutionary Guard Corps Connection
These efforts of TA453 are likely in support of intelligence collection for the Iranian government, particularly the Islamic Revolutionary Guard Corps’ Intelligence Organization, according to the researchers.
While there is no direct link to individual members of the IRGC, the malware’s TTPs are consistent with previous reports of TA453 campaigns, including overlaps in unit numbering and targeting priorities. They believe the group also shares several similarities with the Charming Kitten APT group.
These tactics are an example of multi-persona impersonation, where threat actors send legitimate links to users to build upon trust from victims for later exploit.