Iranian threat actor TA453 launched a phishing campaign targeting a prominent religious figure with a fake podcast invitation aiming to deliver a new malware toolkit, BlackSmith, containing a PowerShell trojan named AnvilEcho.
AnvilEcho consolidates TA453's previously separate malware functionality into a single script, and reuses encryption and network-communication routines seen in past campaigns; its purpose is to gather intelligence and exfiltrate data.
TA453 launched a phishing campaign targeting a prominent Jewish figure on July 22, 2024.
Posing as the Research Director of the Institute for the Study of War, the attacker lured the target with a podcast invitation.
Once the target responded, the attacker sent a password-protected DocSend link that resolved to a legitimate ISW podcast URL. This step likely served as a social-engineering tactic to condition the target to click links and enter passwords before any malware was delivered.
A cyber threat group launched a phishing campaign in February 2024 targeting a religious figure by impersonating the Institute for the Study of War (ISW) via a spoofed domain and sending a fake podcast invitation to both the target’s work and personal email addresses.
To further legitimize the attack, TA453 used emails from a controlled domain and included a Hotmail account in the signature.
After gaining the target’s trust, they sent a Google Drive link containing a malicious LNK file disguised as a podcast plan.
Clicking the LNK would deploy BlackSmith, a toolset that ultimately delivers TA453’s AnvilEcho PowerShell Trojan.
TA453 continues to leverage PowerShell backdoors, evolving its tactics to evade detection and featuring a monolithic PowerShell script dubbed AnvilEcho, consolidating previously separate modules for streamlined deployment.
By obscuring the infection chain, TA453 aims to hinder analysis and intelligence gathering, demonstrating persistence in its modular backdoor approach, likely a successor to tools like GorjolEcho, TAMECURL, and CharmPower.
The BlackSmith malware infection chain starts with a disguised LNK file that drops a ZIP archive containing malicious DLLs and a steganographically hidden PowerShell script within a PNG image.
An installer, soshi.dll, creates a persistence mechanism and retrieves missing components from a TA453-controlled server.
The stager, toni.dll, bypasses antivirus, decrypts the PowerShell loader and then executes the AnvilEcho script, which focuses on exfiltration.
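The article says the PowerShell loader is hidden steganographically inside a PNG but does not say how. A defender triaging a suspicious image can still check the two cheapest hiding places: a chunk type that is not part of the PNG standard, and data appended after the IEND chunk. The script below is an added example written for this page, not code from the article or from Proofpoint; it assumes a simple carrier (extra chunk or trailing data) and looks for PowerShell-like text, which is an assumption about the payload, not a description of how BlackSmith actually embeds it. The sample images it checks are constructed in the script.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}

# Assumed indicators of an embedded PowerShell script (heuristic, not a signature).
POWERSHELL_MARKERS = re.compile(
    rb"(?i)(\$env:|Invoke-|New-Object|\[System\.|-EncodedCommand|FromBase64String)"
)


def parse_png(data):
    """Walk the chunk list; return (chunks, trailing_bytes).

    chunks is a list of (type, payload, crc_ok). Parsing stops at IEND so that
    anything appended after the image proper is returned separately.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, raw_type = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = raw_type.decode("latin-1")
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        expected = zlib.crc32(raw_type + payload) & 0xFFFFFFFF
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == expected
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == "IEND":
            break
    return chunks, data[pos:]


def triage_png(data):
    """Return a list of human-readable findings for one PNG file."""
    chunks, trailing = parse_png(data)
    findings = []
    for ctype, payload, crc_ok in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype} ({len(payload)} bytes)")
        if not crc_ok:
            findings.append(f"bad CRC on chunk {ctype}")
        if POWERSHELL_MARKERS.search(payload):
            findings.append(f"PowerShell-like text inside chunk {ctype}")
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
        if POWERSHELL_MARKERS.search(trailing):
            findings.append("PowerShell-like text in trailing data")
    return findings


def build_chunk(ctype, payload):
    """Serialize one chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample(trailing=b"", extra_chunk=None):
    """Constructed 1x1 RGB PNG, optionally with an extra chunk or trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # one filter byte + one RGB pixel
    out = PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
    if extra_chunk:
        out += build_chunk(*extra_chunk)
    out += build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b"") + trailing
    return out


if __name__ == "__main__":
    for label, sample in [
        ("clean", make_sample()),
        ("trailing", make_sample(trailing=b"$env:COMPUTERNAME")),
        ("extra chunk", make_sample(extra_chunk=(b"paYL", b"Invoke-Whatever $env:x"))),
    ]:
        print(label, triage_png(sample))
```

Real carriers can be subtler than this (payload bytes spread across IDAT pixel data, for example), so an empty finding list means only that the cheap checks passed, not that the image is clean; the value of the script is in surfacing the obvious cases quickly and in giving analysts the chunk layout to start from.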
AnvilEcho establishes communication with the C2 server, generates a unique identifier, and offers various functionalities for data theft through its encryption and network communication modules.
It is a PowerShell trojan by TA453 (Charming Kitten) and uses Redo-It for orchestration and Do-It for execution of commands received from the C2 server deepspaceocean.info.
Redo-It gathers system reconnaissance information and sends it to the TA453 infrastructure after encryption, while Do-It executes various functionalities based on the received commands, including taking screenshots, uploading and downloading files, and collecting audio recordings.
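The chain described above leaves several observable traces on an endpoint: a user-launched LNK, a PowerShell process started by the loader, and DNS resolution of the C2 domain the article names (deepspaceocean.info). The script below is an added example for this page, not Proofpoint's or TA453's code; it runs a small set of detection rules over constructed JSON telemetry in a hypothetical schema (fields ts, host, type, parent_image, image, cmdline, query) and correlates hits per host. The rules are assumptions about how the chain would look in process and DNS logs (explorer.exe spawning a script host for the LNK stage, a hidden or encoded PowerShell command line for the loader stage), not details taken from the article.

```python
import json
from collections import defaultdict

# Domain named in the article as AnvilEcho's C2 server.
C2_DOMAINS = {"deepspaceocean.info"}

# Processes that a double-clicked LNK commonly resolves to (assumption for the rule).
LOADER_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe")

# Constructed sample telemetry (hypothetical schema, not real logs).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ts": "2024-07-22T10:00:01Z", "host": "WS01", "type": "process",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c start "" "C:\Users\alice\Downloads\Podcast Plan\run.bat"'},
    {"ts": "2024-07-22T10:00:02Z", "host": "WS01", "type": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc <constructed-base64>"},
    {"ts": "2024-07-22T10:00:05Z", "host": "WS01", "type": "dns",
     "query": "deepspaceocean.info"},
    {"ts": "2024-07-22T10:01:00Z", "host": "WS02", "type": "process",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"ts": "2024-07-22T10:01:01Z", "host": "WS02", "type": "dns",
     "query": "example.com"},
    {"ts": "2024-07-22T10:02:00Z", "host": "WS03", "type": "dns",
     "query": "deepspaceocean.info."},
]]


def stage_of(event):
    """Map one event to a stage of the described chain, or None."""
    kind = event.get("type")
    if kind == "process":
        image = event.get("image", "").lower()
        cmd = event.get("cmdline", "").lower()
        parent = event.get("parent_image", "").lower()
        # LNK stage: explorer.exe (the user's double-click) spawning a script host.
        if parent.endswith("explorer.exe") and image.endswith(LOADER_HOSTS):
            return "lnk_execution"
        # Loader stage: hidden, encoded or base64-decoding PowerShell command line.
        if image.endswith("powershell.exe") and any(
            m in cmd for m in ("-enc", "-w hidden", "frombase64string")
        ):
            return "powershell_loader"
    elif kind == "dns":
        query = event.get("query", "").lower().rstrip(".")
        if query in C2_DOMAINS or any(query.endswith("." + d) for d in C2_DOMAINS):
            return "c2_resolution"
    return None


def correlate(lines):
    """Return {host: [stages in first-seen order]} for hosts worth alerting on.

    A host is alerted when it resolved the C2 domain (sufficient on its own)
    or when at least two distinct stages of the chain were observed.
    """
    first_seen = defaultdict(dict)  # host -> stage -> earliest timestamp
    for line in lines:
        event = json.loads(line)
        stage = stage_of(event)
        if stage is not None:
            first_seen[event["host"]].setdefault(stage, event["ts"])
    alerts = {}
    for host, stages in first_seen.items():
        if "c2_resolution" in stages or len(stages) >= 2:
            alerts[host] = sorted(stages, key=stages.get)
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(host, "->", " > ".join(stages))
```

The single-stage rules are deliberately loose (an administrator's encoded PowerShell command will trip the loader rule on its own), which is why the alert logic requires either the C2 indicator or two distinct stages on the same host; in a real deployment the timestamps collected in first_seen would also be used to bound the window in which the stages must occur.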
According to Proofpoint, TA453 likely uses the collected information for intelligence purposes in support of the Iranian government's interests.