TA453 Hackers Using Fake podcast To Deliver New BlackSmith Malware Toolkit


Iranian threat actor TA453 launched a phishing campaign targeting a prominent religious figure with a fake podcast invitation aiming to deliver a new malware toolkit, BlackSmith, containing a PowerShell trojan named AnvilEcho. 

AnvilEcho, consolidating TA453’s previous malware functionalities into a single script, uses encryption and network communication similar to past campaigns, whose purpose is to gather intelligence and exfiltrate data. 

EHA

TA453 launched a phishing campaign targeting a prominent Jewish figure on July 22, 2024.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Posing as the Research Director of the Institute for the Study of War, the attacker lured the target with a podcast invitation. 

Initial July 2024 approach from TA453. 

Upon receiving a response, the attacker sent a password-protected DocSend link containing a legitimate ISW podcast URL, which likely served as a social engineering tactic to condition the target into clicking links and entering passwords, potentially preceding a malware delivery attempt.  

A cyber threat group launched a phishing campaign in February 2024 targeting a religious figure by impersonating the Institute for the Study of War (ISW) via a spoofed domain and sending a fake podcast invitation to both the target’s work and personal email addresses. 

To further legitimize the attack, TA453 used emails from a controlled domain and included a Hotmail account in the signature. 

After gaining the target’s trust, they sent a Google Drive link containing a malicious LNK file disguised as a podcast plan.

Clicking the LNK would deploy BlackSmith, a toolset that ultimately delivers TA453’s AnvilEcho PowerShell Trojan.  

Fake podcast invitation containing a malicious URL. 

TA453 continues to leverage PowerShell backdoors, evolving its tactics to evade detection and featuring a monolithic PowerShell script dubbed AnvilEcho, consolidating previously separate modules for streamlined deployment. 

By obscuring the infection chain, TA453 aims to hinder analysis and intelligence gathering, demonstrating persistence in its modular backdoor approach, likely a successor to tools like GorjolEcho, TAMECURL, and CharmPower. 

Timeline of TA453 malware.  

The BlackSmith malware infection chain starts with a disguised LNK file that drops a ZIP archive containing malicious DLLs and a steganographically hidden PowerShell script within a PNG image. 

An installer, soshi.dll, creates a persistence mechanism and retrieves missing components from a TA453-controlled server.

The stager, toni.dll, bypasses antivirus, decrypts the PowerShell loader and then executes the AnvilEcho script, which focuses on exfiltration. 

PDF displayed to the user to obfuscate BlackSmith installation. 

AnvilEcho establishes communication with the C2 server, generates a unique identifier, and offers various functionalities for data theft through its encryption and network communication modules. 

It is a PowerShell trojan by TA453 (Charming Kitten) and uses Redo-It for orchestration and Do-It for execution of commands received from the C2 server deepspaceocean.info. 

Redo-It gathers system reconnaissance information and sends it to the TA453 infrastructure after encryption, while Do-It executes various functionalities based on the received commands, including taking screenshots, uploading and downloading files, and collecting audio recordings. 

According to Proofpoint, the Iranian government’s interests are likely supported by TA453’s use of this information for the purpose of intelligence collection.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Acces



Source link