Proofpoint details TA453's targeting of a prominent religious figure via a fake podcast invitation, introducing a new BlackSmith malware toolkit that includes the AnvilEcho PowerShell trojan for intelligence gathering and exfiltration. The operation consolidates TA453's capabilities into a single script and relies on social engineering and IRGC-aligned infrastructure to enable persistence and data exfiltration.
#TA453 #BlackSmith #AnvilEcho #IRGC #InstituteForTheStudyOfWar
Key points
- TA453 impersonated the Institute for the Study of War to lure a prominent religious figure.
- The attack began with benign email interactions to build trust before delivering malicious content.
- BlackSmith toolkit was delivered via a ZIP file containing a malicious LNK file.
- AnvilEcho, the PowerShell trojan, consolidates previous malware capabilities into a single script.
- The malware employs encryption, obfuscation, and complex techniques to evade detection and facilitate intelligence collection.
- TA453's activities align with Iranian government interests, particularly the IRGC.
MITRE Techniques
- [T1566] Phishing: TA453 used a fake podcast invitation to lure the target into clicking malicious links. Quote: "TA453 used a fake podcast invitation to lure the target into clicking malicious links."
- [T1086] PowerShell: AnvilEcho is a PowerShell trojan designed for intelligence gathering and exfiltration. Quote: "AnvilEcho is a PowerShell trojan designed for intelligence gathering and exfiltration."
- [T1071] Command and Control: Utilized domains like deepspaceocean.info for command and control communications. Quote: "Utilized domains like deepspaceocean.info for command and control communications."
- [T1027] Obfuscated Files or Information: Malware uses obfuscation techniques to evade detection, such as hiding payloads in images. Quote: "Malware uses obfuscation techniques to evade detection, such as hiding payloads in images."
- [T1003] Credential Dumping: Attempts to gather system information, including antivirus details and user credentials. Quote: "Attempts to gather system information, including antivirus details and user credentials."
Indicators of Compromise
- [SHA256] LNK and ZIP hashes: 5dca88f08b586a51677ff6d900234a1568f4474bbbfef258d59d73ca4532dcaf, 5aee738121093866404827e1db43c8e1a7882291afedfe90314ec90b198afb36
- [File name] Podcast Plan 2024.lnk: LNK file delivering the BlackSmith toolset
- [File name] Podcast Plan-2024.zip: ZIP archive containing malicious components
- [Domain] understandingthewar.org: Lure domain used in the phishing chain
- [Domain] deepspaceocean.info: C2 domain referenced for communications
- [Domain] d75.site: Storage/decoy domain used in the chain
- [IP] 54.39.143.120: C2 hosting infrastructure
- [IP] 54.39.143.117: Co-hosted TA453 infrastructure
- [File name] Beautifull.jpg: Decoy image carrying steganographic payload
- [File name] mary.dll: Helper/delivery component used by BlackSmith
- [File name] qemus: AnvilEcho payload (encrypted) referenced in the chain
- [File name] soshi.dll: Installer component used by BlackSmith
- [File name] toni.dll: Service for persistence
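The indicators above are only useful once they are run against telemetry. The script below is an added example, not part of the Proofpoint report or the summary: it loads the published hashes, domains, IPs and file names into lookup sets and sweeps them across proxy, firewall and EDR log lines. The log lines are constructed for the example (hostnames, usernames and timestamps are invented); the indicators themselves are the ones listed on this page. Domain matching also catches subdomains of the listed domains, since the page gives only the registered domains.

```python
import re

# Indicators of compromise as listed in the summary above.
IOC_SHA256 = {
    "5dca88f08b586a51677ff6d900234a1568f4474bbbfef258d59d73ca4532dcaf",
    "5aee738121093866404827e1db43c8e1a7882291afedfe90314ec90b198afb36",
}
IOC_DOMAINS = {"understandingthewar.org", "deepspaceocean.info", "d75.site"}
IOC_IPS = {"54.39.143.120", "54.39.143.117"}
IOC_FILENAMES = {
    "Podcast Plan 2024.lnk", "Podcast Plan-2024.zip", "Beautifull.jpg",
    "mary.dll", "qemus", "soshi.dll", "toni.dll",
}

# Generic extractors; the hash and domain patterns are case-insensitive.
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# File names are matched as whole tokens so "qemus" does not hit "qemusomething".
FILENAME_RES = {
    fn: re.compile(r"(?<!\w)" + re.escape(fn) + r"(?!\w)", re.I) for fn in IOC_FILENAMES
}


def match_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in IOC_SHA256:
            hits.append(("sha256", h.lower()))
    for d in DOMAIN_RE.findall(line):
        d = d.lower().rstrip(".")
        # Exact domain or any subdomain of a listed domain.
        if d in IOC_DOMAINS or any(d.endswith("." + dom) for dom in IOC_DOMAINS):
            hits.append(("domain", d))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for fn, pattern in FILENAME_RES.items():
        if pattern.search(line):
            hits.append(("filename", fn))
    return hits


def scan(lines):
    """Sweep all lines; return [(line_index, hits)] for lines with at least one hit."""
    results = []
    for idx, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample telemetry (hosts, users and times are invented for the example).
SAMPLE_LOGS = [
    "2024-07-22T10:14:03Z proxy user=jdoe dst=deepspaceocean.info:443 action=allow",
    "2024-07-22T10:15:11Z proxy user=jdoe dst=cdn.example.com:443 action=allow",
    "2024-07-22T10:16:40Z edr host=WS01 file_create "
    "path=C:\\Users\\jdoe\\Downloads\\Podcast Plan-2024.zip "
    "sha256=5aee738121093866404827e1db43c8e1a7882291afedfe90314ec90b198afb36",
    "2024-07-22T10:17:02Z fw src=10.0.0.5 dst=54.39.143.120 dport=443",
    "2024-07-22T10:18:30Z edr host=WS01 process=powershell.exe parent=explorer.exe",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
```

Only three of the five constructed lines match: the proxy request to the C2 domain, the EDR file-creation event (on both the ZIP hash and its file name), and the firewall connection to the C2 IP. The final line, a PowerShell launch with no indicator attached, is deliberately not flagged; hash and domain matching is a retrospective sweep and does not replace behavioural detection of LNK-to-PowerShell execution chains.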