TA453 Uses Impersonation to Capitalize on FOMO | Proofpoint US

TA453, an Iran-aligned actor assessed to support IRGC objectives, has expanded its social engineering with Multi-Persona Impersonation (MPI): several actor-controlled personas take part in a single email thread so the outreach reads as a genuine, ongoing collaboration. Campaigns target researchers, including those working on nuclear security, and steer them toward credential-harvesting links or Word documents that use remote template injection to load Korg, while CC'ing additional personas to reinforce legitimacy. #TA453 #MultiPersonaImpersonation #IRGC #CharmingKitten #Korg

Keypoints

  • TA453 introduced Multi-Persona Impersonation (MPI) around mid-2022, using at least two personas on a single email thread.
  • MPI increases resource use per target but boosts perceived authenticity through social proof and coordination among personas.
  • The technique is an evolution of TA453's existing methods; the practical mitigation is careful scrutiny of unsolicited outreach, especially when neither the sender nor the CC'd parties are known to the recipient.
  • Typical campaigns impersonate journalists or researchers and steer targets toward credential-harvesting links or malicious documents.
  • In a notable MPI campaign, TA453 used multiple CC'd personas (e.g., Harald Ott, Claire Parry, Dr. Andrew Marshall) against a genome research target, three personas to one victim, and delivered a malicious OneDrive link.
  • Korg, TA453's latest remote template injection, works in two stages: the lure Word document fetches a remote template carrying macros, and those macros collect information from the host and exfiltrate it via the Telegram API.
  • TA453 remains associated with IRGC-aligned objectives, with subgroups varying in victimology and tempo (weeks-long benign conversations vs immediate malicious links).
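The Korg exfiltration step described above leaves a distinctive network artifact: an Office process talking to the Telegram Bot API. The following detection logic is an added example written for this page, not Proofpoint's code or anything recovered from Korg itself. It runs over constructed endpoint telemetry records (field names modelled on Sysmon event 3 plus a request path that only an inspecting proxy would supply); the process list, the bot-id placeholder and the severity scheme are assumptions.

```python
"""Added example: flag Office processes reaching the Telegram Bot API.

Bot API requests take the form https://api.telegram.org/bot<id>:<secret>/<method>.
The secret is effectively a bearer credential, so only the numeric bot id is
extracted for pivoting across hosts; the secret is never written to the alert.
"""
import re
from typing import Dict, List, Optional

TELEGRAM_API_HOST = "api.telegram.org"
BOT_CALL_RE = re.compile(
    r"/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
# Office binaries that have no business talking to a chat bot API (assumed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Methods that push data out of the host rather than poll for instructions.
EXFIL_METHODS = {"sendmessage", "senddocument", "sendphoto"}


def analyse(record: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for one connection record, or None if it is uninteresting.

    Only the destination host and the process image are required. The URL path
    is present only where TLS is inspected; without it the record still earns a
    medium alert, because an Office process reaching the Bot API is anomalous
    on its own. With it, an outbound send* method raises the severity to high.
    """
    image = record.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    host = record.get("dest_host", "").lower()
    if host != TELEGRAM_API_HOST or image not in OFFICE_IMAGES:
        return None
    alert: Dict[str, object] = {
        "image": image, "dest_host": host, "severity": "medium",
        "method": None, "bot_id": None,
    }
    m = BOT_CALL_RE.search(record.get("url", ""))
    if m:
        alert["method"] = m.group("method").lower()
        alert["bot_id"] = m.group("bot_id")  # pivot key; the secret is dropped
        if alert["method"] in EXFIL_METHODS:
            alert["severity"] = "high"
    return alert


def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyse() over a batch and keep only the records that alerted."""
    return [a for a in (analyse(r) for r in records) if a is not None]


# Constructed telemetry, not real logs. The bot token is a placeholder built
# from a fake id and 35 filler characters so it matches the real token shape.
FAKE_TOKEN = "123456789:" + "AAH" + "x" * 32
SAMPLE_RECORDS = [
    # Word posting a file to a bot: the Korg-style exfiltration pattern.
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_host": "api.telegram.org",
     "url": "/bot" + FAKE_TOKEN + "/sendDocument"},
    # Same process, host-only visibility (no TLS inspection).
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_host": "api.telegram.org", "url": ""},
    # A legitimate in-house bot: not an Office process, so not alerted.
    {"image": r"C:\Tools\alertbot\python.exe",
     "dest_host": "api.telegram.org",
     "url": "/bot" + FAKE_TOKEN + "/getUpdates"},
    # Word fetching a template from Microsoft: wrong host, so not alerted.
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_host": "templates.office.com", "url": "/"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

The bot id is worth keeping even though it is not secret: TA453 reuses infrastructure across targets, and the same id appearing from two hosts is a cheap way to tie incidents together. Hunting on the host alone is noisy in any environment that runs real Telegram bots, which is why the process image is part of the condition.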

MITRE Techniques

  • [T1566.002] Spearphishing Link – In MPI, TA453 delivers a OneDrive link that downloads a malicious Word doc named Ott-Lab 371.docx. “delivered a OneDrive link that downloaded a malicious Word doc named Ott-Lab 371.docx.”
  • [T1221] Template Injection – Remote Template Injection is used to download and execute the Korg template/macros. “Similar to the document sent by ‘Harald,’ this document also used remote template injection to download Korg.”
  • [T1567.002] Exfiltration to Web Service – Macros exfiltrate collected data via the Telegram API. “The macros collect information… and exfiltrates that information using the Telegram API.”
  • [T1071.001] Web Protocols – The Telegram Bot API is reached over HTTPS, so the exfiltration in T1567.002 rides an ordinary web protocol and blends in with normal browser traffic. (Context: use of the Telegram API for data transfer in the Korg template workflow.)
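Remote template injection (T1221) is visible without executing the document: a .docx is a zip archive, and an attached template is recorded in word/_rels/settings.xml.rels as a Relationship of type attachedTemplate; when that relationship has TargetMode="External" and a URL target, Word fetches the template, and any macros it carries, from the network when the file opens. The triage script below is an added example written for this page, not Proofpoint's tooling and not a reconstruction of the Ott-Lab 371.docx sample. It builds minimal .docx files in memory (constructed samples); the template path under the IOC host is hypothetical and nothing is fetched.

```python
"""Added example: static check for Word remote template injection (T1221)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Relationship type Word records for an attached (.dotm/.dotx) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Host from this page's IOC list. Only the subdomain is used: the parent
# domain belongs to a hosting service and would match unrelated tenants.
KNOWN_BAD_HOSTS = {"354pstw4a5f8.filecloudonline.com"}

# Targets that make Word reach beyond the document: URLs and UNC paths.
REMOTE_TARGET_RE = re.compile(r"(?i)^(?:https?|ftp|file)://|^\\\\")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target that is External and remote."""
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Word keeps attachedTemplate in word/_rels/settings.xml.rels, but
        # scanning every .rels part is cheap and tolerates odd layouts.
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if REMOTE_TARGET_RE.search(target):
                    targets.append(target)
    return targets


def triage(docx_bytes: bytes) -> Dict[str, object]:
    """Classify a document by its remote template and match hosts against IOCs."""
    targets = find_remote_templates(docx_bytes)
    hosts = set()
    for t in targets:
        host = urlparse(t).hostname  # None for UNC paths
        if host:
            hosts.add(host.lower())
    return {
        "remote_template": bool(targets),
        "targets": targets,
        "known_bad_hosts": sorted(hosts & KNOWN_BAD_HOSTS),
    }


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (a constructed sample, not the lure)."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    settings = [f'<w:settings xmlns:w="{W_NS}" xmlns:r="{REL_NS.replace("package/2006/relationships", "officeDocument/2006/relationships")}">']
    if template_url is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>')
        settings.append('<w:attachedTemplate r:id="rId1"/>')
    rels.append("</Relationships>")
    settings.append("</w:settings>")
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/document.xml": f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>',
        "word/settings.xml": "".join(settings),
        "word/_rels/settings.xml.rels": "".join(rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical path under the IOC host; no request is ever made.
    print(triage(build_sample_docx(None)))
    print(triage(build_sample_docx(
        "https://354pstw4a5f8.filecloudonline.com/hypothetical/template.dotm")))
```

The check deliberately does not trust the document's own settings.xml: the relationship part is what Word actually resolves, so a document whose settings.xml looks clean but whose .rels still carries an External attachedTemplate is treated as injected. UNC targets are flagged too, since a template on an attacker SMB share is the same technique with a different transport.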

Indicators of Compromise

  • [File hash] – Ott-Lab 371.docx – f6456454be8cb77858d24147b1529890cd06d314aed70c07fc0b5725ac84542b
  • [File hash] – The possible US-Russia clash.docx – 16a961475a88313478bc2406d6b442be9809e64ea9e2a4754debcce9200cf36b
  • [Domain] – 354pstw4a5f8.filecloudonline[.]com (host used to retrieve Korg macros; this full subdomain is the actionable indicator)
  • [Domain] – filecloudonline[.]com (parent domain of the above, listed for context; block or alert on the full subdomain rather than the parent, which may also serve unrelated tenants of the hosting service)
  • [URL] – OneDrive link delivering the malicious document (used in MPI campaign)

Read more: https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo