Category | Details |
---|---|
Threat Actors | Iranian Threat actor TA453 (Charming Kitten), likely supporting Iranian government interests, specifically the IRGC Intelligence Organization (IRGC-IO). |
Campaign Overview | Fake podcast invitation sent to a religious figure, leading to the delivery of BlackSmith malware, specifically the AnvilEcho PowerShell Trojan. Targeted intelligence gathering. |
Target Regions (Victims) | High-profile targets, including a prominent Jewish figure and likely other political and diplomatic entities. |
Methodology | Social engineering through multi-email phishing and fake podcast invitations. Use of ZIP archives, LNK files, and obfuscated PowerShell scripts to deliver malware. |
Product Targeted | Intelligence gathering and exfiltration using PowerShell malware, mainly targeting political and diplomatic figures. |
Malware Reference | BlackSmith malware toolkit (AnvilEcho PowerShell Trojan). Previous tools include GorjolEcho, PowerStar, and MischiefTut. |
Tools Used | LNK files, PowerShell, ZIP archives, steganography (used in Beautifull.jpg), various DLL files (soshi.dll, toni.dll), C++ toolset for BlackSmith, and various network C2 servers. |
Vulnerabilities Exploited | Malware uses multiple evasion techniques, such as bypassing SSL certificate validation, disabling antivirus detection, and obfuscating execution paths. |
TTPs | Phishing with fake invitations, PowerShell scripting for remote access, use of encrypted C2 channels, and exfiltration via FTP/Dropbox. |
Attribution | TA453 is assessed to operate in support of the IRGC-IO, with links to other Iranian-aligned threat groups (e.g., APT42). |
Recommendations | Enhanced phishing detection, network monitoring for unusual traffic, and blocking known C2 domains. |
Source | Proofpoint analysis of the malware and campaign, with references to various external sources confirming TA453’s activities. |
Read full article: https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
The above summary has been generated by an AI language model
Leave a Reply