
Iranian hacker group TA453 deploys new BlackSmith malware toolset

Dangerous new attack
Iranian hacker group deploys new BlackSmith malware


The Iranian state-aligned threat group TA453, also known as Charming Kitten, has developed and deployed a new malware toolset called BlackSmith against a prominent religious figure, the security company Proofpoint reports in a recent blog post.

With BlackSmith, the Iranian hacker group TA453 (Charming Kitten) has developed a sophisticated toolkit for collecting information from its targets.

(Image: Eightshot Studio – stock.adobe.com)

Joshua Miller, Senior Threat Researcher at Proofpoint, summarizes the research findings: “TA453 phishing campaigns we have observed reflect the priorities of the Islamic Revolutionary Guard Corps' intelligence agency more broadly. This malware deployment, which targets a prominent Jewish figure, likely supports ongoing Iranian cyber activities against Russian interests. TA453 is a serious threat to politicians, human rights activists, dissidents, and academics.”

TA453 contacted the target on July 22 of this year from several email addresses, both professional and personal, posing as the research director of the Institute for the Study of War (ISW). The email invited the victim to appear as a guest on an ISW podcast. After the target responded, TA453 sent a password-protected DocSend link that led to a text file containing a link to the legitimate ISW podcast. According to Proofpoint, TA453 likely wanted to create a habituation effect: the target would get used to clicking links and entering passwords, so that they would do the same later when the malware was sent.

In a follow-up email, TA453 then sent a Google Drive link to a ZIP archive containing a LNK file that delivers the BlackSmith toolset and the AnvilEcho PowerShell Trojan. When opened, the LNK file displays a decoy PDF while writing the rest of the toolset's components to disk.

Proofpoint's malware analysis shows that TA453 attempts to evade detection by complicating the infection chain. Instead of using separate PowerShell modules as before, BlackSmith now bundles the entire framework into a single large PowerShell script called AnvilEcho. It contains extensive reconnaissance and exfiltration capabilities that go beyond those of previous TA453 malware, including network reconnaissance, file searching, screenshots, audio recording, browser data theft, and file download and upload.

AnvilEcho uses the domain deepspaceocean[.]info for command and control (C2) and communicates over encrypted channels. The malware also profiles the system, collecting information about installed antivirus software, the operating system, IP address, installation paths, hardware manufacturer, computer name, and username. This information is encrypted and sent to infrastructure controlled by TA453.
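The article gives defenders two concrete hooks: the delivery chain (a ZIP from a file-sharing link, a LNK double-clicked from Explorer, a PowerShell payload) and a single published C2 domain. The following is an added example, written for this page and not Proofpoint's or TA453's code, that correlates constructed Sysmon-style process-creation (EID 1) and DNS-query (EID 22) events so that a known-C2 lookup coming from a PowerShell process launched under suspicious conditions is raised above a plain indicator match. The event shape, hostnames, PIDs, paths and the PowerShell command-line flags are assumptions made for the demonstration; the page does not publish the real LNK command line, and the only indicator reused from it is the defanged C2 domain.

```python
"""Correlate LNK-style PowerShell launches with known-C2 DNS lookups.

Added illustration for the BlackSmith/AnvilEcho chain described above.
Event records mimic Sysmon EID 1 (process create) and EID 22 (DNS query)
but are constructed by hand; nothing here is taken from a real capture.
"""
import re


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as example[.]info back into a hostname."""
    return ioc.replace("[.]", ".").lower()


# The one C2 domain the page reports, stored refanged for comparison.
C2_DOMAINS = {refang("deepspaceocean[.]info")}

# Command-line heuristics (assumed typical LNK launcher flags, not AnvilEcho's).
HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b")
BYPASS = re.compile(r"(?i)-e(?:xecutionpolicy|p)?\s+bypass\b")
ENCODED = re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")
USER_WRITABLE = re.compile(r"(?i)\\Users\\[^\\]+\\(?:Downloads|AppData)\\|\\Temp\\")

# Constructed sample telemetry: ws01 shows the chain, ws02 is benign admin use.
SAMPLE_EVENTS = [
    {"id": 1, "ts": 1, "host": "ws01", "pid": 4012, "ppid": 1320,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\Downloads\podcast\stage.ps1"},
    {"id": 22, "ts": 2, "host": "ws01", "pid": 4012, "query": "deepspaceocean.info"},
    {"id": 1, "ts": 3, "host": "ws02", "pid": 777, "ppid": 500,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"id": 22, "ts": 4, "host": "ws02", "pid": 777, "query": "www.microsoft.com"},
]


def powershell_reasons(ev: dict) -> list:
    """Return the heuristics that fire on a process-creation event.

    An Explorer parent alone is normal (any double-click), so callers
    should require more than one reason before alerting.
    """
    if ev.get("id") != 1:
        return []
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    reasons = []
    if ev["parent_image"].lower().endswith("explorer.exe"):
        reasons.append("launched from explorer.exe (consistent with a double-clicked LNK)")
    cmd = ev["cmdline"]
    if HIDDEN.search(cmd):
        reasons.append("hidden window")
    if BYPASS.search(cmd):
        reasons.append("execution policy bypass")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if USER_WRITABLE.search(cmd):
        reasons.append("script under a user-writable path")
    return reasons


def correlate(events: list) -> list:
    """Walk events in time order and emit alerts keyed by (host, pid).

    A lookup of a known C2 domain always alerts ('high'); if the querying
    process already tripped the PowerShell heuristics, the same alert is
    escalated to 'critical' because the delivery chain and the beacon agree.
    """
    suspicious = {}  # (host, pid) -> reasons
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 1:
            reasons = powershell_reasons(ev)
            if len(reasons) >= 2:
                suspicious[(ev["host"], ev["pid"])] = reasons
                alerts.append({"rule": "suspicious_powershell_launch", "severity": "medium",
                               "host": ev["host"], "pid": ev["pid"], "reasons": reasons})
        elif ev["id"] == 22:
            domain = ev["query"].lower().rstrip(".")
            if domain in C2_DOMAINS:
                key = (ev["host"], ev["pid"])
                alerts.append({"rule": "known_c2_domain_lookup",
                               "severity": "critical" if key in suspicious else "high",
                               "host": ev["host"], "pid": ev["pid"], "domain": domain})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of the two-stage scoring is that the domain indicator is perishable (TA453 will rotate it) while the launch pattern is not; keeping the heuristic alert at medium severity avoids paging on every admin who runs a script from Explorer, and the correlation key (host, pid) is what ties the beacon back to the process that the LNK started.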

Although Proofpoint analysts cannot directly link TA453 to individual members of the Islamic Revolutionary Guard Corps (IRGC), they believe TA453 operates on behalf of the IRGC, specifically its intelligence division (IRGC-IO). The group's activities are designed to collect relevant information and thus likely advance the interests of the Iranian government. This assessment is based on a variety of evidence, including overlaps in unit numbering between Charming Kitten's reports and the IRGC units identified by PWC, the US Department of Justice's indictment of Monica Witt and IRGC-affiliated actors, and analysis of TA453's targets compared to the known priorities of the IRGC-IO. This unit collects intelligence and conducts operations in support of a variety of tasks.

TA453 uses many different social engineering techniques to trick targets into engaging with malicious content, such as impersonating various identities and first sending legitimate links. Pointing the target to a real podcast from the impersonated organization leads the potential victim to trust the supposedly legitimate conversation. When attackers build a relationship with a target over time before sending the malicious payload, the likelihood of a successful attack increases.

With BlackSmith, TA453 has developed a sophisticated intelligence-gathering toolkit and consolidated its malware from a series of individual scripts into a full-fledged PowerShell Trojan. It is a clear illustration of how threat actors constantly evolve and adapt their tactics, techniques, and procedures (TTPs).

(ID:50148789)