A well-known Iranian APT group has revamped its malware arsenal in a campaign against a prominent figure of the Jewish faith, security researchers have found. The new toolset, called BlackSmith, combines many features from the group’s previous tools with a new malware loader and a PowerShell-based Trojan, and may be used as part of a larger cyberespionage campaign targeting Israel and the US.
The group, tracked as TA453 by security researchers from Proofpoint, is also known in the security industry as Mint Sandstorm, APT42, Yellow Garuda, or Charming Kitten, and is believed to be associated with the Islamic Revolutionary Guard Corps, a major branch of the Iranian Armed Forces.
“Although Proofpoint analysts cannot directly link TA453 to individual members of the Islamic Revolutionary Guard Corps (IRGC), Proofpoint continues to assess whether TA453 is working in support of the IRGC, specifically the IRGC Intelligence Organization (IRGC-IO),” researchers at the email and data security company wrote in a report on the BlackSmith toolkit.
Researchers from Google’s Threat Analysis Group (TAG) recently reported an APT42 campaign targeting Israeli military, defense, diplomats, academics, and members of the public. TAG also confirmed that earlier this year APT42 targeted individuals connected to President Biden and former President Trump.
This month, Trump’s presidential campaign officials confirmed that hackers obtained sensitive information from the organization as a result of a successful phishing campaign. The US intelligence community officially attributed the attack to Iran and warned this week that campaigns of both political parties were targeted.
APT42 uses advanced phishing techniques that involve impersonating many organizations and individuals known to, or of interest to, their victims. Instead of delivering a malicious payload immediately, the attackers first strike up long conversations with their targets to build rapport and gain trust. Sometimes this involves impersonating more than one person, such as a well-known expert or academic, within a single email chain to build legitimacy.
Fake podcast invite
In the campaign observed by Proofpoint, which began at the end of July, TA453 posed as the research director of the Institute for the Study of War (ISW), a well-known think tank and research organization specializing in the analysis of armed conflicts. The target, a prominent Jewish figure, was approached with an invitation to appear as a guest on the ISW podcast.
After the victim responded, the attackers sent a URL pointing to DocSend, a document-sharing service, where a password-protected .txt file was hosted. The file was benign and contained a link to the official ISW podcast. Proofpoint researchers believe the attackers used this step to condition the victim to clicking the URL, entering the password, and opening the file, so that they would feel safe doing the same later when a real malicious payload was delivered.
After the victim replied again to accept the invitation to participate in the podcast, the attackers sent another email with a URL to a password-protected ZIP archive hosted on Google Drive, which they presented as a contract and podcast session plan.
BlackSmith infection chain leads to new Trojan AnvilEcho
This archive, named “Podcast Plan-2024.zip”, contained a Windows shortcut (LNK) file that, when clicked, opened a decoy PDF file while dropping the other malicious components of the BlackSmith toolset: a PNG image called Beautifull.jpg, three DLL files, and an encrypted file called qemus.
“The PDB path of E:FinalSmithblacksmithblacksmith indicates that developers refer to a multi-component tool set written in C++ as ‘BlackSmith’,” the researchers wrote. “This name was previously used by the TA453 POWERLESS browser hijacking module as reported by Volexity. The browser hijacking module is one of the capabilities included in the final phase of the BlackSmith malware toolset.”
The first file loaded into memory is soshi.dll, which acts as an installer for the other components. It searches for toni.dll, mary.dll, and Beautifull.jpg in the current directory, and if any of them is missing for some reason, it tries to extract it from a hard-coded directory. The installer also decrypts the file embedded inside Beautifull.jpg and saves it as videogui.exe.
The mary.dll file is a single-purpose loader, responsible for loading malicious payloads directly into memory, decompressing them, and executing them. The toni.dll file checks for antivirus products, applies other detection-evasion techniques, and establishes persistence by registering a service on the system.
Finally, videogui.exe loads the last payload, which is stored in encrypted form in the qemus file: a trojan written in PowerShell that Proofpoint researchers call AnvilEcho.
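The dropper archive described above has structure a defender can check for before a user ever clicks: a shortcut file bundled with DLLs, and an image whose content type does not match its extension (the report describes Beautifull.jpg as a PNG). The following Python script is an added illustration of that triage, not code from the article or from Proofpoint; the member names it matches on are the ones named in the article, the sample archive it builds is constructed in memory for demonstration, and the finding labels are this example's own.

```python
import io
import zipfile
from dataclasses import dataclass

# File names the article attributes to the BlackSmith dropper archive.
# Name matching is brittle (a rebuild renames everything), so the structural
# checks below are the part worth keeping in a real pipeline.
BLACKSMITH_COMPONENT_NAMES = {
    "beautifull.jpg", "soshi.dll", "toni.dll", "mary.dll", "qemus",
}

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Shell link header: HeaderSize 0x4C followed by the LNK CLSID.
LNK_HEADER = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


@dataclass
class Finding:
    member: str
    reason: str


def triage_archive(data: bytes) -> list:
    """Inspect an in-memory ZIP and return a list of Findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
        lowered = [m.lower() for m in members]
        for member, low in zip(members, lowered):
            base = low.rsplit("/", 1)[-1]
            with zf.open(member) as fh:
                head = fh.read(32)
            # Structural check 1: a Windows shortcut inside an archive.
            if low.endswith(".lnk") or head.startswith(LNK_HEADER):
                findings.append(Finding(member, "Windows shortcut inside archive"))
            # Structural check 2: image extension that lies about its content.
            if low.endswith((".jpg", ".jpeg")) and head.startswith(PNG_MAGIC):
                findings.append(Finding(member, "PNG content under .jpg extension"))
            # Weak check: names taken from the published description.
            if base in BLACKSMITH_COMPONENT_NAMES:
                findings.append(Finding(member, "known BlackSmith component name"))
        has_lnk = any(n.endswith(".lnk") for n in lowered)
        has_dll = any(n.endswith(".dll") for n in lowered)
        if has_lnk and has_dll:
            findings.append(Finding("<archive>", "LNK shipped alongside DLLs"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed look-alike of the dropper layout; contents are filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        d = "Podcast Plan-2024/"
        zf.writestr(d + "Podcast Plan-2024.lnk", LNK_HEADER + b"\x00" * 56)
        zf.writestr(d + "Beautifull.jpg", PNG_MAGIC + b"\x00" * 64)
        for dll in ("soshi.dll", "toni.dll", "mary.dll"):
            zf.writestr(d + dll, b"MZ" + b"\x00" * 62)
        zf.writestr(d + "qemus", bytes(range(64)))  # stands in for encrypted blob
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """A harmless archive with a single PDF, used as a negative control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("contract.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f"{f.member}: {f.reason}")
    print("clean archive findings:", triage_archive(build_clean_archive()))
```

The name list is deliberately the weakest signal here: the shortcut-plus-DLL pairing and the extension/content mismatch survive a rename, while a hard-coded list of file names does not, so the structural findings are the ones worth alerting on.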
TA453 has used modular VBS and PowerShell scripts in the past to implement different functions, but AnvilEcho looks like an attempt to combine all of those previous features into one comprehensive script of about 2200 lines of code.
AnvilEcho’s strengths lie in intelligence gathering and data exfiltration. The script collects a large amount of information about the system, including installed antivirus products, and sends it to the command and control server along with a unique ID generated on the victim machine. It then listens for commands from the server and executes the corresponding tasks implemented in its code.
These tasks include browsing for specific files on the system, taking screenshots, recording audio, stealing information from the local browser, downloading and running files, uploading files via FTP or Dropbox, and more.
“Through BlackSmith, TA453 created a complex set of tools and directed its malware operations from a separate set of individual scripts into a fully functional PowerShell trojan,” the researchers wrote.
The Proofpoint report includes indicators of compromise such as file hashes and malicious domains used by the group that security teams can use to build detections.