AnvilEcho Infostealer

Iranian state-sponsored threat actors have been linked to spear-phishing campaigns aimed at a prominent Jewish figure starting in late July 2024. The attackers' goal was to deploy a new intelligence-gathering tool known as AnvilEcho.

Cybersecurity researchers have identified this activity as TA453, a group also known in the cybersecurity community by various names, including APT42 (Mandiant), Charming Kitten (CrowdStrike), Damselfly (Symantec), Mint Sandstorm (Microsoft), and Yellow Garuda (PwC).

The attackers first established contact with the target through a harmless email to build rapport, intending to convince them later on to click a malicious link.

Threat Actors Deploy Previously Unknown Malware

The attack chain aimed to deploy a new malware toolkit called BlackSmith, which in turn delivered a PowerShell Trojan known as AnvilEcho.

TA453 is believed to be linked to Iran's Islamic Revolutionary Guard Corps (IRGC), conducting targeted phishing campaigns to further the country's political and military objectives. Research data indicates that approximately 60% of APT42's geographic targeting has been directed at the U.S. and Israel, with additional targets including Iran and the U.K.

Their social engineering tactics are both relentless and convincing. The attackers impersonate legitimate organizations and journalists to engage potential victims, gradually building trust before trapping them with malware-laden documents or fake credential phishing pages.

Multi-stage Phishing and Social Engineering Chain

In earlier campaigns, APT42 engaged targets with a social engineering pretext to arrange a video meeting, sending them to a landing page that prompted them to log in and then redirected them to a credential phishing page. Another approach involved sending legitimate PDF attachments as part of a social engineering scheme to build trust and encourage further interaction on platforms such as Signal, Telegram or WhatsApp.

The most recent attacks began on July 22, 2024, with the threat actor reaching out to multiple email addresses associated with an unnamed Jewish figure. They posed as the Research Director of the Institute for the Study of War (ISW) and invited the target to participate as a guest on a podcast.

In response to the target's inquiry, TA453 is reported to have sent a password-protected DocSend URL, which led to a text file containing a link to a legitimate ISW-hosted podcast. The fraudulent emails were sent from the domain understandingthewar.org, an attempt to mimic the actual ISW website (understandingwar.org).

Researchers believe TA453's strategy was to acclimate the target to clicking on links and entering passwords, making them more likely to fall for future malware deliveries. In subsequent messages, the threat actor sent a Google Drive URL hosting a ZIP archive ('Podcast Plan-2024.zip'), which contained a Windows shortcut (LNK) file designed to deploy the BlackSmith toolkit.
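The delivery step above (a ZIP archive carrying a Windows shortcut) is a pattern a mail gateway or incident-response triage script can check for. The following is an added example, not code from the original report or from any vendor; it flags archive entries that are Shell Link files by their on-disk header as well as by extension, and the archive contents it builds are constructed sample data, not the real 'Podcast Plan-2024.zip'.

```python
import io
import zipfile

# Every Windows Shell Link (.lnk) starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, both little-endian on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def find_shortcuts_in_zip(data: bytes) -> list:
    """Return the names of archive entries that are Windows shortcuts.

    An entry is flagged if its name ends in .lnk OR its first bytes match the
    Shell Link header, so a shortcut renamed to .txt or .pdf is still caught.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_extension = info.filename.lower().endswith(".lnk")
            by_header = head == LNK_MAGIC
            if by_extension or by_header:
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: a benign PDF, a shortcut with a double extension,
    and a shortcut disguised with a .txt name (header is still a Shell Link)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Podcast Plan-2024.pdf", b"%PDF-1.4\n% constructed lure\n")
        zf.writestr("Podcast Plan-2024.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample with no shortcut entries at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.pdf", b"%PDF-1.4\n% constructed document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_shortcuts_in_zip(build_sample_archive()):
        print("shortcut found in archive:", name)
```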

AnvilEcho is a Potent Data-Harvesting Threat

AnvilEcho, delivered via the BlackSmith toolkit, is considered a likely successor to previous PowerShell implants such as CharmPower, GorjolEcho, POWERSTAR and PowerLess. BlackSmith is also designed to present a lure document as a distraction.

It's noteworthy that the name 'BlackSmith' has previously been associated with a browser stealer component identified by infosec experts earlier this year. This component was linked to a campaign distributing BASICSTAR, targeting high-profile individuals involved in Middle Eastern affairs.

AnvilEcho is a sophisticated PowerShell trojan with extensive functionality, primarily aimed at intelligence collection and data exfiltration. Its key features include system reconnaissance, taking screenshots, downloading remote files, and uploading sensitive data via FTP and Dropbox.

TA453's phishing campaigns consistently align with the intelligence priorities of the IRGC. This particular malware deployment targeting a prominent Jewish figure appears to be part of Iran's broader cyber efforts against Israeli interests. TA453 remains a persistent threat, focusing on politicians, human rights defenders, dissidents and academics.
