Source |
ProofPoint |
Identifier |
8560720 |
Publication date |
2024-08-20 05:00:25 (viewed: 2024-08-20 09:17:29) |
Title |
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset |
Text |
Key findings
Proofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation.
The initial interaction used a benign email to start a conversation and build trust, so that the target would subsequently click a follow-up malicious link.
The attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho by Proofpoint.
The malware, which uses encryption and network communication techniques similar to previously observed TA453 samples, is designed to enable intelligence gathering and exfiltration.
AnvilEcho contains all of TA453's previously identified malware capabilities in a single PowerShell script rather than the modular approach previously observed.
Overview
Starting 22 July 2024, TA453 contacted multiple email addresses for a prominent Jewish figure while pretending to be the Research Director for the Institute for the Study of War (ISW). The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453. It is likely that TA453 was attempting to normalize the target clicking a link and entering a password so the target would do the same when they delivered malware.
Initial July 2024 approach from TA453.
DocSend contents containing the podcast themed text.
Proofpoint first observed TA453 spoofing the Institute for the Study of War (ISW) in phishing campaigns targeting other organizations starting in February 2024, almost immediately after registering the domain in late January 2024. The spoofing theme is consistent with broader TA453 phishing activity reported by Google Threat Intelligence Group in August 2024.
TA453 initially sent the fake podcast invitation to the religious figure at multiple email accounts, specifically both the target's organizational email address along with their personal email address. Phishing multiple email addresses associated with a target has been observed by a number of state aligned threats, including TA427. TA453 continued to establish their legitimacy by sending emails from understandingthewar[.]org and including a TA453 controlled Hotmail account in the email signature.
After another reply from the target, TA453 replied with a GoogleDrive URL leading to a ZIP archive named “Podcast Plan-2024.zip”. The ZIP contained an LNK titled “Podcast Plan 2024.lnk”. The LNK delivered the BlackSmith toolset, which eventually loaded TA453's AnvilEcho PowerShell trojan.
Fake podcast invitation containing a malicious URL.
Malware analysis
Old habits die screaming, and TA453 sticks to its habits. Our analysis of the malware from this TA453 campaign demonstrates that the developers working for TA453 have not given up on using modular PowerShell backdoors. They continue to attempt to evade detections by convoluting the infection chain in order to limit and avoid detection opportunities while collecting intelligence. The toolset observed in this infection chain is likely the successor of GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower. The first TA453 backdoor was detected by Proofpoint in Fall 2021. Rather than deploy each PowerShell module separately, TA453 attempts to bundle the entire framework into a single large PowerShell script dubbed AnvilEcho by Proofpoint.
Timeline of TA453 malware.
Infection chain
The LNK is used to smuggle additional files. It hides behind a decoy PDF as an overlay and extracts the contents of the ZIP folder to %TEMP%. The ZIP folder contains Beautifull.jpg, mary.dll, qemus (the encrypted AnvilEcho PowerShell script), soshi.dll, and toni.dll. A PDB path of E:\FinalS |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Threat
Studies
|
Stories |
APT 35
APT 42
|