Threats Feed | TA453 | Last Updated: 02/10/2024 | Author: Certfa Radar | Publish Date: 20/08/2024

TA453 Targets Jewish Religious Leader with Sophisticated BlackSmith Malware

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, Phishing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

Iranian threat actor TA453 targeted a prominent Jewish religious figure with a fake podcast invitation, delivering the new BlackSmith malware toolkit. The attack leveraged spearphishing links and malicious LNK files to deploy the AnvilEcho PowerShell trojan. AnvilEcho consolidates TA453’s previous malware capabilities into a single script, facilitating intelligence gathering and system reconnaissance. The malware evades detection through obfuscation, steganography, and encrypted communications with TA453-controlled infrastructure. The operation, aligned with Iranian government interests, highlights TA453’s evolving tactics to support espionage.

Detected Targets

Type | Description | Confidence
Case | Institute for the Study of War (ISW): an American nonprofit research group and think tank founded in 2007 by military historian Kimberly Kagan and headquartered in Washington, D.C. ISW provides research and analysis on defense and foreign affairs issues. ISW has been targeted by TA453 for malicious purposes. | Verified
Sector | Religious | Verified
Region | Israel | Verified

Extracted IOCs


Tip: 15 related IOCs (2 IP, 5 domain, 0 URL, 0 email, 8 file hash) to this threat have been found.

Overlaps

APT42 | APT42 Targets Israeli and U.S. High-Profile Sectors with Sophisticated Phishing Campaigns

Source: Google - August 2024

Detection (one case): understandingthewar[.]org

APT42 | APT42: Iranian Cyber Espionage Campaign Targets Global NGO and Media Sectors

Source: Google Cloud - May 2024

Detection (one case): d75[.]site

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.