Prominent Jewish rabbi targeted by Iranian phishers masquerading as podcasters


Iranian threat actor TA453, known for going to great lengths in its spear-phishing campaigns, recently attempted to target a well-known religious figure in Israel. They set up a trap by inviting the rabbi to join a podcast about “Jewish life in the Muslim world.”

Proofpoint researchers have identified a new campaign by the threat actor, which is tracked under several names, including TA453, APT42, Charming Kitten, Yellow Garuda, and ITG18.

The hackers were armed with a new malware toolkit called BlackSmith, which delivers a PowerShell trojan dubbed AnvilEcho.

They attempted to lure the Jewish rabbi with a benign email on July 22nd, 2024. Posing as a podcast host and the Research Director for the Institute for the Study of War (ISW), they tried to build a conversation and trust.

To appear legitimate, the malicious actors created a deceptive site with the name understandingthewar[.]org. Their ultimate goal, however, was to get the target to click on a malicious link.


“After receiving a response from the target, TA453 replied with a DocSend (a service for secure document sharing) URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453,” Proofpoint’s report reads.

TA453 attempted to normalize clicking a link and entering a password so the target would do the same when they delivered malware.

After a few exchanges, TA453 replied with a Google Drive URL leading to a ZIP archive named “Podcast Plan-2024.zip.” The ZIP contained an LNK file titled “Podcast Plan 2024.lnk”. An LNK is a shortcut file that usually points to other files or programs. In this case, the LNK was hidden behind a decoy PDF as an overlay, and it smuggled additional files that delivered the BlackSmith toolset, which eventually loaded TA453’s AnvilEcho PowerShell trojan.
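As an added illustration of how a defender might triage this delivery pattern (this is example code, not Proofpoint's tooling or anything from the report), the script below opens a ZIP, picks out .lnk entries, checks the Shell Link header, and flags a shortcut that carries a decoy PDF overlay or is far larger than a real shortcut should be. The sample archive and shortcut bytes are constructed inline and contain only markers, no payload.

```python
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# A Shell Link file starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, stored little-endian on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def inspect_lnk(data: bytes) -> dict:
    """Return triage facts about one candidate .lnk blob."""
    is_lnk = (
        len(data) >= 0x14  # need HeaderSize plus the 16-byte CLSID
        and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
        and data[4:20] == LNK_CLSID
    )
    # A PDF magic string after the shortcut header means a document is riding
    # inside the shortcut, as with the decoy overlay described above.
    pdf_offset = data.find(b"%PDF-") if is_lnk else -1
    return {
        "is_lnk": is_lnk,
        "size": len(data),
        "embedded_pdf_offset": pdf_offset,
        # Real shortcuts are a few hundred bytes; 16 KiB is an assumed threshold.
        "oversized": len(data) > 16 * 1024,
    }


def scan_zip(zip_bytes: bytes) -> list:
    """Inspect every .lnk entry in a ZIP and mark the suspicious ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            facts = inspect_lnk(zf.read(info))
            facts["name"] = info.filename
            facts["suspicious"] = facts["is_lnk"] and (
                facts["embedded_pdf_offset"] > 0 or facts["oversized"]
            )
            findings.append(facts)
    return findings


def build_sample_zip() -> bytes:
    """Constructed input: a ZIP holding a shortcut with a PDF marker after its header."""
    fake_lnk = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    fake_lnk += b"\x00" * (LNK_HEADER_SIZE - 20) + b"\x00" * 200
    fake_lnk += b"%PDF-1.7\n%decoy document bytes\n" + b"A" * 20000
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Podcast Plan 2024.lnk", fake_lnk)
        zf.writestr("notes.txt", b"benign")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports the single shortcut entry as suspicious, with the PDF marker found 276 bytes in; the text entry is ignored.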

“They continue to attempt to evade detections by convoluting the infection chain in order to limit and avoid detection opportunities while collecting intelligence,” researchers said.

They noted that the threat actor bundled an entire framework into a single malicious PowerShell rather than deploying each module separately.

TA453’s malware contains multiple functions with a clear focus on intelligence collection and exfiltration. The code suggests that the actor has previously used legitimate services, such as Dropbox, for exfiltration.

“These efforts likely support intelligence collection in support of Iranian government interests,” Proofpoint said.

TA453 has become known as a master of disguise with many personas, using a wide range of social engineering techniques to convince targets to engage with malicious content. Previously, it was observed impersonating journalists.

“Sending legitimate links to a target and referencing a real podcast from the spoofed organization can build user trust. When a threat actor builds a connection with a target over time before delivering the malicious payload, it increases the likelihood of exploitation,” Proofpoint researchers warn.

TA453 has also created a sophisticated intelligence collection toolkit to back its spear-phishing efforts.