A known Iranian APT group has revamped its malware arsenal in a campaign against a prominent Jewish religious figure, security researchers have found. The new toolset, dubbed BlackSmith, bundles most features from the group’s previous tools with a new malware loader and PowerShell-based trojan, and it is likely being used as part of a larger cyberespionage campaign aimed at Israeli and US targets.

The group, tracked as TA453 by security researchers from Proofpoint, is also known in the security industry as Mint Sandstorm, APT42, Yellow Garuda, or Charming Kitten, and it is believed to be associated with the Islamic Revolutionary Guard Corps, the main branch of the Iranian Armed Forces.

“While Proofpoint analysts cannot link TA453 directly to individual members of the Islamic Revolutionary Guard Corps (IRGC), Proofpoint does continue to assess that TA453 operates in support of the IRGC, specifically the IRGC Intelligence Organization (IRGC-IO),” the email and data security firm’s researchers wrote in a report on the BlackSmith toolkit.

Researchers from Google’s Threat Analysis Group (TAG) recently reported an APT42 campaign targeting Israeli military, defense, diplomats, academics, and civil society members. TAG also confirmed that earlier this year APT42 targeted individuals affiliated with President Biden and former President Trump.

This month, Trump presidential campaign officials confirmed that hackers obtained sensitive data from the organization as a result of a successful phishing campaign. The US intelligence community has officially attributed that attack to Iran and warned this week that the campaigns of both political parties have been targeted.

APT42 uses sophisticated spear-phishing techniques that involve impersonating multiple organizations and individuals that are known or of interest to their victims. Instead of delivering a malicious payload right away, the attackers strike longer conversations with their targets first to build rapport and gain trust. Sometimes this involves impersonating more than one person, such as known experts or scholars, as part of a single email thread to build legitimacy.

Fake podcast invitation

In the attack intercepted by Proofpoint, which started at the end of July, TA453 impersonated the research director of the Institute for the Study of War (ISW), a well-known think tank and research organization that specializes in analyzing armed conflicts. The target, a prominent Jewish figure, was approached with an invitation to appear as a guest on ISW’s podcast.

After the victim replied, the attackers followed up with an URL to DocSend, a document sharing service, that was password protected and hosted a .txt file. The file was benign and simply contained a link to the legitimate ISW podcast. Proofpoint’s researchers believe that by using this approach, the attackers intended to normalize clicking on an URL, entering a password and opening a file for the victim, so they would feel safe doing the same in the future when the real malicious payload was delivered.

After another response from the victim accepting the invitation to participate in the podcast, the attackers sent another email with an URL to a password-protected ZIP archive hosted on Google Drive that they presented as a contract and the podcast session plan.

BlackSmith infection chain leads to new trojan AnvilEcho

This archive, named “Podcast Plan-2024.zip” contained a LNK (Windows shortcut) file that when clicked on, opened a decoy PDF file while also dropping other malicious components of the BlackSmith toolset: a PNG image called Beautifull.jpg, three DLL files, and an encrypted file called qemus.

“A PDB path of E:FinalStealerblacksmithblacksmith indicates the developers referred to the multi-component toolset written in C++ as ‘BlackSmith’,” the researchers wrote. “This name was previously used by the TA453 POWERLESS browser stealer module as reported by Volexity. The browser stealer module is one of the capabilities included in the final stage of BlackSmith malware toolset.”

The first file loaded in memory is soshi.dll and this serves as an installer for the other components. It searches for toni.dll, mary.dll, and Beautifull.jpg in the current directory, and if they are not present for some reason, it attempts to download them from a hard-coded domain. The installer also decrypts a file stored inside Beautifull.jpg and saves it as videogui.exe.

The mary.dll file is a loader that has only one function, which is responsible for loading malicious payloads directly in memory, decrypting them, and executing them. The toni.dll file is responsible for performing antivirus checks and other detection evasion routines and to set up persistence by registering a service on the system.

Finally, the videogui.exe is a loader for the final payload that’s stored in encrypted form in the originally dropped qemus file: a trojan program written in PowerShell that the Proofpoint researchers dubbed AnvilEcho.

TA453 used individual modular VBS and PowerShell scripts in the past to implement different functionalities, but AnvilEcho looks like an attempt to bundle all those prior features into a single extensive script that contains 2200 lines of code.

AnvilEcho capabilities are focused on intelligence collection and data exfiltration. The script gathers extensive information about the system, including the antivirus products installed, and sends it to the command-and-control server along with a unique ID generated for the victim machine. It then listens for commands from the server and executes corresponding functions from its code.

These functions include looking for specific files on the system, taking screenshots, recording sound, stealing information from the local browser, downloading and executing files, uploading files via FTP or Dropbox, and more.

“With BlackSmith, TA453 has created a sophisticated intelligence collection toolkit and streamlined its malware functions from a disparate set of individual scripts into a full-service PowerShell trojan,” the researchers wrote.

The Proofpoint report includes indicators of compromise such as file hashes and malicious domains used by the group that can be used by security teams to build detections.