Iranian state-backed hackers are using a novel intelligence-gathering tool called AnvilEcho to target a prominent Jewish leader.
Security firm Proofpoint discovered the campaign, which began in late July 2024 and is linked to a group known as TA453 (also tracked as APT42, Charming Kitten, and other names). TA453 is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) and targets individuals aligned with Iranian political and military adversaries.
Deceptive Tactics Lure Victim
The attack used elaborate social engineering tactics. Hackers impersonated a Research Director at the Institute for the Study of War (ISW) and contacted the target via email, inviting them to participate in a podcast.
The initial email likely contained a benign attachment to build trust, followed by a password-protected DocSend link leading to a text file with a legitimate ISW podcast URL. This elaborate setup aimed to condition the victim to treat clicking links and entering passwords as routine, so that the later malicious link would raise no suspicion.
Later emails included a Google Drive link containing a ZIP archive ("Podcast Plan-2024.zip"). This archive, however, contained a malicious Windows shortcut (LNK) file that delivered the BlackSmith toolset. BlackSmith, in turn, deployed AnvilEcho.
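The delivery stage above turns on one detail: a ZIP archive whose payload is a Windows shortcut (LNK) rather than the document the name promises. As an added example (not code from Proofpoint or from the article), the Python scanner below inspects every member of a ZIP and flags shortcut files by two independent signals: a `.lnk` extension (including the double-extension trick such as `something.pdf.lnk`) and the ShellLink file header, so a shortcut renamed to `.pdf` is still caught. The archive it scans is constructed inline and is not the real "Podcast Plan-2024.zip"; the member names and the header-only "shortcut" bytes are sample data. Password-protected members cannot be read without the password, so the scanner reports them by name and says so rather than silently skipping them.

```python
"""Flag Windows shortcut (LNK) payloads inside a ZIP archive, named or disguised."""
import io
import zipfile
from dataclasses import dataclass

# A ShellLink file starts with HeaderSize 0x0000004C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


@dataclass(frozen=True)
class Finding:
    name: str            # archive member name as stored in the ZIP
    reasons: tuple       # one or more of the rule labels below


def scan_zip_bytes(data: bytes) -> list:
    """Return one Finding per suspicious member; an empty list means nothing LNK-like."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            lower = info.filename.lower()
            if lower.endswith(".lnk"):
                reasons.append("lnk-extension")
                if lower.count(".") > 1:
                    # e.g. "Podcast Plan-2024.pdf.lnk": a document name hiding a shortcut
                    reasons.append("double-extension")
            if info.flag_bits & 0x1:
                # Password-protected member: the name can be checked but not the bytes.
                reasons.append("encrypted-not-inspected")
            else:
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
                if head == LNK_MAGIC:
                    # Content says "shortcut" regardless of what the extension claims.
                    reasons.append("shelllink-header")
            if reasons:
                findings.append(Finding(info.filename, tuple(reasons)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not the real lure): one plainly named shortcut,
    one shortcut disguised as a PDF, and one harmless text file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 60   # header bytes only; not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Podcast Plan-2024/Podcast Plan-2024.pdf.lnk", fake_lnk)
        zf.writestr("Podcast Plan-2024/agenda.pdf", fake_lnk)   # LNK bytes, PDF name
        zf.writestr("Podcast Plan-2024/notes.txt", b"Episode outline\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_bytes(build_sample_archive()):
        print(f"{f.name}: {', '.join(f.reasons)}")
```

Checking the header as well as the name matters because mail gateways that match only on `*.lnk` miss a shortcut carrying a document extension; checking the name as well as the header matters because an encrypted archive hides the bytes but not the member names.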
AnvilEcho: A Multifaceted Espionage Tool
AnvilEcho is a powerful PowerShell trojan designed for extensive intelligence gathering. It can:
Conduct system reconnaissance
Capture screenshots
Download remote files
Exfiltrate sensitive data through FTP and Dropbox
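The exfiltration channels listed above (FTP and Dropbox) are a useful hunting signal because a PowerShell process, unlike a browser or a sync client, rarely has a legitimate reason to talk to either. As an added example, not code from the article or from Proofpoint, the Python below applies two simple rules to process-attributed network events: PowerShell connecting to a Dropbox API or web host, and PowerShell connecting on TCP port 21. The log shape is an assumption for the example (a constructed pipe-delimited `timestamp|image|destination_host|destination_port` export, of the kind a Sysmon network-connection event could be reduced to); the sample lines, hosts and addresses are constructed and are not indicators from the campaign.

```python
"""Flag PowerShell network connections to Dropbox hosts or FTP in process-attributed events."""
from dataclasses import dataclass
from typing import Optional

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    image: str
    destination: str


def parse_event(line: str) -> Optional[dict]:
    """Parse 'timestamp|image|host|port'; return None for malformed lines."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 4:
        return None
    ts, image, host, port = parts
    try:
        port_num = int(port)
    except ValueError:
        return None
    return {"ts": ts, "image": image, "host": host.strip().lower(), "port": port_num}


def is_dropbox_host(host: str) -> bool:
    """Match the Dropbox web and API domains and their subdomains."""
    return host in ("dropbox.com", "dropboxapi.com") or host.endswith(
        (".dropbox.com", ".dropboxapi.com")
    )


def flag_events(lines) -> list:
    """Return one Alert per (event, rule) match, in input order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is None:
            continue
        # Reduce a full Windows path to the executable name, case-insensitively.
        image_name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image_name not in SCRIPT_HOSTS:
            continue
        dest = f'{ev["host"]}:{ev["port"]}'
        if is_dropbox_host(ev["host"]):
            alerts.append(Alert(n, "powershell-to-dropbox", image_name, dest))
        if ev["port"] == 21:
            alerts.append(Alert(n, "powershell-ftp", image_name, dest))
    return alerts


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    r"2024-07-29T10:01:05Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|api.dropboxapi.com|443",
    r"2024-07-29T10:01:09Z|C:\Program Files\Mozilla Firefox\firefox.exe|www.dropbox.com|443",
    r"2024-07-29T10:02:41Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|203.0.113.7|21",
    r"2024-07-29T10:03:00Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|update.example.internal|443",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for a in flag_events(SAMPLE_EVENTS):
        print(f"line {a.line_no}: {a.rule} {a.image} -> {a.destination}")
```

The browser reaching `www.dropbox.com` on line 2 is deliberately not flagged: the rule keys on the originating process, which is what separates routine file sharing from a script host exfiltrating data. Port 21 is only the FTP control channel, so a real deployment would also want to see the data connection or the command stream, but the process-plus-destination pairing is already enough to triage.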
Iranian Targeting Priorities
Proofpoint researchers believe this attack aligns with TA453's history of targeting individuals critical of Iranian interests, including politicians, human rights defenders, and academics. The specific targeting of a Jewish leader suggests the attack may support broader Iranian cyber efforts against Israel.
The Importance of Vigilance
This incident highlights the sophisticated tactics employed by Iranian cyber actors. Organizations and individuals should remain vigilant against social engineering attempts, be cautious of unsolicited emails, and avoid clicking suspicious links or downloading unknown attachments.