
Attack campaign with new AnvilEcho malware launched by Iranian hackers


Iranian state-backed threat group TA453 (also tracked as APT42, Damselfly, Charming Kitten, Yellow Garuda, and Mint Sandstorm) has been distributing the new AnvilEcho PowerShell trojan in a spear phishing campaign against a prominent Jewish figure that began late last month, The Hacker News reports.

According to an analysis from Proofpoint, TA453 first impersonated the research director of the Institute for the Study of War in phishing emails inviting the target to appear as a podcast guest, then sent follow-up messages containing a password-protected DocSend URL and a Google Drive URL pointing to a ZIP archive. The ZIP archive contained an LNK file that deploys the BlackSmith toolset, which in turn executes the AnvilEcho malware. AnvilEcho provides intelligence gathering and exfiltration capabilities, including system reconnaissance, remote file downloading, screenshot capturing, and data uploading, the report showed. "This malware deployment attempting to target a prominent Jewish figure likely supports ongoing Iranian cyber efforts against Israeli interests. TA453 is doggedly consistent as a persistent threat against politicians, human rights defenders, dissidents, and academics," said Proofpoint researcher Joshua Miller.
