CyberWire Daily - Podcast bait, malware switch. [Research Saturday]
Episode Date: October 5, 2024
Joshua Miller from Proofpoint is discussing their work on "Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset." Proofpoint identified Iranian threat actor TA453 targeting a prominent Jewish figure with a fake podcast interview invitation, using a benign email to build trust before sending a malicious link. The attack attempted to deliver new malware called BlackSmith, containing a PowerShell trojan dubbed AnvilEcho, designed for intelligence gathering and exfiltration. This malware consolidates all of TA453's known capabilities into a single script rather than the previously used modular approach. The research can be found here: Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset
Transcript
You're listening to the CyberWire Network, powered by N2K.
... I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly...
Thank you.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
As we hunt for espionage threats in our data,
one of the things we look at is different lures that we see them use over and over.
And so specifically for TA453, we've seen them use the approach of
being a podcast host before, as well as just a benign conversation to different targets.
That's Joshua Miller, threat researcher at Proofpoint. The research we're discussing today is titled "Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset."
And so that's what really brought this to our attention was this benign conversation that sort of looks suspicious. And obviously pretending to be the Institute for the Study of War is not necessarily something that a cyber criminal or financially motivated threat actor would do, but definitely leans more towards the espionage side of things.
Well, before we dig into some of the details here of the actual campaign, what do we know
about this Iranian threat actor?
Yeah, so TA453, they're also known as Mint Sandstorm, Yellow Garuda,
previously Phosphorus, but probably most well known as Charming Kitten.
They are an Iranian group that we believe supports the IRGC intelligence objectives
and does that through a variety of both credential phishing as well as delivering malware
and also that benign conversation that I mentioned.
Well, let's dig in here.
I mean, I think one of the things at the outset that makes this a little different from most campaigns is,
if I have my information correct, they were targeting a single individual.
Right, and that's one of the key things that we see with this group is a very targeted attack.
So they put in a lot of effort into these campaigns or these approaches, if you will.
And they backstop them. They make them look authentic.
In this case, they target both the individual at their personal email address and their organizational email address.
So sort of establishes that consistency and put a lot of effort into targeting to our visibility as a single individual.
Well, what was the initial contact here? What did it look like?
So the initial post was basically, hey, I'm hosting a podcast about exploring Jewish life in the Muslim world and would like to invite you to be a guest.
They talk about and sort of compliment the individual on their expertise and believe the contributions.
Additionally, they mention doing like a Zoom link
and then basically sort of say, hey, we're super flexible.
Just let us know what works for you.
So really put it on the individual to sort of... they compliment them, they're super easygoing to build that rapport, and are super approachable, I think, to engage the individual and get that engagement back.
So in this initial contact, is there anything that stands out as being malware?
No, and that's really what was interesting in this one.
And then even initially,
after the benign conversation was going back and forth,
they sent a link to a file sharing website
called Dropbox.send.
And in that, they sent a password-protected text file.
So they sort of, I think, in my opinion,
were trying to make sure that the
individual believed the persona. The attachment that they first sent was not malicious. It was
just a link to the podcast that they were spoofing. But they got visibility of whether or not the
individual would click on a link, enter a password, and download a file sent to them by
this Iranian-controlled persona
before sending anything actually malicious.
So kind of conditioning the potential victim here to just get used to doing certain things.
Absolutely. And I think that really shows that they...
I think that absolutely shows that TA453 cares about being detected.
The industry has done a lot of good work promoting and identifying these campaigns.
And so they're really working hard to make sure that they are not detected
in these initial conversations that aren't necessarily malicious.
So this back and forth goes on as they're establishing rapport.
Take us down the path. At what point does it start to become problematic?
Yeah. So eventually they said that the project's just recently started and they have a plan. And
so they say, hey, here's this file, click on this link, and you can download the podcast plan 2024.
This sort of, I think, is to build on the target's desire to be part of this plan
and sort of want to be part of the process.
And that zip file, which was hosted on a file sharing website as well,
contained an LNK, also titled Podcast Plan 2024.
And that LNK is what ended up delivering the BlackSmith toolset,
which is the malware that we wrote about.
So that malware has been delivered now.
What are the capabilities that it has?
Yeah, so basically the BlackSmith toolset,
and that's a name given to it by the actor, TA453.
It has a decoy PDF.
It has a bunch of DLLs to look for different security settings and then also establish persistence.
And then it eventually loads what we call AnvilEcho,
which was the PowerShell Trojan, and that was the final stage.
And that was around 2,200 lines of PowerShell that had a bunch of different capabilities.
Can we dig into some of those capabilities?
I mean, what's the spectrum of things it's able to do here?
Yeah, absolutely.
So historically, TA453 Trojans or remote access tools have things like screenshot exfiltration and that sort of thing, and we see that all with this AnvilEcho as well. We see screenshot capability. We see the capability to capture multiple screens, so if someone is using multiple monitors. We see also sound capabilities, so being able to record, possibly try to use the microphone of the computer.
We also see exfiltration and command and control, meaning that they could send commands, of the encoding and the lifecycle, the health checks that Trojan was doing semi-automatically.
We'll be right back.
... checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their families 24/7,
365, with Black Cloak. Learn more at blackcloak.io.
What do we know about the command and control here? Any details to share when it comes to that?
Yeah, so they use a domain called deepspaceocean.info for command and control throughout the script. They had a machine ID that was created. I think one of the things that was interesting as we looked at this, just slightly off topic, but the machine ID was computed in an unnecessarily complicated manner.
It created two random 32-character strings, alphanumeric,
and then concatenates them.
And then after that, it takes the value and takes the SHA-256 hash of those two strings
and then takes the first 16 characters from that hash
and then adds it to those original two strings.
So that is the machine ID. I've never seen a machine ID that's calculated in such a complicated way.
And honestly, I don't know why they did it that way. But as far as other capabilities,
we saw two different functions. We saw redoit, which is a function, and then we saw doit.
And basically, redoit served as like an orchestration
or management for the PowerShell. So it was able to process commands that it received from that C2, and then
also directed the doit function.
So redoit directed the doit function to do things like
upload files, get web information from browsers.
They had Dropbox and FTP support, and then also allowed for the configuration updates.
So this implant was designed to allow for further configuration updates for, I would assume, long-term persistence.
Well, I mean, let's talk about that persistence then.
I mean, what is it doing to make sure that once it gets its grip,
it's able to stay there?
Yeah, so basically what this first does is one of the DLLs
that's initially dropped for the LNK,
it will write it to the install folder
and write it as a service.
And then
after it does that as persistence,
it then looks for any antivirus and then
sort of does something I thought was interesting,
which is it rewrites the entry point of AMSI's AmsiScanBuffer
so that when it's called, it returns an invalid argument.
So that's a way for them to bypass some antivirus software.
Now, that is interesting.
I mean, in general, how stealthy is it?
Does it do a good job of flying under the radar?
I think that's one of the really interesting things
when you talk about malware.
Do you want to have a lightweight toolset
that you just download additional capabilities
from whatever command and control
and it provides the opportunity for detection
along the network?
Or do you have one huge piece of malware
that then doesn't have to do anything additional
on the network besides sending out information? In this case, they decided to do the latter and have a large set
of malware that was previously different module sets and sort of incorporate everything into one.
I don't know if that's more stealthy than having a more lightweight piece of malware. I think the
idea makes sense in some ways,
and I think it just demonstrates that they are iterating
and trying to avoid detection.
So they're not like some actors who don't mind if they get detected
or continue on anyways.
I think this is just the next stage in their development of their malware
to understand where the malware is going to go.
And this is just the next stage that they're trying.
And they might continue on this if they found success.
And they might decide that they're not.
And I think going back to something you said earlier about how we saw this as a single
target, I have no doubt that this was used in other instances as well.
We just saw a single one.
So my guess is if they're having success at other targets,
they may not iterate more.
Or after this blog, they might say,
hey, this capability has been burned.
Let's move and change our malware again to avoid that detection.
At what point was there any indication that this individual had a problem here?
Was there anything that kind of tripped off the alarms?
Yeah, so when we detected this,
we worked really hard with the organization
and our customer to alert the customer
and then also the customer then alerted their employee.
So we believe that we were able to block it before there was any actual infection.
Yeah, we'll just leave it at that.
Okay.
So how do you rate the sophistication of this group and this particular bit of malware?
Yeah, so I think that this group is definitely one of the more persistent groups.
They're not necessarily using zero days or things that are just completely unheard of as far as sophistication, but they are persistent.
They are really talented at doing what they're doing with that benign conversation and that infrastructure. So what I mean by that is the actual lure that they used was understandingthewar.org, which, the actual email, or sorry, the actual web domain is understandingwar.org. So they just added a "the," and I think if most people receive that in their inbox, they wouldn't necessarily think twice before responding.
And I think that's where the sophistication of Charming Kitten really comes in, is that they're able to do that social engineering in a really unique way that is really convincing.
Yeah, it also strikes me that they're using flattery. They're referring to their target as an expert,
which they may very well be,
but that's a great way to get on somebody's good side.
Absolutely.
And I think that they really work hard
to build connections with people.
What are your recommendations then?
For folks to best protect themselves
against this sort of thing?
So it's a great question.
I think a big thing to do would be make sure that you're actually emailing the people you think you are.
Don't rely on Gmail, Yahoo, ProtonMail, but verify that you're actually emailing the email address you believe you're talking to.
Because that's how a lot of these lures or email fraud happens.
Additionally, I think just being very wary of clicking anything, any links, opening any
attachments from people you haven't talked with or met with before is always good advice. And I
think lastly, it's just if you are aware of an account that's been compromised or is using this sort of information, make sure to share that information.
Share it with people in the community.
A lot of times we'll see people who are being spoofed.
We'll put something on their personal website saying, hey, if you receive an email, it's not me.
They'll tweet about it.
And just sharing the information of, hey, this account is false, then means that they have to go to different infrastructure and sort of retool.
And I think that community defense is a huge piece of this.
Our thanks to Joshua Miller from Proofpoint for joining us.
The research is titled "Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset."
We'll have a link in the show notes.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your team smarter.
Learn how at N2K.com.
This episode was produced by Liz Stokes. We're
mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben. Our executive
editor is Brandon Karp. Simone Petrella is our president. Peter Kilpie is our publisher. And
I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.
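The machine-ID construction Joshua describes in the interview (two random 32-character alphanumeric strings, concatenated, hashed with SHA-256, with the first 16 hex characters of the hash appended to the original 64) is distinctive enough for a defender to check for, because the suffix must be consistent with the body and a random 80-character token will not be. The Python below is an added example written for this page, not Proofpoint's code and not anything taken from the AnvilEcho script: it reproduces the derivation on constructed input, verifies whether a candidate token is self-consistent with that scheme, and sweeps a few constructed proxy log lines for such tokens. Lowercase hex encoding of the digest, the exact alphabet, the placeholder host name, and the placement of the ID in a URL query parameter are all assumptions.

```python
import hashlib
import re
import secrets
import string

# Alphabet for the two random 32-character alphanumeric strings described in
# the interview (assumed: mixed-case ASCII letters and digits).
ALPHANUMERIC = string.ascii_letters + string.digits
HEX_LOWER = "0123456789abcdef"

# Any 80-character alphanumeric run bounded by non-alphanumerics is a candidate
# token; the self-consistency check below decides whether it fits the scheme.
CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{80}(?![A-Za-z0-9])")


def build_machine_id(rand_a: str, rand_b: str) -> str:
    """Reproduce the derivation as described: concatenate the two 32-character
    strings, SHA-256 the result, and append the first 16 hex characters of the
    digest to the original 64 characters (lowercase hex is an assumption)."""
    if len(rand_a) != 32 or len(rand_b) != 32:
        raise ValueError("each component must be exactly 32 characters")
    body = rand_a + rand_b
    digest = hashlib.sha256(body.encode("ascii")).hexdigest()
    return body + digest[:16]


def generate_machine_id() -> str:
    """Produce a constructed sample ID for exercising the checker.
    This is test input generated here, not data from any real infection."""
    rand_a = "".join(secrets.choice(ALPHANUMERIC) for _ in range(32))
    rand_b = "".join(secrets.choice(ALPHANUMERIC) for _ in range(32))
    return build_machine_id(rand_a, rand_b)


def looks_like_described_id(candidate: str) -> bool:
    """True when the candidate is 80 characters, its first 64 are alphanumeric,
    its last 16 are lowercase hex, and that suffix equals the first 16 hex
    characters of SHA-256 over the first 64. A random 80-character token fails
    the last test with overwhelming probability, which is what makes the format
    worth checking for rather than merely pattern-matching on length."""
    if len(candidate) != 80:
        return False
    body, suffix = candidate[:64], candidate[64:]
    if any(ch not in ALPHANUMERIC for ch in body):
        return False
    if any(ch not in HEX_LOWER for ch in suffix):
        return False
    expected = hashlib.sha256(body.encode("ascii")).hexdigest()[:16]
    return suffix == expected


def find_described_ids(text: str) -> list:
    """Return every token in text (for example a proxy log) that satisfies the
    self-consistency check, in order of appearance."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text)
            if looks_like_described_id(m.group(0))]


# Constructed proxy log lines for the demonstration. The host name is a
# placeholder, not a real C2 domain; the first line carries an ID built with
# build_machine_id, the second an 80-character token that is not self-consistent.
SAMPLE_LOG = (
    "2024-08-20T10:00:01Z GET https://c2.example.invalid/?id="
    + build_machine_id("A" * 32, "b" * 32) + " 200\n"
    "2024-08-20T10:00:02Z GET https://c2.example.invalid/?id=" + "x" * 80 + " 200\n"
    "2024-08-20T10:00:03Z GET https://c2.example.invalid/healthz 200\n"
)

if __name__ == "__main__":
    for token in find_described_ids(SAMPLE_LOG):
        print("self-consistent machine-ID token found:", token)
```

Running the module prints only the token from the first constructed line; the 80-character run of x's on the second line has the right length but fails the hash check, which is the point of verifying the suffix rather than alerting on length alone. A real sweep would run `find_described_ids` over proxy or EDR telemetry and treat a hit as a lead to correlate with the rest of the activity, not as proof on its own.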