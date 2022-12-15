TA453 now employs more aggressive tactics, including the use of genuine compromised email accounts, malware and confrontational decoys to gain access to key accounts. The threat actor targets high profile and high security accounts for cyber espionage purposes.

Who is TA453?

TA453 is an Iranian state-sponsored cyber espionage actor, according to Proofpoint.

TA453 overlaps with the Charming Kitten, Phosphorus, and APT42 cyber espionage groups.

Their preferred method of approaching and attacking their targets is to use web beacons in emails before possibly attempting to harvest targets’ credentials. They also exploit multi-persona spoofing, which is a social engineering trick using two spoofed accounts controlled by the attackers to talk in a single chat thread with the victim. The multiple characters try to convince the target of the legitimacy of the operation.

Proofpoint currently tracks six TA453 subgroups, which are categorized by victimology, infrastructure, and tactics, techniques, and procedures.

Researchers assess that TA453 generally works in support of the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO), based on research by PwC, 2018 Department of Justice charges, and analysis of TA453 targeting in relation to the reported activities of the IRGC-IO.

“The most aggressive activity could represent collaboration with another branch of the Iranian state, including the IRGC’s Al-Quds Force,” Proofpoint said.

A change in TA453 methods

Email accounts used to reach targets

Threat actors sometimes abandon email accounts they created themselves in favor of genuine compromised accounts. This makes their messages look more legitimate, because they arrive from an address the target already knows rather than from an unknown one.

This method is used by a subgroup of the threat actor TA453 and combined with the use of unusual URL shorteners like bnt2[.]live or nco2[.]Direct. Proofpoint says that in 2021, a US press officer was reached by TA453 using a local reporter’s email address.

Use of malware

GhostEcho, a lightweight PowerShell backdoor still in development that can run additional modules and communicate with an attacker-controlled C2 server, was used in 2021 against various diplomatic missions in Tehran and against women’s rights defenders in the country. The final payload was not available to researchers when the backdoor was discovered.

Confrontation Decoys

Samantha Wolf is a character created by TA453 used in divisive social engineering lures. The goal is to instill fear and uncertainty in the targets so that they respond to the emails sent by the attackers.

Samantha Wolf has used general complaints and car accidents among other themes, targeting US and European politicians and government entities (Figure A).

Figure A

Documents sent by Samantha Wolf used remote template injection to download malicious files, resulting in a GhostEcho infection. The attackers replaced the user’s previous default Microsoft Word template.
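Remote template injection leaves a recognisable trace in the document itself: Word records an attached template as an attachedTemplate relationship in word/_rels/settings.xml.rels, and when that target is an http(s) or UNC location Word fetches it on open. The scanner below is an added example written for this article, not Proofpoint’s or the article author’s code. It opens a .docx as the zip package it is, reports attachedTemplate relationships that point off-host, and treats a local file:///C:/... Normal.dotm target as benign, since that is what Word writes for an ordinary local template. The sample package and the template URL are constructed for the demonstration.

```python
"""Scan a .docx for remote template injection (added example, not the report's code)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def is_remote_target(target: str) -> bool:
    """True for http/https/ftp targets and for file:// targets naming a host (UNC)."""
    parsed = urlparse(target.strip())
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    if scheme == "file":
        # file:///C:/... has an empty netloc and is a local template; file://host/... is not.
        return parsed.netloc not in ("", "localhost")
    return target.startswith("\\\\")  # bare UNC path written without a scheme


def find_remote_templates(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return one finding per attachedTemplate relationship that points off-host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if is_remote_target(target):
                    findings.append({"part": name, "id": rel.get("Id", ""), "target": target})
    return findings


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal package for testing; not a document from the campaign."""
    rels = ""
    if template_target is not None:
        rels = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>')
    parts = {
        "[Content_Types].xml": ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns='
                                '"http://schemas.openxmlformats.org/package/2006/content-types"/>'),
        "word/document.xml": '<?xml version="1.0" encoding="UTF-8"?><document/>',
        "word/settings.xml": '<?xml version="1.0" encoding="UTF-8"?><settings/>',
        "word/_rels/settings.xml.rels": (f'<?xml version="1.0" encoding="UTF-8"?>'
                                         f'<Relationships xmlns="{REL_NS}">{rels}</Relationships>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; any real lure would carry the attacker's own URL here.
    sample = build_sample_docx("http://template-host.invalid/update.dotm")
    for finding in find_remote_templates(sample):
        print(f"{finding['part']}: {finding['id']} -> {finding['target']}")
```

Running the same check over every .rels part, rather than only settings.xml.rels, also catches templates referenced from unusual parts. On the detection side the document-level finding pairs well with a network-side rule for Word (winword.exe) fetching .dotm content over HTTP shortly after a file is opened.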

More aggressive activity

In May 2022, Proofpoint discovered an attack that used multiple compromised email accounts to target a senior military official, a former member of the Israeli army. As mentioned earlier, using multiple compromised email accounts for such an attack is unusual for TA453.

The aggressive message was written in Hebrew (Figure B) and used the person’s first name in the file name.

Figure B

The text roughly translates to: “I’m sure you remember when I told you that every email you get from your friends might be me and not who they say they are. We follow you like your shadow in Tel-Aviv, in [redacted university], Dubai, Bahrain. Take care of yourself.”

According to Proofpoint, this intimidation tactic also indicates collaboration between TA453 and hostile Iranian state-aligned operations.

An overlap in the infrastructure linking this case to another lends further weight to the researchers’ conclusion. In May 2022, an Israeli researcher received an email from a spoofed address of a reputable academic inviting her to a conference, with the aim of kidnapping her.

TA453’s aberrant operations show a continuing evolution of its TTPs, with possible support for hostile or even kinetic operations.

Previously known TA453 modus operandi

TA453 generally approaches its targets from email accounts it creates and begins by establishing contact through benign conversation, although some of its subgroups reach the target directly with a credential-harvesting link. Regardless of the duration of the exchange, the goal is always to gain access to the target’s email via a phishing link.

This technique suggests that the attacker’s primary interest lies in reading the content of the target’s emails, rather than in infecting their computer with malware to gain access to files and folders. It is also stealthier, as it usually does not trigger alerts from security products. The phishing pages hosted on this infrastructure are never widely distributed and are therefore under-reported.

How to protect yourself from this threat

Users should be careful when opening email content, even if it is from a verified and trusted email address, which could be compromised.

The content of the email itself should put the reader on alert: pay attention to phrasing the sender has not used before, spelling mistakes, changes in language or diction, and other indications that something is off. If in doubt, users should verify the legitimacy of the email by contacting the sender through another channel.

Users should also always check conference invitations and contact the organizers directly through their official website. Users should never click on suspicious links. Instead, report the link to IT or CERT/SOC teams for investigation, as it may be a phishing attempt.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.