August 21, 2024
Severity
High
Analysis Summary
AnvilEcho is a new intelligence-gathering tool that the Iranian state-sponsored threat actor Charming Kitten has been observed deploying, since late July 2024, through spear-phishing attempts aimed at a well-known religious figure.
Researchers track this activity under the codename TA453; the same cluster is also known as APT42, Charming Kitten, Damselfly, Mint Sandstorm, and Yellow Garuda. The first exchange was designed to get the target to reply to a harmless email, establishing rapport and trust before the follow-up message delivered a malicious link. The attack chain aimed to deliver a PowerShell trojan known as AnvilEcho together with a new malware toolkit named BlackSmith.
Charming Kitten is assessed to be associated with Iran's Islamic Revolutionary Guard Corps (IRGC), conducting focused phishing operations in support of the country's military and political objectives. According to data released by Google-owned Mandiant, roughly 60% of Charming Kitten's known geographic targeting was in the United States and Israel, followed by Iran and the United Kingdom.
Its social engineering is persistent and convincing: operators pose as journalists and legitimate organizations to build rapport with potential victims, then gradually draw them into phishing traps through malware-laced documents or fake websites that harvest credentials. In one recurring pattern, Charming Kitten uses social engineering to entice the victim into arranging a video meeting; the target is then directed to a landing page, asked to log in, and taken to a phishing website.
In the most recent round of attacks, which researchers first noticed on July 22, 2024, the threat actor posed as the Research Director at the Institute for the Study of War (ISW) and sent emails to several addresses belonging to an unnamed Jewish individual, inviting them to be a guest on a podcast. When the target replied, Charming Kitten is reported to have sent a password-protected DocSend URL, which led to a text file containing a link to the genuine podcast hosted by ISW. The messages were sent from the domain understandingthewar[.]org, an attempt to imitate the legitimate ISW domain ("understandingwar[.]org").
Charming Kitten may have asked the victim to visit a link and enter a password in order to normalize that behavior before delivering malware. The threat actor was then observed replying to follow-up communications with a Google Drive URL hosting a ZIP archive ("Podcast Plan-2024.zip"), which contained a Windows shortcut (LNK) file responsible for delivering the BlackSmith toolkit.
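The delivery chain above rests on two observable artifacts: a sender domain that imitates the legitimate ISW domain, and a ZIP attachment wrapping a Windows shortcut. The following Python script is an added triage example written for this advisory; it is not code from the advisory's authors or from any vendor. It assumes a locally maintained list of protected domains (constructed here with only understandingwar.org) and builds a constructed ZIP in memory whose member name is invented, since the advisory does not give the LNK file's name.

```python
"""Mail triage checks for lookalike sender domains and archive-wrapped shortcuts.

Added example for this advisory; the protected-domain list and the sample
archive are constructed, not taken from any real mailbox.
"""
from __future__ import annotations

import io
import zipfile
from typing import Dict, List, Optional

# Domains this organisation wants to protect against impersonation (constructed).
PROTECTED_DOMAINS = ["understandingwar.org"]

# Member extensions treated as executable content when found inside an archive.
RISKY_EXTENSIONS = {".lnk", ".exe", ".js", ".vbs", ".hta", ".ps1"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str) -> Optional[str]:
    """Return the protected domain that sender_domain imitates, or None.

    The protected domain itself and its subdomains are legitimate. A domain
    within a small edit distance (scaled to the protected domain's length, so
    the three inserted characters in understandingthewar.org are caught
    without flagging every short domain) is reported as a lookalike.
    """
    sender_domain = sender_domain.lower().strip(".")
    for legit in PROTECTED_DOMAINS:
        if sender_domain == legit or sender_domain.endswith("." + legit):
            return None
        if levenshtein(sender_domain, legit) <= max(1, len(legit) // 6):
            return legit
    return None


def risky_members(zip_bytes: bytes) -> List[str]:
    """List archive members whose extension marks them as executable content."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if any(n.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]


def triage_message(sender: str, attachments: Dict[str, bytes]) -> List[str]:
    """Return human-readable findings for one message (empty list if clean)."""
    findings: List[str] = []
    domain = sender.rsplit("@", 1)[-1]
    target = lookalike_of(domain)
    if target:
        findings.append(f"sender domain {domain} resembles protected domain {target}")
    for name, data in attachments.items():
        if not name.lower().endswith(".zip"):
            continue
        try:
            members = risky_members(data)
        except zipfile.BadZipFile:
            findings.append(f"attachment {name} is not a valid ZIP archive")
            continue
        for member in members:
            findings.append(f"archive {name} contains executable-type member {member}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the ZIP-wrapped shortcut; member name is invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("podcast-invitation.lnk", b"placeholder, not a real shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    sample = {"Podcast Plan-2024.zip": build_sample_zip()}
    for finding in triage_message("invite@understandingthewar.org", sample):
        print(finding)
```

The edit-distance threshold is deliberately proportional to the protected domain's length; a fixed distance of three would flag far too many unrelated short domains. Archive inspection stops at member names, which is enough to route a message for manual review without parsing shortcut contents.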
AnvilEcho, which BlackSmith delivers, is assessed to be the likely successor PowerShell implant to CharmPower, GorjolEcho, POWERSTAR, and PowerLess. BlackSmith is also designed to display a decoy document as a diversion. Notably, the name "BlackSmith" also matches a browser-stealer component that researchers disclosed earlier this year in connection with a campaign that distributed BASICSTAR in attacks against prominent figures involved in Middle Eastern politics.
AnvilEcho is a feature-rich PowerShell trojan whose capabilities point to a clear emphasis on gathering and exfiltrating intelligence. Among other tasks, it can perform system reconnaissance, take screenshots, download files from remote locations, and upload sensitive files via Dropbox and FTP. This targeted malware deployment against a well-known Jewish individual most certainly bolsters existing Iranian cyber operations directed at Israeli targets. Charming Kitten remains a steadfast threat to academics, politicians, human rights advocates, and dissidents.
Impact
- Cyber Espionage
- Credential Theft
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- understandingthewar.org
- d75.site
- deepspaceocean.info
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disseminate information regarding the tactics, techniques, and procedures (TTPs) used by the APT42 group to target dissidents.
- Educate potential targets on the risks associated with engaging in online conversations with unknown individuals, especially on social media platforms.
- Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
- Conduct phishing awareness training so that users can recognize and avoid social engineering attacks, such as deceptive messages and links.
- Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
- Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
- Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
- Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
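The first two remediation steps, blocking the listed indicators and searching for them in your environment, are easy to get subtly wrong: indicators are usually pasted in defanged form, DNS logs carry trailing dots, and an indicator can appear as a leading label of an unrelated domain. The following Python script is an added example for this advisory, not code from the advisory's authors; it matches the three domain indicators above (and any of their subdomains) against constructed DNS and proxy log lines, which are invented for illustration and do not come from any real environment.

```python
"""Hunt for the advisory's domain indicators in DNS/proxy logs.

Added example; the log lines below are constructed, not from a real network.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# The advisory's domain indicators, written defanged as an analyst would paste them.
IOC_DOMAINS = ["understandingthewar[.]org", "d75[.]site", "deepspaceocean[.]info"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-case domain."""
    return indicator.lower().replace("[.]", ".").replace("(.)", ".").strip(".")


def build_matcher(indicators: Iterable[str]) -> re.Pattern:
    """Compile one regex that matches each indicator or any subdomain of it.

    The lookbehind rejects a preceding domain character, so 'notd75.site' is
    not a hit; the lookahead rejects a following label, so
    'd75.site.example.com' is not a hit either, while a trailing FQDN dot
    ('d75.site.') is still accepted.
    """
    domains = sorted({refang(i) for i in indicators}, key=len, reverse=True)
    alternatives = "|".join(re.escape(d) for d in domains)
    return re.compile(
        rf"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*({alternatives})(?!\.?[A-Za-z0-9-])",
        re.IGNORECASE,
    )


def hunt(log_lines: Iterable[str], indicators: Iterable[str] = IOC_DOMAINS) -> Dict[str, List[str]]:
    """Return {indicator_domain: [matching log lines]} over an iterable of log lines."""
    matcher = build_matcher(indicators)
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_lines:
        for match in matcher.finditer(line):
            hits[match.group(1).lower()].append(line.strip())
    return dict(hits)


# Constructed sample log lines: two true hits for the lookalike domain, one
# subdomain hit, one near-miss where the indicator is only a leading label,
# and one line for the legitimate ISW domain that must not match.
SAMPLE_LOGS = [
    "2024-08-21T10:01:02Z dns client=10.0.0.12 query=understandingthewar.org. type=A",
    "2024-08-21T10:01:05Z proxy client=10.0.0.12 url=https://understandingthewar.org/podcast",
    "2024-08-21T10:03:11Z dns client=10.0.0.40 query=www.deepspaceocean.info. type=A",
    "2024-08-21T10:04:00Z dns client=10.0.0.40 query=d75.site.example.com. type=A",
    "2024-08-21T10:05:30Z dns client=10.0.0.51 query=understandingwar.org. type=A",
]


if __name__ == "__main__":
    for domain, lines in hunt(SAMPLE_LOGS).items():
        print(f"{domain}: {len(lines)} hit(s)")
        for entry in lines:
            print("   ", entry)
```

Feeding this the contents of a DNS or proxy export (one line per record) gives a per-indicator hit list keyed by the refanged domain, which maps directly onto the "block" and "search" steps above; the same matcher can be reused for the blocklist review so that the legitimate understandingwar.org is never blocked by accident.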