Iranian Hackers Target Israeli Citizens
Amid increasing tensions between Israel and Iran, a leading religious figure in Israel was recently targeted by a known Iranian hacking group notorious for elaborate spear-phishing campaigns. The group has been ramping up phishing attacks against high-profile individuals in Israel.
Researchers from Proofpoint have identified this latest campaign, conducted by the group known under various aliases including TA453, APT42, Charming Kitten, Yellow Garuda, and ITG18, which is targeting organisations and individuals in Israel and across the Middle East.
Starting in July this year, TA453 contacted multiple email addresses for a prominent Jewish figure while pretending to be the Research Director for the Institute for the Study of War (ISW). The lure purported to invite the target to be a guest on a podcast hosted by ISW. According to Proofpoint, once the target responded, TA453 sent a password-protected URL on DocSend, a service for secure document sharing. This link led to a text file containing a URL to the genuine podcast of ISW, the organisation the attackers were impersonating.
This tactic was designed to normalise the process of clicking on links and entering passwords, preparing the target for the actual malware delivery.
In subsequent interactions, the hackers sent a Google Drive URL hosting a ZIP file named “Podcast Plan-2024.zip.” This ZIP file contained an LNK file labelled “Podcast Plan 2024.lnk,” which was concealed behind a decoy PDF. The LNK file was used to deploy the BlackSmith toolset, which loaded the AnvilEcho PowerShell Trojan.
Proofpoint researchers observed that TA453 attempts to evade detection by complicating the infection chain and combining multiple malicious functions into a single PowerShell script.
The malware is tailored for intelligence collection and data exfiltration, often utilising legitimate services like Dropbox for these activities. It is important to be aware of the sophisticated ways Iranian hackers target Israelis and to take precautions.
Proofpoint | I-HLS | The Record | The Record | Economist | Hacker News