Iranian state-backed threat operation TA453 (also known as APT42, Damselfly, Charming Kitten, Yellow Garuda, and Mint Sandstorm) has sought to distribute the new AnvilEcho PowerShell trojan in a spear-phishing campaign against a major Jewish personality that commenced late last month, The Hacker News reports.
After impersonating the research director of the Institute for the Study of War in phishing emails purporting to invite the Jewish figure to appear as a podcast guest, TA453 sent follow-up messages with a password-protected DocSend URL and a Google Drive URL with a ZIP archive, according to an analysis from Proofpoint. The ZIP archive contained an LNK file that deploys the BlackSmith toolset, which then executes the AnvilEcho malware with intelligence gathering and exfiltration capabilities, including system reconnaissance, remote file downloading, screenshot capturing, and data uploading, the report showed. "This malware deployment attempting to target a prominent Jewish figure likely supports ongoing Iranian cyber efforts against Israeli interests. TA453 is doggedly consistent as a persistent threat against politicians, human rights defenders, dissidents, and academics," said Proofpoint researcher Joshua Miller.