The cyber criminal group TA453, which is associated with Iran, is increasingly using new attack methods and aggressively pursuing new targets. This is the preliminary result of ongoing investigations by the cybersecurity company Proofpoint.
Since late 2020, Proofpoint researchers have observed discrepancies in TA453's phishing activity (which overlaps with groups publicly known as "Charming Kitten", "PHOSPHORUS" and "APT42"), with the group using new methods and other targets than in the past.
TA453 also known as APT42
Previous email campaigns by TA453 had almost always targeted academics, researchers, diplomats, dissidents, journalists and human rights activists, using web beacons in the body of the message before ultimately attempting to harvest the target's credentials. Such campaigns can start with weeks of harmless conversation from accounts created by the actors before the actual attack is launched.
TA453's novel campaigns target medical researchers, an aerospace engineer, a real estate agent and travel agents, among others. They use phishing techniques that are new for TA453, including compromised accounts, malware, and lures built on controversial topics. It is likely that the new procedures reflect the Revolutionary Guard's changing intelligence requirements. The novel activity also provides experts with a better understanding of the Revolutionary Guard's mandate and a glimpse of TA453's potential support for covert and "kinetic" operations.
Typical behavior
Proofpoint tracks about six subsets of TA453, primarily differentiated by audiences, techniques, and infrastructure. Regardless of the subgroup, TA453 typically targets academics, policymakers, diplomats, journalists, human rights defenders, dissidents and researchers with expertise in the Middle East.
The email accounts registered by TA453 tend to be thematically consistent with their targets, and the cyber criminals prefer to use web beacons in their email campaigns. TA453 relies heavily on innocuous conversations to contact targets; Proofpoint observed more than 60 such campaigns in 2022. TA453 almost always sends credential-gathering links with the intention of gaining access to the target's inbox and spying on email contents. Some subgroups chat for weeks before sending out the malicious links, while others send the malicious link in the very first email.
Novel methods and target groups
Proofpoint's experts have observed a number of novelties in TA453's procedures that have received little, if any, public attention:
Compromised Accounts
- At times, a subset of TA453 used compromised accounts to target individuals instead of using actor-controlled accounts.
- This group used URL shorteners such as bnt2[.]live and nco2[.]live, which redirected to typical TA453 pages for collecting credentials.
- For example, in 2021, about five days after a US official spoke publicly about negotiations on the Iran nuclear deal, the official's press secretary was attacked via a compromised email account belonging to a local reporter.
Malware
- In the fall of 2021, GhostEcho (CharmPower), a PowerShell backdoor, was sent to various diplomatic missions in Tehran.
- Throughout fall 2021, GhostEcho evolved to evade detection, as evidenced by changes to its obfuscation and kill chain.
- GhostEcho is a relatively lightweight first stage of the attack, designed to provide espionage-focused follow-up capabilities, as documented by Check Point Research.
- Based on similarities in delivery techniques, Proofpoint suspects GhostEcho was also delivered to women's rights activists in late 2021.
Lure with controversial issues
- Notably, TA453 used a fictional character, Samantha Wolf, for confrontational social engineering decoys designed to exploit the targets' sense of insecurity and fear in order to trick them into responding to the cyber criminals' emails.
- Samantha sent these lures, which cover topics such as car accidents and common grievances, to US and European politicians and government agencies, a Middle East energy company and a US-based scientist.
About Proofpoint
Proofpoint, Inc. is a leading cybersecurity company. Proofpoint's focus is the protection of employees, because they represent both a company's greatest asset and its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.