Iran-linked TA453 used new Multi-Persona Impersonation technique in recent attacks

Iran-linked threat actors target individuals specializing in Middle Eastern affairs, nuclear security and genome research.

In mid-2022, Proofpoint researchers uncovered a cyberespionage campaign conducted by Iran-linked TA453 threat actors.

The campaign aimed at individuals specializing in Middle Eastern affairs, nuclear security and genome research. Threat actors used at least two actor-controlled personas on a single email thread to target their victims.

TA453 is a nation-state actor that overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42.

The attack chain starts with phishing emails impersonating legitimate individuals at Western foreign policy research organizations, including the Pew Research Center, the Foreign Policy Research Institute (FRPI), the U.K.’s Chatham House, and the scientific journal Nature.

Since mid-June 2022. the attackers employed a new technique named Multi-Persona Impersonation (MPI), wherein they used not one but several actor-controlled personas in the same email conversation to trick the victims into believing that the message is legitimate.

“In mid-2022, TA453 deployed a social engineering impersonation technique informally called Multi-Persona Impersonation in which the threat actor uses at least two actor-controlled personas on a single email thread to convince targets of the legitimacy of the campaign.” reads the analysis published by Proofpoint experts. “This is an intriguing technique because it requires more resources be used per target—potentially burning more personas—and a coordinated approach among the various personalities in use by TA453.”

TA453 starts a conversation masquerading using a message that includes a variety of questions intended to generate a dialogue about topics of interest in the Middle East area. The questions are actually meant to establish a pretext for sending a follow-up credential harvesting link or delivering a malicious document.

The embedded link is a OneDrive link that downloads a Microsoft Office document.

A day after the initial email, one of the personas involved in the discussion responded to the email thread likely in an attempt to establish the veracity of the request and solicit a response from the target. This second message doesn’t include malicious documents or links. 

The document relies on the remote template injection to download Korg, which is a malicious template consisting of three macros (Module1.bas, Module2.bas, and ThisDocument.cls) that are designed to gather usernames, a list of running processes, and the public IP addresses of the victims.

Gathered data are then exfiltrated using the Telegram API. 

“At this time, Proofpoint has only observed the beaconing information and has not observed any follow-on exploitation capabilities. The lack of code execution or command and control capabilities within the TA453 macros is abnormal. Proofpoint judges that infected users may be subject to additional exploitation based on the software identified on their machines.” continues the report.

Proofpoint assesses that TA453 operates in support of the Islamic Revolutionary Guard Corps (IRGC), the security firm tracks multiple subgroups of TA453 differentiated primarily by victimology, techniques, and infrastructure.

“The use of MPI by TA453, while the group’s latest technique, is likely to continue to evolve and morph as this group hunts for intelligence in support of the IRGC. Proofpoint researchers have already started to observe this potential next step with TA453 attempting to send a blank email, then respond to the blank email all while including all their “friends” on the CC line. This is likely the threat actor’s attempt at bypassing security detection.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]