Iranian Attackers Upgrade Social Engineering Tactics

Iranian threat actor TA453 has been sending spear-phishing emails that impersonate real individuals from Western foreign policy research institutions.


Iranian threat actor TA453 has been sending spear-phishing emails to individuals specializing in Middle Eastern affairs, nuclear security and genome research with a social engineering twist: As opposed to a one-on-one conversation, the known actor has been including multiple fake personas on the email chain in hopes of making the attack appear more legitimate.

TA453, which has activity overlaps with Charming Kitten and Phosphorous, has been active since at least 2012 and has historically launched malware campaigns that have aligned with priorities of Iran’s Islamic Revolutionary Guard Corps (IRGC) in the data it collects and the victims it targets (typically dissidents, academics, diplomats and journalists). Researchers observed TA453 using the tactic in mid-2022 in emails impersonating real individuals from Western foreign policy research institutions. The end goal of the campaigns so far appears to be collecting basic system information, although researchers with Proofpoint said they have not yet seen code execution or command and control (C2) capabilities.

“This is the latest in TA453’s evolution of its techniques and can be mitigated in large part by potential targets, such as those specializing in Middle Eastern affairs or nuclear security, by being cautious when they receive outreach from unexpected sources, even those that appear legitimate,” said researchers with Proofpoint in a Tuesday analysis.

In one observed campaign in June, threat actors reached out to two targets at an unnamed university, including a prominent academic that is involved in nuclear arms control. The actors claimed to be the director of political research with the Pew Research Center wanting to discuss an article referencing a possible clash between the U.S. and Russia. While they used the actual name and title of this Pew Research Center director, Proofpoint researchers said they have “no specific indication” that spoofed individuals were victimized by TA453 (though the group has previously used compromised email accounts to send phishing emails).

"As users have gotten better at identifying phishing emails, threat actors have to evolve their methods and techniques, including how they go about making their emails appear increasingly convincing.”

Also CC-ed on the email were three other spoofed individuals. After the target stopped responding for a week, the threat actors followed up under the initial personal with a OneDrive link that they purported was the article, and four days later followed up again under one of the other CC-ed personas, attempting to convince the target of the legitimacy of the campaign and resending the same OneDrive link.

This OneDrive link hosted malicious documents, which are the most recent version of a remote template document that has been previously discovered by PwC being used by TA453. This downloaded template has three macros, which collect data like username, the list of running processes and user public IP, and exfiltrate that information via the Telegram API.

“At this time, Proofpoint has only observed the beaconing information and has not observed any follow-on exploitation capabilities,” said researchers. “The lack of code execution or command and control capabilities within the TA453 macros is abnormal. Proofpoint judges that infected users may be subject to additional exploitation based on the software identified on their machines.”

Researchers said that the technique, which has been previously used by business email compromise (BEC) group Cosmic Lynx, is “intriguing” because attackers must leverage more resources and email addresses. TA453 appears to continue to evolve its tactics, with researchers observing the threat actor recently sending a blank email in an attempt to bypass security detection, then responding to the email with other emails CC-ed on the thread in order to make it appear as if there is an established connection between the sender and recipient.

“In general, threat actors will adopt tactics used by others so long as they think they will be useful for their campaigns,” said Sherrod DeGrippo, VP of threat research and detection at Proofpoint. “Social engineering is a component of nearly every threat actor’s toolbox who uses email as an initial access vector. As users have gotten better at identifying phishing emails, threat actors have to evolve their methods and techniques, including how they go about making their emails appear increasingly convincing.”