TA453, an Iranian-aligned cybercriminal group, is harvesting credentials by employing multi-persona impersonation. This article shares details about TA453, its Korg remote template injection, how TA453’s phishing campaign works, how to check if you are a target, and how to protect yourself.
It seems new cybercrime tactics are the latest craze cybercriminals are adopting these days. There is news of fresh and signature malicious tactics for causing mayhem to steal data and deliver payloads.
The latest in this line is an Iranian sock puppet phishing creation. The sophisticated phishing tactic incorporates multiple impersonation accounts to lure victims, deliver malicious payloads that collect confidential information from the victim’s system and exfiltrate it to the cybercrime group. Let us see who the cybercriminal behind this sock puppet campaign are and how they carry out their malicious intentions.
Who is TA453?
TA453 is the name of the Iranian-aligned cybercriminal group behind the sock puppet campaign targeting innocent users with the help of multiple impersonation accounts.
TA453 is a part of the IRGC (Islamic Revolutionary Guard Corps) and has been causing malice in the past by impersonating journalists to target policy experts. TA453 is known for its unique social engineering technique that experts call the Multi-Persona Impersonation, which utilizes two or more personas on a single email thread to boost the legitimacy and effectiveness of the phishing campaign.
This recent sock puppet campaign is the latest in their line of targeting Middle Eastern affairs and nuclear security structures.
Who does the TA453 Target?
TA453 delves deep into masquerading and impersonation campaigns by posing as policy-adjacent individuals or journalists. The threat actor establishes trust by offering help to collaborate with their victims and has targeted academics, journalists, diplomats, human rights workers, and policymakers the most.
TA453’s malicious actors initiate benign conversations and social engineering tactics to dupe victims and harvest their credentials. Most of the cybercriminal group’s past activity involved one-to-one discussions. According to Proofpoint’s researchers, the approach shifted into a new one in June 2022.
What is TA453’s Remote Template Injection?
TA453’s latest campaigns included OneDrive links with malicious documents. The documents are TA453’S remote template injection documents with password protection that download the macro-enabled template documents from 354pstw4a5f8.filecloudonline[.]com. A similar filecloudonline[.]com host is observed in multiple TA453 sock puppet campaigns with the download template Korg.
Korg includes three macros, Module1.bas, Module2.bas, and ThisDocument.cls that collect and exfiltrate information such as:
- The victim’s username
- The list of running processes
- The victim’s public IP (Internet Protocol) address from my-ip.io
All the information is exfiltrated using Telegram API. According to Proofpoint, there is no follow-up on TA453’s exploitation capabilities as it has only accumulated information, which is an abnormal approach for TA453 macros. The lack of code execution or C2 (Command and Control) capabilities means that infected devices and victims could face further exploitation.
How do TA453’s Campaigns Work, and How have They Evolved?
TA453 took on a new approach when the cybercriminal group masqueraded as Aaron Stein, the Director of Research at FRPI. Aaron Stein, the threat actor, initiated conversations by inquiring about the Gulf States, Abraham Accords, and Israel aimed as a pretext, but these were later rumored to be specific intelligence questions tasked to the cybercriminal group.
As Aaron Stein, the cybercriminals employed its signature Multi-Persona Impersonation and started CCing (Carbon Copy-ing) others, namely Richard Wike, the Director of Global Attitudes Research at PEW. Here is a look at one such email shared by Proofpoint.
(TA453’s New Media Campaign Email, Source: Proofpoint)
Following the above email, the threat actor initiated an email threat, this time initiating from Richard Wike’s side, soliciting responses from the target. Once the email conversation flows, the threat actors send phishing links designed to harvest the credentials of victims, oblivious to the fact that they are duped.
TA453 Targets Research Specialists
TA453 also targeted genome research specialists masquerading as one Harold Ott and used two other accounts under the names Clair Parry and Dr. Andrew Marshall. The former is the supposed Assistant Director at the Center for Universal Health, and the latter is the Chief Editor of Nature Biotechnology.
Three Multi-Persona Impersonations made this email threat when the threat actor initiated dialogue as Harald, bringing the topic of organ regeneration as bait. After email conversations, Harald delivered a OneDrive link. The link downloaded a malicious word document to the victim’s system under the name, “Ott-Lab 371.docx.” The document was exploitation of Remote Template Injection and downloaded “Korg,” as reported by Proofpoint and PwC.
TA453’s Latest Group Attacks
TA453 did not stop there and initiated another attack campaign as Carroll Doherty. The threat actor reached out to two academics at the same university who were involved in nuclear arms control. This time, the topic of discussion was a possible clash between the US and Russia.
The Multi-Persona approach took another turn as this time it included three additional threat actor-controlled email accounts to target both victims, namely “Daniel Krcmaric,” “Aaron Stein,” and “Sharan Grewal.”
After getting an initial response, the secondary email did not get the desired response. The threat actor then sent two additional emails with the malicious OneDrive link that downloaded the document, “The possible US-Russia clash.docx.”
The threat actor also sent a third email as Aaron, dropping his previous persona, Carroll, from the email thread. The email included an apology and the same OneDrive link with the document that used the remote template injection, which downloads Korg.
Are You a Target of TA453’s Sock Puppet Phishing Campaign?
Researchers at Proofpoint, PwC, and the US Department of Justice have been assessing all evidence regarding TA453’s campaign. The threat actor operates in support of the IRGC (Islamic Revolutionary Guard Corps), and its goals resonate with the IRGC-IO priorities.
TA453 selects its targets based on three things:
- Victimology
- Techniques
- Infrastructure
The threat actor has taken a simple idea that has formed a sophisticated approach to lure victims and harvest their credentials. With its past targeting of journalists, academics, and researchers, you might get a clear idea if you are a target of this campaign. Regardless, it is always best to stay protected and avoid such emails.
How to Keep Safe From the TA453 Phishing Campaign?
Subgroups of the TA453 cybercriminal group send malicious links in the first email or may send them after an email conversation, including various personas. There are many indicators of a possible compromise that may help identify if any email conversation, especially Multi-Persona Impersonations, such as:
- Presence of Gmail, Outlook, Hotmail, or AOL email addresses as opposed to institutional ones.
- Presence of additional email accounts in the CC.
- Replies to black emails.
- Requests to collaborate or inquiries on certain topics relating to Middle Eastern issues.
- Presence of malicious links often to Zoom Calls, OneDrive documents, and draft attachments.
Final Words
Cybercriminals are evolving their tactics regularly, and the TA453 sock puppet phishing campaign for delivering payloads is an effective approach whose endpoint is still questionable. Thus, email security and phishing protection should be a top priority for each individual. As a precautionary measure, you should look for the above indicators of compromise and refrain from engaging with malicious phishing emails.