TA453 now uses more sophisticated techniques for phishing attacks.
TA453 is an Iranian hacking group that is known to be operating in the wild by targeting victims through phishing emails.
The Iranian hacking group has been detected to have come up with new techniques that they deploy during their phishing attacks.
The new strategy employed by TA453 makes it necessary for them to exert a great deal more effort in order to execute their phishing attacks.
The Iranian hackers have been utilizing a variety of personalities and email accounts to give the impression that they are having a legitimate dialogue with their targets.
The possible victims are then drawn into an intricate and realistic discussion that is carried out by non-existent personas created by the hackers.
When they lure victims to their phishing trap, the email they send will also include another fake persona that can be noticed in the CC section. That fake persona is another character that the hackers created, and they have full control of that email.
TA453's New Phishing Techniques
TA453's new phishing techniques have been first discovered by the researchers at Proofpoint. According to BleepingComputer, this technique is referred to as multi-persona impersonation (MPI), and it makes use of the psychological principle known as the social proof to cloud rational reasoning and aims to use trustworthiness in its phishing attacks.
In a typical TA453 operation, the actor pretends to be a policy maker or a journalist, asking the target to work with them in collaboration. These Iranian hackers have a reputation for targeting journalists, policymakers, academics, and diplomats.
However, Proofpoint noticed a change in strategy implemented by TA453 beginning in June 2022. Iranian hackers have a reputation for engaging in seemingly innocent chats that later lead to deploying URLs that collect credentials.
Previously, TA453 would have one-on-one interactions with their targets, but towards the middle of the year 2022, this practice was discontinued.
TA453's Targeted Phishing
A threat actor from TA453 starts a conversation by sending an email to the target while masking their identity as someone that has the same level of significance as their target.
The hacker then asks a variety of carefully crafted questions intended to generate a dialogue about political questions. In most cases, the purpose of these questions is to establish a pretext, with the primary purpose of establishing a false pretense for sending a follow-up link.
With some familiarity, in the following email exchanges, it can be noticed that the actors would CC another like-minded fake person that has been created by the group into the thread.
When trust has been built, the malicious actors will proceed to a documented file or a link to the target, saying it contains more information, but hidden underneath those links are malicious payloads waiting to be deployed on the device of the target.
TA453 Can Cause These Possible Damages
The TA453 hacking group appears to be reusing the specific filecloudonline[.]com host in numerous phishing campaigns.
According to Proofpoint, "The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls."
Proofpoint adds, "The macros collect information such as username, list of running processes along with the user's public IP from my-ip.io and then infiltrates that information using the Telegram API."
Furthermore, researchers find it strange that the TA453 macros do not have the capability to execute code or to perform command and control functions.
Additionally, it has also been determined that based on the software that was found on the infected computers, users are made vulnerable to more forms of exploitation.