Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users

July 6, 2023 · Ravi Lakshmanan · Endpoint Security / Malware


An Iranian nation-state actor known as TA453 has been implicated in a new series of spear-phishing attacks that infect both Windows and macOS operating systems with malware.

“TA453 ultimately utilized various cloud hosting providers to deliver a new infection chain deploying the newly identified PowerShell backdoor GorjolEcho,” Proofpoint said in a new report.

“When given the opportunity, TA453 attempted to implant malware and launch an Apple-flavoured infection chain called NokNok. TA453 also employed multiple persona impersonations in its never-ending espionage quest.”

TA453, also known as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity disclosed the adversary’s use of an updated version of a PowerShell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence uncovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a US-based diplomatic think tank. The emails delivered a malicious link to a Google Script macro that redirected the target to a Dropbox URL hosting a RAR archive.


Within the archive is an LNK dropper that initiates a multi-stage procedure to ultimately deploy GorjolEcho. The chain displays a decoy PDF document to the target while quietly awaiting the next-stage payload from a remote server.

However, upon realizing the target was using an Apple computer, TA453 tweaked its tactics and is said to have sent a second email containing a ZIP archive with a Mach-O binary disguised as a VPN application. Despite its name, the binary is actually an AppleScript that connects to a remote server and downloads a Bash script-based backdoor called NokNok.


NokNok collects running processes, installed applications, system metadata, and fetches as many as four modules that can be persisted using LaunchAgent.
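The report notes that NokNok’s modules can be persisted through LaunchAgents. One defensive check that follows from that detail is a triage pass over the per-user LaunchAgent property lists. The script below is an added example written for this article, not code from Proofpoint or from the malware itself, and the two plist files it scans are constructed samples (the file names, label strings and script paths are invented for illustration). It parses each plist with the standard library, and flags the common persistence tells: a shell or script interpreter launched directly, a program path in a user-writable location, network-fetch commands on the command line, RunAtLoad combined with KeepAlive, and a label imitating Apple’s own `com.apple.` namespace inside a user’s LaunchAgents directory (where Apple’s agents never live).

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Interpreters that legitimate LaunchAgents rarely invoke directly (assumption for this triage).
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3"}

# Locations writable by an unprivileged user, where a dropped script would typically sit.
SUSPICIOUS_PATH = re.compile(
    r"^(/tmp/|/private/tmp/|/var/folders/|/Users/Shared/|/Users/[^/]+/\.)"
)

# Tools that pull further stages from the network when they appear in ProgramArguments.
NETWORK_FETCH = re.compile(r"\b(curl|wget|nc|nscurl)\b")


def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons a per-user LaunchAgent plist looks suspicious (empty = nothing flagged).

    Assumes the plist came from a user's ~/Library/LaunchAgents directory, so a
    com.apple.* label is treated as masquerading rather than as a genuine Apple agent.
    """
    reasons: list[str] = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed plists are worth a look in their own right
        return [f"unparseable plist: {exc}"]

    args = [str(a) for a in (plist.get("ProgramArguments") or [])]
    if plist.get("Program"):
        args.insert(0, str(plist["Program"]))
    if not args:
        return ["no Program/ProgramArguments key"]

    exe = Path(args[0]).name
    if exe in SHELL_INTERPRETERS:
        reasons.append(f"launches interpreter '{exe}' directly")
    for arg in args:
        if SUSPICIOUS_PATH.match(arg):
            reasons.append(f"references user-writable path {arg}")
    if NETWORK_FETCH.search(" ".join(args)):
        reasons.append("command line fetches content from the network")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (runs at every login and restarts itself)")
    if str(plist.get("Label", "")).startswith("com.apple."):
        reasons.append("com.apple.* label in a user LaunchAgents directory")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Scan every *.plist in a LaunchAgents directory; return only the flagged entries."""
    flagged: dict[str, list[str]] = {}
    for path in sorted(directory.glob("*.plist")):
        reasons = assess_launch_agent(path.read_bytes())
        if reasons:
            flagged[path.name] = reasons
    return flagged


# Constructed sample: an ordinary vendor updater that runs hourly from /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

# Constructed sample: bash launching a hidden script from /Users/Shared under an Apple-looking label.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>-c</string><string>/Users/Shared/.cache/update.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""


def demo() -> dict[str, list[str]]:
    """Write both samples to a temporary LaunchAgents-style directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp)
        (agents / "com.example.updater.plist").write_bytes(BENIGN_PLIST)
        (agents / "com.apple.softwareupdate.helper.plist").write_bytes(SUSPICIOUS_PLIST)
        return scan_launch_agents(agents)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

To run it against a real host, call `scan_launch_agents(Path.home() / "Library/LaunchAgents")`; every hit is a lead to review by hand, not a verdict, since some legitimate tooling does use `/bin/sh` wrappers.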

These modules “mirror most of the functionality” of the modules associated with CharmPower, and some of the NokNok source code overlaps with macOS malware that was attributed to the group in 2017.

The attackers are also said to have used a bogus file-sharing website, which the researchers believe serves as a mechanism for fingerprinting visitors and tracking successful victims.

“TA453 continues to adapt its malware arsenal, deploying new file types and targeting new operating systems,” the researchers said, adding that the threat actor “continues to work towards the same end goals of intrusive and unauthorized reconnaissance” while “complicating detection efforts.”
