Pierluigi Paganini
July 08, 2023
The Iran-linked threat actor TA453 has been linked to a malware campaign that targets both Windows and macOS.
TA453 is a nation-state actor that overlaps with activity tracked as Charming Kitten, PHOSPHORUS, and APT42.
TA453 in May 2023 started using LNK infection chains instead of Microsoft Word documents with macros.
The spear-phishing message appears as a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs.
The messages demand feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review.
“The initial email also mentioned participation from other well-known nuclear security experts TA453 has previously masqueraded as, in addition to offering an honorarium. TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho.” reads the analysis published by Proofpoint. “When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok by Proofpoint. TA453 also employed multi-persona impersonation in its unending espionage quest.”
The researchers observed the TA453 using a variety of cloud hosting providers to deliver a new infection chain aimed at deploying a new PowerShell backdoor dubbed GorjolEcho.
Following a benign email exchange with the the target recipient, the threat actors sent a malicious link that points to a Google Script macro. Once executed the macro, the recipient is directed to a Dropbox URL. At the provided URL, a password-encrypted .rar file named “Abraham Accords & MENA.rar” was hosted. The .rar archive contained a dropper named “Abraham Accords & MENA.pdf.lnk.” It is worth noting that the use of a .rar archive and an LNK file for malware distribution deviates from TA453’s typical infection chain involving VBA macros or remote template injection. Upon opening the enclosed LNK file the PowerShell downloads additional stages from a cloud hosting provider.
The last-stage malware is the GorjolEcho backdoor, which displays a decoy PDF document, while awaiting next-stage payloads from the C2 server.
GorjolEcho maintains persistence by copying the initial stages malware in a StartUp entry.
If the target is a macOS system, TA453 sends a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application. The file is an AppleScript that connects to the C2 server and downloads a Bash script-based backdoor called NokNok.
“This second stage is a bash script dubbed NokNok that establishes a backdoor on the system. It generates a system identifier by combining the operating system name, hostname, and a random number. That system identifier is then encrypted with the NokNok function and base64 encoded before being used as the payload of an HTTP POST to library-store.camdvr[.]org.” continues the analysis. “The script first establishes persistence by looping indefinitely and posts every two seconds. It expects responses containing either “KillKill” or “ModuleName.” If it receives the former, it terminates the script. If it receives the latter, it executes the content of the response as a command.”
Proofpoint judges NokNok is almost certainly a port or evolution of the aforementioned GorjolEcho and is intended to serve as an initial foothold for TA453 intrusions.
NokNok has a modular structure, the researchers identified four modules used to gather info such as running processes, installed applications, and system metadata. The backdoor maintains persistence by using LaunchAgents.
NokNok is likely a port or evolution of the GorjolEcho backdoor and is used to establish an initial foothold for TA453 intrusions.
“It is likely TA453 operates additional espionage focused modules for both GorjolEcho and NokNok, respectively. The identified NokNok modules mirror a majority of the functionality of the modules for GhostEcho (CharmPower) identified by Check Point.” concludes the report that also includes Indicators of Compromise (IoCs). “This clustering of malware is strengthened by continued code similarities, including specifically the reuse of Stack=”Overflow” variable and similar logging syntax. Some of the code overlaps discussed previously are attributed to Charming Kitten by Google’s Threat Analysis group. Additionally, some of the NokNok functionality resembles Charming Kitten Mac malware reported on in early 2017.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, TA453)
