The Iranian nation-state actor, TA453, has been implicated in a fresh series of spear-phishing attacks that target both Windows and macOS operating systems with malware.
According to a report by Proofpoint, TA453 utilized various cloud hosting providers to implement a unique infection chain, deploying a newly identified PowerShell backdoor called GorjolEcho. In their pursuit of espionage, TA453 adapted their tactics to include an Apple-centric infection chain named NokNok, employing multi-persona impersonation techniques.
TA453, also known as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) and has been active since at least 2011.
Recent findings by Volexity highlighted TA453’s utilization of an updated version of the Powershell implant known as CharmPower (also referred to as GhostEcho or POWERSTAR).
In a mid-May 2023 attack sequence discovered by an enterprise security firm, TA453 targeted a nuclear security expert at a U.S.-based foreign affairs think tank through phishing emails. These emails contained a malicious link leading to a Google Script macro, redirecting the victim to a Dropbox URL hosting a RAR archive. Within the file, an LNK dropper initiated a multi-stage procedure to deploy GorjolEcho, which displayed a decoy PDF document while waiting for next-stage payloads from a remote server.
Upon identifying that the target used an Apple computer, TA453 adjusted its approach by sending a second email containing a ZIP archive that embedded a Mach-O binary disguised as a VPN application.
However, the binary was, in fact, an AppleScript that connected to a remote server to download a Bash script-based backdoor named NokNok. NokNok was capable of fetching up to four modules, gathering information on running processes, installed applications, system metadata, and setting persistence using LaunchAgents.
The researchers noted that NokNok’s modules closely resembled those associated with CharmPower, with some source code overlaps with macOS malware previously attributed to TA453 in 2017.
Additionally, the threat actor employed a fake file-sharing website likely designed to identify visitors and track successful victims. TA453 continually adapts its malware arsenal, deploying novel file types, and targeting new operating systems while striving to achieve its goals of intrusive and unauthorized reconnaissance, simultaneously complicating detection efforts.
