Iranian Hackers Target Windows and macOS Users

Iranian Hackers Exploit Windows and macOS Users with Advanced Malware

A recent report from Proofpoint has connected a group known as TA453, an Iranian nation-state actor, to a series of targeted spear-phishing attacks. These attacks specifically aim at infecting both Windows and macOS operating systems with a sophisticated form of malware.

According to the report, TA453 utilized various cloud hosting providers to execute a new infection technique, deploying a recently discovered PowerShell backdoor called GorjolEcho. Additionally, the hackers attempted to launch an Apple-oriented infection method called NokNok and employed multi-persona impersonation in their relentless pursuit of espionage.

TA453’s activities highlight the evolving tactics and capabilities of Iranian hackers, emphasizing the importance of robust cybersecurity measures for Windows and macOS users to safeguard against such attacks.

TA453, also known as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), and it has been actively operating since at least 2011. Recently, Volexity, an enterprise security firm, brought attention to the group’s use of an updated version of a PowerShell implant named CharmPower (also known as GhostEcho or POWERSTAR).

During an attack sequence uncovered by the security firm in mid-May 2023, the hacking team employed phishing emails to target a nuclear security expert at a U.S.-based think tank specializing in foreign affairs. These emails contained a malicious link leading to a Google Script macro, which, upon activation, redirected the target to a Dropbox URL hosting a RAR archive.


TA453’s Advanced Malware Tactics: Exploiting Apple Users and Evading Detection

Within the file, an LNK dropper initiates a multi-stage process to deploy GorjolEcho. GorjolEcho then presents a decoy PDF document while secretly awaiting next-stage payloads from a remote server.

Upon discovering that the target uses an Apple computer, TA453 adjusts its approach. It sends a second email containing a ZIP archive that embeds a Mach-O binary posing as a VPN application. In reality, it is an AppleScript that connects to a remote server to download a Bash script-based backdoor called NokNok.

NokNok fetches up to four modules capable of collecting running processes, installed applications, system metadata, and establishing persistence via LaunchAgents. These modules resemble those associated with CharmPower, and NokNok shares some source code similarities with macOS malware previously attributed to the group in 2017.
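The article describes NokNok as a Bash-script backdoor that persists through LaunchAgents. The following audit routine is an added example, not code from the article or from Proofpoint: it parses LaunchAgent plists and flags agents whose ProgramArguments run a shell or AppleScript interpreter on a script stored in a user-writable location, which is the pattern a standard user's phished session can create. All plist fixtures, labels and paths below are constructed for illustration.

```python
"""Flag LaunchAgent plists that run a shell or AppleScript interpreter on a
script kept in a user-writable location. Added example; plists are constructed."""
import os
import plistlib
import re

INTERPRETERS = {"bash", "sh", "zsh", "osascript"}
# Paths a non-admin user can write to; a script there needs no privilege to drop.
USER_WRITABLE_PATH = re.compile(r"""(/(?:tmp|private/tmp|var/tmp|Users)/[^\s"']+)""")


def audit_launch_agent(plist_bytes):
    """Return (label, reason) if the agent looks like script-based persistence, else None."""
    data = plistlib.loads(plist_bytes)
    label = data.get("Label", "<no label>")
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    if not args or os.path.basename(args[0]) not in INTERPRETERS:
        return None  # an ordinary application binary, not an interpreter
    for arg in args[1:]:
        # Also catches paths embedded in an `osascript -e 'do shell script ...'` string
        for path in USER_WRITABLE_PATH.findall(arg):
            return label, f"{os.path.basename(args[0])} runs {path} (user-writable path)"
    return None


def audit_all(plists):
    """Audit several plists and return the labels that were flagged."""
    flagged = []
    for plist in plists:
        hit = audit_launch_agent(plist)
        if hit:
            flagged.append(hit[0])
    return flagged


# Constructed fixtures (not real indicators): an ordinary app agent, a shell
# script dropped in /Users/Shared, and an AppleScript wrapper pointing at /tmp.
BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
    "RunAtLoad": True,
})
SHELL_AGENT = plistlib.dumps({
    "Label": "com.vpnclient.helper",
    "ProgramArguments": ["/bin/bash", "/Users/Shared/.vpnclient/helper.sh"],
    "RunAtLoad": True, "KeepAlive": True,
})
OSASCRIPT_AGENT = plistlib.dumps({
    "Label": "com.vpnclient.sync",
    "ProgramArguments": ["/usr/bin/osascript", "-e", 'do shell script "/tmp/.sync/run.sh"'],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for plist in (BENIGN, SHELL_AGENT, OSASCRIPT_AGENT):
        print(audit_launch_agent(plist))
```

On a real host the same function can be run over the bytes of each file in ~/Library/LaunchAgents and /Library/LaunchAgents; hits are triage leads, not verdicts, since legitimate tools also use shell-script agents.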

The threat actor also employs a deceptive file-sharing website, likely used for visitor fingerprinting and tracking successful victims.

Researchers note that TA453 continues to adapt its malware arsenal, employing new file types and targeting different operating systems. The actor pursues intrusive and unauthorized reconnaissance while deliberately complicating detection efforts.
