Iranian Cyberspies Target US-Based Think Tank with New macOS Malware

In a recent cybersecurity incident, an Iran-linked cyberespionage group known as TA453, also publicly recognized as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, targeted a US-based think tank with new macOS malware. The group, which is believed to operate in support of the Islamic Revolutionary Guard Corps (IRGC), has been known to adapt its malware arsenal and target new operating systems.

The Attack and Its Targets

In mid-May 2023, TA453, masquerading as a senior fellow with the Royal United Services Institute (RUSI), sent a benign conversation lure to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review. The initial email also mentioned participation from other well-known nuclear security experts TA453 has previously masqueraded as, in addition to offering an honorarium.

The New Malware: GorjolEcho and NokNok

TA453 used a novel infection chain that delivers the newly identified PowerShell backdoor GorjolEcho. When given the opportunity, TA453 ported its malware and attempted to launch an Apple-flavored infection chain, dubbed NokNok by Proofpoint. The NokNok backdoor was designed to work on Mac operating systems and was delivered to the target via email together with a series of instructions.

Once running, NokNok gives the attacker backdoor access to the system, generates a system identifier, and communicates with a server controlled by TA453. It is capable of starting and stopping commands issued by the threat actor and is likely used to download espionage-focused modules.

The Impersonation Strategy

TA453 continues to iterate and use benign messages to target experts in Middle Eastern affairs and nuclear security. As Joint Comprehensive Plan of Action (JCPOA) negotiations continue and Tehran finds itself increasingly isolated within its sphere of influence, TA453 is focusing a large majority of its targeting efforts against the experts likely informing these foreign policies.

Conclusion

TA453 continues to significantly adapt its infection chains to complicate detection efforts and conduct cyber espionage operations against its targets of interest. The use of Google Scripts, Dropbox, and CleverApps demonstrates that TA453 continues to subscribe to a multi-cloud approach, likely in an effort to minimize disruptions from threat hunters. TA453’s willingness to port malware to Mach-O also demonstrates how much effort the threat actor is willing to put into pursuing its targets. Regardless of the infection method, TA453 continues to deploy modular backdoors in an effort to collect intelligence from highly targeted individuals.

As TA453 continues to use legitimate cloud-hosted services, it is recommended to hunt for applicable Emerging Threats INFO network signatures in network traffic. This case underscores the importance of maintaining robust cybersecurity measures and staying vigilant to the evolving tactics and techniques of threat actors.