uTalk

Official forum for Utopia Community

#1 2023-07-06 23:23:36

thrive
Member
Registered: 2023-01-04
Posts: 2,068

Sophisticated Malware Created by Iranian Hackers Targets Windows & Mac

A fresh wave of spear-phishing attacks that infect both Windows and macOS operating systems with malware have been connected to the Iranian nation-state actor known as TA453.

"TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a recent report.

"When given the chance, TA453 ported its malware and tried to start a NokNok infection chain with an Apple flavor. In its never-ending search for intelligence, TA453 also used multiple persona impersonation."

TA453, also referred to as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a danger organization connected to Iran's Islamic Revolutionary Guard Corps (IRGC), which has been active at least since 2011. The adversary's use of CharmPower (also known as GhostEcho or POWERSTAR), an updated version of a PowerShell implant, was recently highlighted by Volexity.

A nuclear security specialist at a U.S.-based, foreign policy-oriented think tank received phishing emails from the hacking group in the attack sequence, which the enterprise security firm found in mid-May 2023. The emails delivered a malicious link to a Google Script macro that would direct the target to a Dropbox URL hosting a RAR archive.

Malware for Mac and Windows.
An LNK dropper that starts a multi-stage process to deploy GorjolEcho, which then displays a fake PDF document while covertly awaiting next-stage payloads from a remote server, is present in the file.

After realizing that the target is using an Apple computer, TA453 is said to have sent a second email containing a ZIP archive with a Mach-O binary that poses as a VPN program but is actually an AppleScript that connects to a remote server to download the NokNok backdoor, which is based on a Bash script.

For its part, NokNok fetches up to four modules, each of which has the ability to collect system metadata, information about installed applications, information about currently running processes, and persistence settings using LaunchAgents.

The modules "mirror a majority of the functionality" of the modules linked to CharmPower, with some source code overlaps between NokNok and macOS malware that the group was previously linked to in 2017.

The actor also uses a fake file-sharing website, which is probably used to track successful victims and collect visitor fingerprints.

The researchers noted that "TA453 continues to adapt its malware arsenal, deploying novel file types, and targeting new operating systems," adding that the actor "continues to work toward its same end goals of intrusive and unauthorized reconnaissance" while confounding detection efforts.
