Iranian Hackers Use Sophisticated Malware To Target macOS And Windows Users

Posted on July 7, 2023 at 7:49 AM


TA453, a state-sponsored hacking group in Iran, has been linked to a new wave of spear-phishing campaigns. These campaigns have been found to infect both Windows and macOS systems with malware.

Iranian hackers deploy malware to target macOS and Windows

The activity of the TA453 hacker group was revealed in a new report by Proofpoint researchers. The report says the group used a range of cloud hosting providers to deliver a novel infection chain that deploys a newly detected PowerShell backdoor known as GorjolEcho.

In the report, the Proofpoint researchers said that they detected the hacking activity in mid-May 2023. The attack was attributed to the TA453 hacker group that also goes by other names such as APT42, Charming Kitten, Mint Sandstorm, and Yellow Garuda.

The group ran its phishing attack by opening a conversation with its targets. The hackers posed as a senior fellow with the Royal United Services Institute (RUSI) and approached nuclear security experts at a US think tank focused on foreign affairs.

The email sought feedback on a project called “Iran in the Global Security Context.” The hacker later asked the recipient for permission to send a draft for review. The original email also claimed that other prominent nuclear security experts were already participating in the “project.”

“TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho. When given the opportunity, TA453 ported its malware and attempted to launch an Apple-flavoured infection chain dubbed NokNok by Proofpoint. TA453 also employed multi-personal impersonation in its unending espionage quest,” the Proofpoint report said.

The TA453 hacker group has been associated with the Iranian Islamic Revolutionary Guard Corps (IRGC). This group has remained active since 2011. The group has also been associated with a series of hacking campaigns recently.

One of the group's most recent attacks was highlighted by Volexity, which found the hackers using an updated version of a PowerShell implant known as CharmPower. This implant also goes by other names, such as GhostEcho or POWERSTAR.

The email sent to the targets delivered a malicious link to a Google Script macro, which redirected the target to a Dropbox URL hosting a RAR archive.

The archive contained an LNK dropper that kick-started a multi-stage procedure ending in the deployment of GorjolEcho. The tool then displayed a decoy PDF document to reduce the chance that the compromise would be noticed, and waited for next-stage payloads from a remote server.

Hackers deployed the NokNok backdoor

Once the group detected that the intended target was using an Apple computer, TA453 is believed to have changed its approach by sending a second email containing a ZIP archive. This archive held a Mach-O binary that appeared to be a VPN application.

In reality, the binary used an AppleScript to contact a remote server and download a Bash script-based backdoor known as NokNok. The NokNok backdoor fetches as many as four modules that gather a wide range of information from the target.

The NokNok backdoor collects information such as the running processes, installed applications, and system metadata. The backdoor is used to set persistence through LaunchAgents.
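As an added defender's example (not code from the report or from Proofpoint), the following Python triages a LaunchAgent plist for the traits described above: a shell interpreter launching a script from a hidden folder or staging directory, an Apple-looking label pointing at a non-system program, and auto-start. The sample plist is constructed for illustration.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent (not from the Proofpoint report): a shell
# script in a hidden folder, auto-started, with an Apple-looking label.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.vpnhelper</string>
  <key>ProgramArguments</key><array>
    <string>/bin/bash</string>
    <string>/Users/alice/Library/.vpnhelper/update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SHELLS = {"bash", "sh", "zsh", "osascript"}
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def triage_agent(data: bytes) -> list[str]:
    """Return the reasons (possibly none) a LaunchAgent plist deserves review."""
    try:
        agent = plistlib.loads(data)
    except Exception:  # malformed XML or a non-plist file
        return ["unparseable plist"]
    args = [str(a) for a in agent.get("ProgramArguments") or [agent.get("Program", "")] if a]
    reasons = []
    if args and Path(args[0]).name in SHELLS:
        reasons.append(f"launches a shell interpreter: {args[0]}")
    for arg in args[1:]:
        if any(part.startswith(".") for part in Path(arg).parts):
            reasons.append(f"hidden path component in {arg}")
        if arg.startswith(STAGING_DIRS):
            reasons.append(f"script in user-writable staging dir: {arg}")
    label = str(agent.get("Label", ""))
    if label.startswith("com.apple.") and not any(a.startswith("/System/") for a in args):
        reasons.append(f"Apple-looking label {label} runs a non-system program")
    if agent.get("RunAtLoad") or agent.get("KeepAlive"):
        reasons.append("auto-starts (RunAtLoad/KeepAlive)")
    return reasons


if __name__ == "__main__":
    for reason in triage_agent(SAMPLE_AGENT):
        print("flag:", reason)
```

Run `triage_agent` over each `.plist` under `~/Library/LaunchAgents` and review entries that raise two or more reasons; a single weak signal is common in benign agents.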

The modules used in the attack appear to share most of their functionality with the modules linked to CharmPower. NokNok also shares source code with macOS malware that was previously linked to this group in 2017.

The group has also used a fake file-sharing website that likely fingerprints its visitors and serves as a mechanism for tracking successful victims.

The report also says that TA453 has continued to grow its malware arsenal, deploying novel file types and targeting new operating systems. The researchers note that the threat actors continue to pursue the same objectives.

The end goal remains intrusive and unauthorized reconnaissance. The hackers have also taken measures to complicate detection and to avoid being locked out of the intended victim’s system.

Publisher: KoDDoS