TA453: Iranian Cyber Espionage Group Targets Experts with Multi-Platform Malware

A notorious Iranian nation-state hacking group known as TA453, or Charming Kitten, has recently been discovered launching spear-phishing attacks targeting experts in Middle Eastern affairs and nuclear security. Proofpoint has documented the group's tactics, including multi-persona impersonation and a variety of infection chains, used to deliver malware on both Windows and macOS operating systems.

TA453’s Tactics and Targeting:

TA453’s campaign began with benign emails sent to experts in a US-based think tank. The emails posed as a senior fellow from the Royal United Services Institute (RUSI) soliciting feedback on a project called “Iran in the Global Security Context.” The group used the tactic of multi-persona impersonation, mentioning participation from well-known nuclear security experts, to establish rapport with the targets. TA453’s primary targets are experts influencing foreign policies related to the Joint Comprehensive Plan of Action (JCPOA) and Middle Eastern affairs.

Infection Chain: GorjolEcho and NokNok Malware:

TA453 utilized a novel infection chain by leveraging cloud hosting providers. They deployed a newly identified PowerShell backdoor called GorjolEcho on Windows systems. TA453 adapted its approach for macOS targets and attempted to launch an Apple-specific infection chain called NokNok. These malware variants establish persistence, exfiltrate data, and provide a backdoor for further intrusions.

GorjolEcho: The GorjolEcho malware operates on Windows systems, displaying a decoy PDF document while encrypting and exfiltrating information to a command and control (C2) server. It can execute commands from the threat actor and potentially download additional espionage-focused modules.

NokNok: The NokNok malware was specifically designed for macOS. It masquerades as a VPN application but is, in fact, an AppleScript that establishes a backdoor connection to a remote server. NokNok collects system information, runs processes, installs applications, and can set persistence on the infected system.

Modularity and Code Similarities:

Both GorjolEcho and NokNok malware demonstrate modular characteristics, allowing TA453 to adapt their functionality to specific targets. These modules share similarities with previously identified TA453 malware, including CharmPower and GhostEcho. The code overlaps suggest the ongoing development and evolution of TA453’s backdoor capabilities.

Attribution and Motivation:

Proofpoint attributes this campaign to TA453 with high confidence based on code similarities, campaign tactics, and other evidence. The group is linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and operates in support of the IRGC Intelligence Organization (IRGC-IO). TA453’s cyber espionage activities align with the reported priorities of the IRGC-IO.

Conclusion:

TA453, an Iranian cyber espionage group, continues to evolve its tactics and employ multi-platform malware to target experts in Middle Eastern affairs and nuclear security. By utilizing benign messages, multi-persona impersonation, and a variety of infection chains, the group seeks to infiltrate the systems of its targets. The modular nature of their malware variants, such as GorjolEcho and NokNok, allows for flexibility and adaptability. Organizations and individuals involved in these fields should remain vigilant and employ threat-hunting techniques to detect and mitigate TA453’s activities.
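As an added illustration of the threat hunting the conclusion recommends, the Python below turns the two behaviours described above (GorjolEcho: PowerShell shows a decoy PDF while talking to a C2; NokNok: an AppleScript posing as a VPN app that sets persistence) into simple hunting rules and runs them over constructed endpoint telemetry. This is example code written for this page, not Proofpoint's detections or the malware's code; the event schema, the PDF viewer list, the LaunchAgents/LaunchDaemons persistence paths and all sample values are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample endpoint telemetry (hypothetical schema, not from the report).
# One JSON record per line: host, pid, ppid, process image, parent image, event kind, detail.
EVENTS = [json.loads(line) for line in """
{"host":"win-01","pid":410,"ppid":300,"image":"powershell.exe","parent":"explorer.exe","kind":"start","detail":"-w hidden -enc <omitted>"}
{"host":"win-01","pid":411,"ppid":410,"image":"AcroRd32.exe","parent":"powershell.exe","kind":"start","detail":"decoy.pdf"}
{"host":"win-01","pid":410,"ppid":300,"image":"powershell.exe","parent":"explorer.exe","kind":"net","detail":"203.0.113.10:443"}
{"host":"mac-07","pid":920,"ppid":1,"image":"osascript","parent":"SecureVPN.app","kind":"start","detail":"-e <omitted>"}
{"host":"mac-07","pid":920,"ppid":1,"image":"osascript","parent":"SecureVPN.app","kind":"file","detail":"/Users/a/Library/LaunchAgents/com.vpn.plist"}
{"host":"mac-02","pid":77,"ppid":1,"image":"osascript","parent":"Script Editor","kind":"start","detail":"hello.scpt"}
""".strip().splitlines()]

# Assumed list of PDF viewers a decoy document would be opened with.
PDF_VIEWERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
# Assumed macOS persistence locations an AppleScript backdoor might write to.
PERSISTENCE_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/")


def hunt(events):
    """Return (host, pid, rule) tuples for processes matching either behaviour."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)

    # Rule 1 support: PowerShell processes that spawned a PDF viewer (the decoy document).
    spawned_pdf = {
        (e["host"], e["ppid"]) for e in events
        if e["kind"] == "start" and e["image"].lower() in PDF_VIEWERS
        and e["parent"].lower() == "powershell.exe"
    }

    hits = []
    for (host, pid), evs in by_proc.items():
        image, parent = evs[0]["image"].lower(), evs[0]["parent"].lower()
        kinds = {e["kind"] for e in evs}
        # Rule 1: PowerShell shows a decoy PDF and also opens a network connection.
        if image == "powershell.exe" and (host, pid) in spawned_pdf and "net" in kinds:
            hits.append((host, pid, "decoy-pdf-then-c2"))
        # Rule 2: AppleScript interpreter launched by a "VPN" app that writes a launch item.
        wrote_persistence = any(
            e["kind"] == "file" and any(d in e["detail"] for d in PERSISTENCE_DIRS) for e in evs)
        if image == "osascript" and "vpn" in parent and wrote_persistence:
            hits.append((host, pid, "applescript-vpn-lure-persistence"))
    return hits


if __name__ == "__main__":
    for host, pid, rule in hunt(EVENTS):
        print(f"{host} pid={pid} matched {rule}")
```

Both rules key on the combination of behaviours rather than any one of them, which keeps the benign osascript run on mac-02 from firing.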
