Knowlesys

Iranian hackers are targeting Windows and macOS users

The Hacker News website has revealed that a suspected Iranian hacking group called TA453 is linked to a series of new spear phishing attacks that use malware to infect Windows and macOS operating systems.

In a report, Proofpoint noted that TA453 used various cloud-hosted services to deliver a new infection chain that deployed the newly identified PowerShell backdoor GorjolEcho. When the opportunity arose, TA453 ported its malware and attempted to launch an Apple-specific infection chain called NokNok. In addition, the researchers found that TA453 also used multi-persona impersonation in its ongoing espionage campaign.

About TA453

TA453, also known as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a cyberthreat organization associated with Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011.

Recently, cybersecurity firm Volexity highlighted the hackers' use of an updated version of a PowerShell implant called CharmPower (aka GhostEcho or POWERSTAR).

In one particular cyberattack campaign discovered by Volexity in mid-May 2023, the hacking team sent phishing emails to a nuclear security expert at a U.S. think tank focused on foreign affairs. The emails contained a malicious link to a Google Script macro that redirected the target to a Dropbox URL hosting a RAR archive.

The RAR archive contains an LNK dropper, which initiates a multi-stage process that culminates in the deployment of GorjolEcho. GorjolEcho then displays a decoy PDF document while covertly waiting for the next-stage payload from the remote server. Once it realizes that the target is using an Apple computer, TA453 adjusts its entire modus operandi and sends a second email. That email contains a ZIP archive with a Mach-O binary disguised as a VPN application; the binary is actually an AppleScript that connects to the remote server to download NokNok, a backdoor based on a Bash script.

NokNok has access to up to four modules that collect running processes, installed applications, and system metadata, and it uses a LaunchAgent to establish persistence. These modules "mirror" most of the functionality of the modules associated with CharmPower. In addition, NokNok shares some source code with the macOS malware the group used in 2017.

The TA453 attackers also used a fake file-sharing website that may fingerprint visitors and serve as a mechanism for tracking successfully compromised victims.

Finally, researchers say TA453 continually adapts its malware arsenal, deploys new file types, and targets new operating systems.