Iranian Hackers Target macOS Users

  • Esky Man
  • Jul 7, 2023
  • 2 min read

The Iranian state-sponsored group known as TA453 has been implicated in a series of spear-phishing attacks that deliver malware to both Windows and Apple macOS systems.

According to a recent report by Proofpoint, TA453 utilized various cloud hosting providers to execute a unique infection chain, deploying the newly discovered PowerShell backdoor known as GorjolEcho. The report stated, "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho. When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest."


TA453, also recognized as APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group associated with Iran's Islamic Revolutionary Guard Corps (IRGC) and has been active since at least 2011. Volexity recently highlighted the group's utilization of an updated version of the PowerShell implant called CharmPower (also known as GhostEcho or POWERSTAR).


In mid-May 2023, the enterprise security firm uncovered an attack sequence where the hacking group sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs. These emails contained a malicious link to a Google Script macro, which redirected the target to a Dropbox URL hosting a RAR archive.


Within the file, an LNK dropper was present, initiating a multi-stage process to ultimately deploy GorjolEcho. This backdoor displayed a decoy PDF document while discreetly awaiting next-stage payloads from a remote server.


Upon realizing that the target was using an Apple computer, TA453 adjusted its tactics and sent a second email with a ZIP archive containing a Mach-O binary that masqueraded as a VPN application. In reality, it was an AppleScript that connected to a remote server to download a Bash script-based backdoor called NokNok.


NokNok, in turn, retrieved up to four modules capable of collecting information on running processes, installed applications, and system metadata. It also established persistence using LaunchAgents. These modules shared many functionalities with those associated with CharmPower, and NokNok showed overlaps in source code with macOS malware previously attributed to the group in 2017.
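As an added defender-side illustration (not code from the post or from Proofpoint's report), the script below triages macOS LaunchAgent plists for the traits a script-based backdoor of the kind described above needs in order to survive a reboot: an interpreter such as bash or osascript launched automatically on code staged in a writable location. The agent labels, paths and both plists are constructed samples.

```python
import plistlib
from pathlib import PurePosixPath

# Interpreters that a bash- or AppleScript-based backdoor needs to stay resident.
SCRIPT_INTERPRETERS = {"bash", "sh", "zsh", "osascript", "curl", "python3"}
# Writable locations where a dropped script, rather than an installed app, would live.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def launch_agent_findings(plist_bytes: bytes) -> dict:
    """Extract the persistence-relevant traits of one LaunchAgent plist."""
    agent = plistlib.loads(plist_bytes)
    cmdline = []
    if agent.get("Program"):
        cmdline.append(agent["Program"])
    cmdline.extend(agent.get("ProgramArguments", []))
    binary = PurePosixPath(cmdline[0]).name if cmdline else ""
    return {
        "label": agent.get("Label", ""),
        "interpreter": binary if binary in SCRIPT_INTERPRETERS else None,
        "auto_start": bool(agent.get("RunAtLoad") or agent.get("KeepAlive")),
        "staged_paths": [a for a in cmdline if a.startswith(STAGING_PREFIXES)],
        "inline_code": any(flag in cmdline for flag in ("-c", "-e")),
    }


def is_suspicious(f: dict) -> bool:
    """Flag agents that auto-start an interpreter on staged or inline code."""
    return (f["auto_start"] and f["interpreter"] is not None
            and (bool(f["staged_paths"]) or f["inline_code"]))


# Constructed sample (label and path are made up): an agent that re-launches a
# bash script dropped in /tmp at every login and restarts it if it exits.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vpnhelper</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/tmp/.vpn_update.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign control: a vendor agent running an installed app binary.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for blob in (SAMPLE_AGENT, BENIGN_AGENT):
        f = launch_agent_findings(blob)
        print(f["label"], "SUSPICIOUS" if is_suspicious(f) else "ok", f)
```

Real triage would read every plist under /Library/LaunchAgents and each user's ~/Library/LaunchAgents; the heuristics here are a starting point, not a substitute for reviewing the referenced script itself.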


Additionally, TA453 employed a counterfeit file-sharing website, likely for visitor fingerprinting and as a means to track successful victims.


The researchers emphasized that TA453 continues to adapt its arsenal of malware, utilizing novel file types and targeting different operating systems. They also noted that the actor persists in pursuing its unauthorized and intrusive reconnaissance goals while complicating detection efforts.


© 2023 Dave TechGuy