A cyberespionage group tied to the Iranian government that’s known for its sophisticated and highly targeted phishing lures was recently observed switching payload delivery tactics from document template injection to LNK files. In addition, the group appears to have ported one of its backdoors from Windows to macOS.
Known in the security industry as TA453, APT42, Charming Kitten, and Mint Sandstorm, the cyberespionage group is believed to operate on behalf of the Intelligence Organization of Iran’s Islamic Revolutionary Guard Corps (IRGC-IO). This is reflected in its campaigns, which often target experts in Middle Eastern affairs and nuclear security, two topics of great importance to the Iranian regime.
Charming Kitten’s phishing lures often involve impersonating other researchers, journalists, and policy analysts working for think tanks, frequently using multiple personas within the same email chain to earn the victim’s trust. In a recent campaign observed by researchers from security firm Proofpoint, the attackers impersonated a senior fellow with the Royal United Services Institute (RUSI) and reached out to the media contact for a nuclear security expert at a US-based think tank, asking him to review the draft of an upcoming paper called “Iran in the Global Security Context” that the institute was supposedly preparing.
The attackers even offered an honorarium and took the opportunity to introduce three other experts from the institute who were supposedly working on the project. When they didn’t get an immediate response, they used one of these three personas to follow up in the email chain and double down on the request for assistance.
Payload delivery via LNK files
The email included a link that led to a Google Sheets document containing a macro that redirected the user to a Dropbox URL. The URL hosted a password-protected RAR archive called “Abraham Accords & MENA.rar” that contained a file called “Abraham Accords & MENA.pdf.lnk.”
LNK files are Windows shortcut files, but they can be quite powerful because a shortcut specifies a target executable together with command-line arguments, so it can launch a script interpreter such as PowerShell with an attacker-chosen command. This has made them a popular payload delivery mechanism for attackers, especially since Microsoft cracked down on Office macros.
“Using a .rar and LNK file to deploy malware differs from TA453’s typical infection chain of using VBA macros or remote template injection,” the Proofpoint researchers said. “The LNK enclosed in the RAR used PowerShell to download additional stages from a cloud hosting provider.”
The initial PowerShell payload launched by the LNK file downloaded additional base64-encoded script content from a .txt file and decoded it into a function called Borjol. This function then opened an encrypted HTTPS connection to a JavaScript application hosted on a subdomain of the Clever Cloud service, which responded with data that was decrypted into a PowerShell backdoor the researchers dubbed GorjolEcho.
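Because the whole chain hinges on a shortcut whose target and arguments are hidden behind a PDF-looking name, an analyst's first question is "what does this LNK actually run?" The following is an added example, not code from the article or from Proofpoint: a minimal parser for the Windows Shell Link (MS-SHLLINK) header and string-data fields, plus a triage function that flags the traits described above (a double extension, a script-interpreter target, a hidden or minimized window). The sample shortcut it builds is constructed here; only the file name comes from the article, and the placeholder argument string is an assumption, not the real command.

```python
import struct

# Shell Link header constants from MS-SHLLINK (assumed well known; verified against the spec)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO, FLAG_HAS_NAME = 0x01, 0x02, 0x04
FLAG_HAS_RELPATH, FLAG_HAS_WORKDIR, FLAG_HAS_ARGS = 0x08, 0x10, 0x20
FLAG_HAS_ICON, FLAG_IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # window shown minimized, never activated
STRING_FIELDS = (("name", FLAG_HAS_NAME), ("relative_path", FLAG_HAS_RELPATH),
                 ("working_dir", FLAG_HAS_WORKDIR), ("arguments", FLAG_HAS_ARGS),
                 ("icon_location", FLAG_HAS_ICON))
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")


def build_sample_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal .lnk file: header, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings."""
    flags = FLAG_HAS_RELPATH | FLAG_HAS_ARGS | FLAG_IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<II", flags, 0x20)            # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                               # creation/access/write FILETIMEs
    header += struct.pack("<IIIH", 0, 0, show_command, 0)  # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                               # Reserved1/2/3
    assert len(header) == LNK_HEADER_SIZE
    def string_data(s: str) -> bytes:                    # CountCharacters + UTF-16LE, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments) + b"\x00" * 4


def parse_lnk(data: bytes) -> dict:
    """Extract ShowCommand and the StringData fields; skips IDList/LinkInfo if present."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:                          # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:                        # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & FLAG_IS_UNICODE)
    fields = {"show_command": show_command}
    for name, flag in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Return human-readable findings for a shortcut; an empty list means nothing suspicious."""
    info = parse_lnk(data)
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and "." in lower[:-4] and lower[:-4].rsplit(".", 1)[1] in DOC_EXTENSIONS:
        findings.append("double extension disguises shortcut as a document")
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(tool in launch for tool in INTERPRETERS):
        findings.append("shortcut launches a script interpreter")
    if "hidden" in launch:
        findings.append("arguments request a hidden window")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window is minimized without activation")
    return findings


# Constructed sample: the file name is from the article, the target and arguments are assumptions.
SAMPLE_NAME = "Abraham Accords & MENA.pdf.lnk"
SAMPLE_TARGET = "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_ARGS = '-NoProfile -WindowStyle Hidden -Command "<constructed placeholder>"'
SAMPLE_LNK = build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGS, show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_sample_lnk("..\\Documents\\report.pdf", "")

if __name__ == "__main__":
    for finding in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("-", finding)
```

The parser deliberately reads only the fields needed for triage; a production tool would also walk the ExtraData blocks (for example the environment-variable and tracker blocks), which often carry the true target when the relative path is absent.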
This backdoor creates a startup entry to ensure persistence across reboots and then waits for commands from attackers. It also opens a decoy PDF file that matches the content of the phishing message. The researchers didn’t manage to capture any of the commands issued by the attackers, but they believe the backdoor was used to download espionage modules that researchers from security firm Volexity previously dubbed POWERSTAR.
A macOS version of Charming Kitten’s payload
Interestingly, when the attackers realized that one of the victims targeted in the observed campaign used an Apple Mac rather than Windows, they followed up one week later with a payload designed for macOS, presenting it as a RUSI-related VPN client needed to access a shared folder.
The payload executes a series of bash scripts that install a lightweight backdoor the researchers dubbed NokNok. The backdoor appears to be a port of GorjolEcho to macOS, implementing much of the same functionality and having the ability to deploy additional modules.
“These NokNok modules are bash scripts, all of which share an encryption and base64 chunking routine for exfiltration,” the researchers said. “The modules define a SendDataByHttp function, which collects username and system name before encrypting the information with NokNok encryption, base64 encoding it, and chunking it for transportation. Logs are also sent to the TA453-controlled C2 server. Two of the modules (Processes and Persistence) were delivered twice during our analysis.”
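The exfiltration routine described here, encrypt, base64-encode, then split into chunks and send each over HTTP, leaves a recognizable shape in outbound proxy logs: a burst of requests from one host to one destination, each carrying a base64-looking value of the same length, with only the final piece shorter. The following is an added example, not code from the article or from Proofpoint, that looks for that shape. The log format (timestamp, source IP, method, host, path, status) and the chunk size are assumptions, and the log lines are constructed in the code rather than taken from any real incident.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# A base64 alphabet run with optional padding; 16+ characters to skip short tokens.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def build_sample_log() -> list:
    """Constructed proxy log: one benign fetch, one chunked upload run, one lone token."""
    payload = base64.b64encode(b"constructed sample data " * 13).decode()
    chunks = [payload[i:i + 64] for i in range(0, len(payload), 64)]  # 6 x 64 chars + 1 x 32
    lines = ["2023-07-06T10:00:00 10.0.0.5 GET cdn.example.com /static/app.js 200"]
    for i, chunk in enumerate(chunks):
        lines.append(f"2023-07-06T10:01:{i * 5:02d} 10.0.0.5 POST c2.example.invalid /api/log?d={chunk} 200")
    lines.append("2023-07-06T10:02:00 10.0.0.7 GET api.example.com /v1/token?d=QWxhZGRpbjpvcGVuIHNlc2FtZQ== 200")
    return lines


def parse_line(line: str) -> dict:
    """Split one assumed-format log line into its fields."""
    ts, src, method, host, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "status": int(status)}


def extract_chunk(path: str) -> str:
    """Take the first query-parameter value, or the last path segment when there is no query."""
    if "?" in path:
        first = path.split("?", 1)[1].split("&", 1)[0]
        return first.split("=", 1)[1] if "=" in first else first
    return path.rstrip("/").rsplit("/", 1)[-1]


def find_chunked_uploads(lines: list, min_chunks: int = 4, window_seconds: int = 120) -> list:
    """Flag (src, host) pairs that send a tight run of same-sized base64 values."""
    runs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        chunk = extract_chunk(rec["path"])
        if B64_RE.match(chunk):
            runs[(rec["src"], rec["host"])].append((rec["ts"], len(chunk)))
    findings = []
    for (src, host), reqs in runs.items():
        reqs.sort()
        if len(reqs) < min_chunks:
            continue
        span = (reqs[-1][0] - reqs[0][0]).total_seconds()
        if span > window_seconds:
            continue
        sizes = [n for _, n in reqs]
        # Every chunk but the last has the same length; the last may be shorter (tail of the payload).
        uniform = len(set(sizes[:-1])) == 1 and sizes[-1] <= sizes[0]
        if uniform:
            findings.append({"src": src, "host": host, "chunks": len(reqs),
                             "encoded_chars": sum(sizes), "seconds": span})
    return findings


if __name__ == "__main__":
    for hit in find_chunked_uploads(build_sample_log()):
        print(hit)
```

This is a heuristic, not a signature: legitimate telemetry agents also post same-sized encoded blobs, so treat a hit as a lead to pivot on (the destination's reputation, the process that made the connection, whether the source host is one of the targeted users) rather than as a verdict.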
The researchers are certain there are additional modules for both GorjolEcho and NokNok that have yet to be identified, but these developments show that the group continues to adapt to changes in defenses and keeps improving and evolving its toolchain.