Cybersecurity researchers from Proofpoint have recently observed a new espionage campaign in which Iranian state-sponsored actors tried to target Western thinktank members with backdoors.
What makes this campaign special is the fact that the attackers targeted both Apple and Windows-powered endpoints and were quick to pivot to the appropriate OS when needed.
In a report published on the Proofpoint blog, the researchers said how they uncovered the group, known as TA453 (also known as Charming Kitten, Mint Sandstorm or APT42) targeting US-based nuclear security experts with phishing emails. In these emails, the attackers would assume the identity of known professors, thinkers, and other intellectuals engaged in nuclear energy research, and would ask the victim to approve the sending of a research paper.
In a screenshot of an email, shared in the report, the group was seen impersonating professor Karl Roberts, Senior Fellow and Deputy Director of Terrorism and Conflict at RUSI (Royal United Services Institute).
Victims that agree to receive the “paper” would actually get GorjolEcho, which Proofpoint describes as a “newly identified PowerShell backdoor”. When the attackers realized their victims were using a Mac device, they quickly pivoted and tried to distribute NokNok – an “Apple flavored infection chain”.
NokNok, Proofpoint argues, is capable of fetching four modules, which can gather running processes, install applications, harvest system metadata, and achieve persistence. These modules are almost identical to the ones found in CharmPower, as the researchers found overlapping code between the two. Finally, the group was seen sharing a fake website that is most likely set up to harvest victim fingerprints, although the researchers could not be 100% certain of this.
Analysis: Why does it matter?
If Proofpoint’s assessments are correct, TA453 is under the direct command of the Islamic Revolutionary Guard Corps (IRGC), and the IRGC Intelligence Organization (IRGC-IO). In that case, TA453 is a state-sponsored actor working on behalf of the Teheran government. As Teheran is currently engaged in negotiations with Western powers over its nuclear weapons and facilities development, that would mean that Iran is using all available means to establish as good of a negotiating position as it possibly can.
“As Joint Comprehensive Plan of Action (JCPOA) negotiations continue and Tehran finds itself increasingly isolated within its sphere of influence, TA453 is focusing a large majority of its targeting efforts against the experts likely informing these foreign policies,” Proofpoint says.
The report also demonstrates the agility of Charming Kitten, and how fast it can shuffle between Windows and Mac malware, in search of valuable information. Furthermore, in the attack, the group used multiple identities of known nuclear researchers to try and add credibility to the entire campaign. It reinforces recent warnings made by cybersecurity experts that even email chains, in which multiple people are involved, shouldn’t always be trusted.
TA453 is a known threat actor, one that’s been active since at least 2017, and probably even before that. Proofpoint has been tracking it for years now, and concluded that the group mostly targets academics, researchers, diplomats, dissidents, journalists, and human rights workers. Its MO usually includes web beacons in message bodies, before trying to steal their target’s credentials. Usually, the attackers would engage in benign conversations with their victims for weeks, before trying to slip in any malware.
But the group isn’t targeting just people’s computers. Apparently, last year it tried to lure some people out in the open, in order to kidnap them. Most of its targets are in the Western world, with some being Israelis, as well.
What have others said about the campaign?
In its writeup on the story, CybersecurityNews stressed how far the threat actor was willing to go to avoid being detected, and what it’s capable of doing in order to limit disruptions from threat researchers.
“To evade detection efforts and carry out cyber espionage operations against its target of interest, TA453 continues to dramatically modify its infection chains,” the publication states. “The employment of Google Scripts, Dropbox, and CleverApps shows that TA453 continues to adhere to a multi-cloud strategy in its efforts to probably limit disruptions from threat hunters,” it concluded.
TechCentral, on the other hand, focused on the threat actors’ agility, as well as the fact that Mac-powered devices are being increasingly targeted.
“The incident serves as a reminder of the adaptability of the threat actors,” the publication states. “In this instance, LNK files were sent instead of Microsoft Word documents with macros, and swiftly ported to macOS when the opportunity arose.”
As for Apple, the report states Macs are becoming “progressively more popular in the enterprise. Hence, they became “correspondingly more of a target for threat actors.”
Discussing the findings with SC Media, senior threat researcher at Proofpoint, Joshua Miller, said the campaign appears to be “extremely targeted”, as no more than 10 people were identified having received phishing emails from the group. Miller also added that no one was actually compromised.
If you want to learn more, make sure to read our in-depth guide on what phishing is, as well as everything you need to know about phishing. You should also check out our guide for the best ID theft protection, as well as best free antivirus programs.