
Charming Kitten hackers use new ‘NokNok’ malware for macOS

Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems.

The campaign started in May and relies on a different infection chain than previously observed, with LNK files deploying the payloads instead of the typical malicious Word documents seen in past attacks from the group.

Charming Kitten is also known as APT42 or Phosphorus and has launched at least 30 operations in 14 countries since 2015, according to Mandiant.

Google has linked the threat actor to the Iranian state, more specifically, the Islamic Revolutionary Guard Corps (IRGC).

In September 2022, the U.S. government managed to identify and charge members of the threat group.

Proofpoint reports that the threat actor has now abandoned the macro-based infection methods involving laced Word documents and instead deploys LNK files to load their payloads.

Regarding the phishing lures and social engineering methods seen in the campaign, the hackers posed as nuclear experts from the U.S. and approached targets with an offer to review drafts on foreign policy topics.

In many cases, the attackers insert other personas in the conversation to add a sense of legitimacy and establish a rapport with the target.

Second email from another fake persona (Proofpoint)

Charming Kitten’s impersonation or fake persona assumption in phishing attacks has been documented, and so has its use of ‘sock puppets’ to create realistic conversation threads.

Attacks on Windows

After gaining the target’s trust, Charming Kitten sends a malicious link that contains a Google Script macro, redirecting the victim to a Dropbox URL.

This external source hosts a password-protected RAR archive with a malware dropper that leverages PowerShell code and an LNK file to stage the malware from a cloud hosting provider.

The final payload is GorjolEcho, a simple backdoor that accepts and executes commands from its remote operators.

To avoid raising suspicion, GorjolEcho will open a PDF with a topic relevant to the discussion the attackers had with the target previously.

GorjolEcho infection chain (Proofpoint)

Attacks on macOS

If the victim uses macOS, which the hackers typically realize after they fail to infect them with the Windows payload, they send a new link to “library-store[.]camdvr[.]org” that hosts a ZIP file masquerading as a RUSI (Royal United Services Institute) VPN app.

Follow-up email sent to macOS users (Proofpoint)
Fake RUSI VPN site dropping the NokNok malware (Proofpoint)

When the Apple script file in the archive is executed, a curl command fetches the NokNok payload and establishes a backdoor on the victim’s system.

NokNok infection chain (Proofpoint)
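The AppleScript-to-curl step described above can be hunted for in process telemetry. The following is an added example, not code from Proofpoint or the original article: the JSON event shape, the `curl_findings` helper and the sample events are assumptions constructed for illustration, and only the defanged domain comes from the article.

```python
import json
from urllib.parse import urlsplit
# Domain as reported on this page, stored defanged and refanged only to compare.
REPORTED = {"library-store[.]camdvr[.]org"}
# Assumption: AppleScript runs under osascript (CLI) or applet (saved app bundle).
SCRIPT_HOSTS = {"osascript", "applet"}

def refang(domain):
    return domain.replace("[.]", ".").lower()

def ancestors(event, by_pid):
    """Yield parent, grandparent, ... while guarding against pid loops."""
    seen = set()
    while event["ppid"] in by_pid and event["ppid"] not in seen:
        seen.add(event["ppid"])
        event = by_pid[event["ppid"]]
        yield event

def curl_findings(lines):
    """Return (pid, sorted reasons) for each suspicious curl execution."""
    events = [json.loads(line) for line in lines if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    bad_hosts = {refang(d) for d in REPORTED}
    findings = []
    for e in events:
        if e["name"] != "curl":
            continue
        reasons = set()
        # "do shell script" usually puts sh between the script host and curl.
        if any(a["name"] in SCRIPT_HOSTS for a in ancestors(e, by_pid)):
            reasons.add("applescript-lineage")
        hosts = {urlsplit(arg).hostname for arg in e["argv"] if "://" in arg}
        if hosts & bad_hosts:
            reasons.add("reported-domain")
        if reasons:
            findings.append((e["pid"], sorted(reasons)))
    return findings

# Constructed process-start events (not from the report); paths are placeholders.
SAMPLE = [
    '{"pid": 410, "ppid": 1, "name": "osascript", "argv": ["osascript", "example.scpt"]}',
    '{"pid": 411, "ppid": 410, "name": "sh", "argv": ["sh", "-c", "curl ..."]}',
    '{"pid": 412, "ppid": 411, "name": "curl", "argv": ["curl", "-s", "https://files.example.net/a"]}',
    '{"pid": 500, "ppid": 1, "name": "zsh", "argv": ["zsh"]}',
    '{"pid": 501, "ppid": 500, "name": "curl", "argv": ["curl", "https://example.com/"]}',
    '{"pid": 502, "ppid": 500, "name": "curl", "argv": ["curl", "https://%s/x.zip"]}' % refang(next(iter(REPORTED))),
]

if __name__ == "__main__":
    print(curl_findings(SAMPLE))
```

The lineage rule fires on any curl descended from a script host regardless of destination, so it keeps working after the hosting domain changes, while the domain rule catches retrieval from an interactive shell.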

NokNok generates a system identifier and then uses four bash script modules to set persistence, establish communication with the command and control (C2) server, and start exfiltrating data to it.

NokNok modules (Proofpoint)

The NokNok malware gathers system information that includes the version of the OS, running processes, and installed applications.

NokNok encrypts all collected data, encodes it in the base64 format, and exfiltrates it.

Proofpoint also mentions that NokNok might feature more specific espionage-related functionality through other unseen modules.

The suspicion is based on code similarities to GhostEcho, previously analyzed by Check Point.

That backdoor featured modules that allowed taking screenshots, command execution, and cleaning the infection trail. It is likely that NokNok has these functions too.

Overall, this campaign shows that Charming Kitten has a high degree of adaptability and is capable of targeting macOS systems when necessary, and it highlights the growing threat of sophisticated malware campaigns to macOS users.

Source: https://www.bleepingcomputer.com/news/security/charming-kitten-hackers-use-new-noknok-malware-for-macos/
