Cybersecurity researchers at Proofpoint have detected a recent espionage campaign, relying on backdoors, aimed at members of Western think tanks. The campaign has been attributed to the Iranian regime’s state-sponsored actors, who demonstrated their capability to target both Apple and Windows-powered devices, adapting seamlessly to each operating system.
In a report published on the Proofpoint blog, researchers uncovered the activities of a group known as TA453, also known as Charming Kitten, Mint Sandstorm, or APT42. This group targeted nuclear security experts in the United States through phishing emails. The emails impersonated renowned professors, intellectuals, and researchers involved in nuclear energy studies, requesting victims’ approval to send a research paper.
The report includes a screenshot of an email where the group posed as Professor Karl Roberts, a Senior Fellow and Deputy Director of Terrorism and Conflict at RUSI (Royal United Services Institute). Victims who agreed to receive the supposed research paper were instead exposed to GorjolEcho, a recently discovered PowerShell backdoor as described by Proofpoint. When the attackers realized that their victims were using Mac devices, they quickly shifted their approach and attempted to distribute NokNok, a tailored malware chain for Apple devices.
According to Proofpoint, NokNok can fetch four modules, enabling it to collect information on running processes, install applications, gather system metadata, and establish persistence. These modules resemble those found in CharmPower, with overlapping code identified by the researchers. The group was also observed sharing a counterfeit website, which may have been designed to fingerprint visitors, although this could not be confirmed with certainty.
TA453, known as Charming Kitten, operates under the direct command of the Islamic Revolutionary Guard Corps (IRGC) and the IRGC Intelligence Organization (IRGC-IO), establishing it as a state-sponsored actor working on behalf of the Tehran regime. Given the Iranian regime’s ongoing negotiations with Western powers regarding its nuclear weapons and facilities development, this suggests the regime is using all available means to secure a favorable negotiating position.
Proofpoint states that as the Joint Comprehensive Plan of Action (JCPOA) negotiations progress and Tehran faces increasing isolation, TA453 is intensifying its targeting efforts towards experts likely influencing foreign policies.
The report highlights the agility of Charming Kitten, demonstrating its ability to transition quickly between Windows and Mac malware to obtain valuable information. The group also employed multiple identities of recognized nuclear researchers to lend credibility to the campaign. This reinforces warnings from cybersecurity experts that even email chains involving multiple participants should not always be trusted.
TA453 has been active since at least 2017 and primarily targets academics, researchers, diplomats, dissidents, journalists, and human rights workers. The group typically uses web beacons in message bodies before attempting to steal the target’s credentials. They engage in benign conversations with victims for weeks before introducing any malware.
Interestingly, TA453’s activities extend beyond computers: the group has attempted to lure individuals into the open with the intention of kidnapping them. Most targets are in the Western world, including some Israelis.
TA453 demonstrates a strong commitment to evading detection and minimizing disruptions from threat researchers. The group modifies its infection chains extensively, employing Google Scripts, Dropbox, and CleverApps in a multi-cloud strategy to reduce the risk of detection.
The agility of the threat actors, particularly their shift towards targeting Mac-powered devices, has been highlighted. The incident serves as a reminder of the adaptability of threat actors, as they sent LNK files instead of Microsoft Word documents with macros and swiftly adjusted their tactics to target macOS when the opportunity arose.
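Two of the tradecraft details above lend themselves to a simple mail-gateway check: the web beacons TA453 places in message bodies and the LNK files it sends in place of macro-laden Word documents. The following Python script is an added example written for this article, not code from Proofpoint or from the report. It builds a constructed sample lure (the addresses, tracker URL and attachment name are all made up) and then scans it for remote tracking pixels in the HTML body and for attachments that either carry a .lnk extension or begin with the Windows Shell Link header bytes.

```python
"""Flag TA453-style lure indicators in an RFC 822 message: HTML web beacons and LNK attachments.

Added example for this article; the sample message below is constructed, not a real capture.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Images no larger than this (in either dimension) are treated as tracking pixels.
BEACON_MAX_DIM = 2

# Windows Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")


class _ImgCollector(HTMLParser):
    """Collect the attribute dictionaries of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lower-cases tag names for us
            self.images.append(dict(attrs))


def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px' into an int (None if absent)."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", str(value))
    return int(m.group(1)) if m else None


def find_web_beacons(html):
    """Return the src URLs of <img> tags that look like tracking pixels.

    A beacon here means a remotely hosted image (http/https, not cid: or data:)
    that is either tiny (0-2px in width or height) or hidden via inline style.
    """
    parser = _ImgCollector()
    parser.feed(html)
    beacons = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        if not re.match(r"https?://", src, re.I):
            continue  # inline or embedded images cannot report back to a sender
        width = _dimension(attrs.get("width"))
        height = _dimension(attrs.get("height"))
        style = (attrs.get("style") or "").lower().replace(" ", "")
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = (width is not None and width <= BEACON_MAX_DIM) or \
               (height is not None and height <= BEACON_MAX_DIM)
        if tiny or hidden:
            beacons.append(src)
    return beacons


def scan_message(raw):
    """Scan a raw message (bytes) and return a list of (indicator, detail) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        disposition = part.get_content_disposition()
        filename = part.get_filename() or ""
        if ctype == "text/html" and disposition != "attachment":
            for src in find_web_beacons(part.get_content()):
                findings.append(("web_beacon", src))
        elif disposition == "attachment" or filename:
            payload = part.get_payload(decode=True) or b""
            # Check both the extension and the header bytes: a renamed shortcut
            # still starts with the Shell Link header.
            if filename.lower().endswith(".lnk") or payload.startswith(LNK_MAGIC):
                findings.append(("lnk_attachment", filename))
    return findings


def build_sample_message():
    """Constructed lure: a 'draft paper' mail with a tracking pixel and a .lnk attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # constructed address
    msg["To"] = "analyst@example.invalid"         # constructed address
    msg["Subject"] = "Draft paper for your review"
    msg.set_content("Please find the draft attached.")
    msg.add_alternative(
        '<p>Please find the draft attached.</p>'
        '<img src="https://tracker.example.invalid/open?id=abc123" width="1" height="1">'
        '<img src="cid:logo" width="120" height="40">',
        subtype="html",
    )
    # Constructed attachment: only the header bytes of a shortcut, not a working .lnk file.
    fake_lnk = LNK_MAGIC + b"\x00" * 32
    msg.add_attachment(fake_lnk, maintype="application", subtype="octet-stream",
                       filename="Draft_Paper.pdf.lnk")
    return msg.as_bytes()


if __name__ == "__main__":
    for indicator, detail in scan_message(build_sample_message()):
        print(f"{indicator}: {detail}")
```

The beacon check deliberately ignores `cid:` and `data:` images, since only a remotely fetched image can tell the sender that the mail was opened; the LNK check looks at the header bytes as well as the file name so that a shortcut renamed to look like a document is still caught. In production this would sit behind the gateway's MIME parsing rather than re-parsing the message, and the remote-image rule would be tuned against the organisation's legitimate newsletter traffic.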
As Macs gain popularity in enterprise environments, they become a more attractive target for threat actors, as the report notes: the wider the Mac footprint, the greater its appeal to malicious actors.
Joshua Miller, a senior threat researcher at Proofpoint, described the campaign as highly targeted, with only a small number of individuals identified as recipients of phishing emails from TA453. Miller also noted that no compromises were reported among the targeted individuals.
The Iranian regime’s history of cyber activities is marked by a series of threats and attacks. Over the years, Iran has emerged as a significant player in cyber warfare, employing state-sponsored and non-state actors to carry out its objectives.
The regime’s cyber operations have targeted a wide range of entities, including governments, corporations, and individuals. Notable incidents include the widespread use of spear-phishing campaigns by groups like APT34 and APT33. The Iranian regime’s cyber activities have often been motivated by political and strategic goals, seeking to exert influence, gather intelligence, disrupt adversaries, and advance its national interests.