Iran-linked threat actor APT42 has been identified as the source of a recent malware campaign that targets both Windows and macOS operating systems.

APT42, also known as Charming Kitten, PHOSPHORUS and TA453, is a notorious nation-state actor known for its cyber espionage activities.

In May 2023, APT42 introduced a new technique in their attack methodology by utilizing LNK infection chains instead of the usual Microsoft Word documents with macros.


The campaign started with spear-phishing emails that appeared to be benign conversations: the sender impersonated a senior fellow at the Royal United Services Institute (RUSI) and wrote to a public media contact at a US-based think tank focused on foreign affairs, specifically nuclear security.

The emails requested feedback on a project named “Iran in the Global Security Context” and sought permission to send a draft for review. The initial email mentioned the involvement of other prominent nuclear security experts previously impersonated by APT42, along with the offer of an honorarium.


The analysis published by Proofpoint reveals that the threat actor utilized various cloud hosting providers to deploy a new PowerShell backdoor named GorjolEcho, which served as their primary payload.

“When given the opportunity, TA453 ported its malware and attempted to launch an Apple-flavored infection chain dubbed NokNok by Proofpoint. TA453 also employed multi-persona impersonation in its unending espionage quest.” - Proofpoint

The researchers noted that APT42 deviated from its typical infection chain involving VBA macros or remote template injection, opting for a .rar archive and an LNK file for malware distribution. Upon opening the LNK file, PowerShell was executed, which downloaded additional stages from a cloud hosting provider.

The final stage involved the deployment of the GorjolEcho backdoor, which disguised itself as a decoy PDF document while awaiting instructions from the command-and-control (C2) server.

On macOS systems, APT42 followed up with a second email containing a ZIP archive that embedded a Mach-O binary masquerading as a VPN application.


This binary was actually an AppleScript that established a connection with the C2 server and downloaded a Bash script-based backdoor named NokNok. The NokNok backdoor maintained persistence by using LaunchAgents.

“NokNok is almost certainly a port or evolution of the aforementioned GorjolEcho and is intended to serve as an initial foothold for TA453 intrusions.” - Proofpoint

The NokNok backdoor exhibited a modular structure, with four identified modules responsible for gathering information on running processes, installed applications, and system metadata. It is likely that APT42 operates additional espionage-focused modules for both GorjolEcho and NokNok, as evidenced by code similarities with previously identified malware variants.
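Because the article describes NokNok as a Bash-script backdoor that persists through LaunchAgents, a defender's first triage step on a macOS host is to audit the LaunchAgent property lists for entries that launch a shell interpreter or a script from a user-writable path. The script below is an added example, not code from the article or from Proofpoint; the two plist documents, the label `com.example.update` and the paths in them are constructed for illustration and are not NokNok indicators.

```python
"""Triage helper for macOS LaunchAgent plists (added example, not from the article).

It flags agents that launch a shell interpreter, reference user-writable paths,
or are configured to restart automatically. Flags are hints for an analyst,
not a verdict: many legitimate user agents also live under /Users.
"""
import plistlib
from pathlib import Path

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash", "zsh"}
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return the reasons an agent looks suspicious (empty list = nothing flagged)."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    args = [str(a) for a in args if a]
    if not args:
        return ["no program specified"]

    reasons = []
    exe = args[0]
    if exe in SHELLS:
        reasons.append(f"launches a shell interpreter: {exe}")
        # Typical pattern for script-based backdoors: sh -c "<script or inline command>"
        if len(args) >= 3 and args[1] == "-c":
            reasons.append(f"inline shell command: {args[2][:60]}")
    for a in args:
        if a.startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"references user-writable path: {a}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restarts automatically if killed)")
    return reasons


def audit_directory(directory: str) -> dict[str, list[str]]:
    """Audit every *.plist in a directory (e.g. ~/Library/LaunchAgents); returns {file: reasons}."""
    findings = {}
    for path in Path(directory).expanduser().glob("*.plist"):
        try:
            reasons = audit_launch_agent(path.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[str(path)] = reasons
    return findings


# Constructed sample plists (hypothetical labels and paths, not real indicators).
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.update</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>-c</string>
    <string>/Users/alice/Library/Application Support/.update/agent.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_AGENT), ("benign", BENIGN_AGENT)):
        print(name, "->", audit_launch_agent(blob) or "nothing flagged")
    # On a real host: print(audit_directory("~/Library/LaunchAgents"))
```

Run it against `~/Library/LaunchAgents` and `/Library/LaunchAgents` on the host under investigation; any agent that combines a shell interpreter, a script under the user's home directory and automatic restart deserves a look at the script it launches.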

Proofpoint’s report includes Indicators of Compromise (IoCs) to help organizations identify potential APT42 activity and take appropriate defensive measures.

Indicators of Compromise (IoCs)

Hash / Domain / IP
464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d
ddead6e794b72af26d23065c463838c385a8fdff9fb1b8940cd2c23c3569e43b
1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251da4
e98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f79
5dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026
b6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eb
acfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5c3487c
library-store[.]camdvr[.]org
144.217.129[.]176
filemanager.theworkpc[.]com
fuschia-rhinestone.cleverapps[.]io
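The list above is defanged (`[.]`), so it cannot be pasted straight into a search. The script below is an added example, not part of the article or of Proofpoint's report: it refangs the IoCs exactly as listed on this page, classifies each as a SHA-256 hash, IPv4 address or domain, and scans log lines for direct matches and for subdomains of a listed domain. The five log lines are constructed for illustration and do not come from real telemetry.

```python
"""Match the page's IoCs against log lines (added example, not from the article)."""
import re

# IoCs copied from the page, still in their defanged form.
RAW_IOCS = """
464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d
ddead6e794b72af26d23065c463838c385a8fdff9fb1b8940cd2c23c3569e43b
1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251da4
e98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f79
5dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026
b6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eb
acfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5c3487c
library-store[.]camdvr[.]org
144.217.129[.]176
filemanager.theworkpc[.]com
fuschia-rhinestone.cleverapps[.]io
""".split()


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify(indicator: str) -> str:
    """Return 'sha256', 'ipv4' or 'domain' for a refanged, lower-cased indicator."""
    if re.fullmatch(r"[0-9a-f]{64}", indicator):
        return "sha256"
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", indicator):
        return "ipv4"
    return "domain"


def build_index(raw_iocs) -> dict[str, set[str]]:
    """Refang and bucket the indicators by type for fast lookup."""
    index = {"sha256": set(), "ipv4": set(), "domain": set()}
    for ioc in raw_iocs:
        clean = refang(ioc.strip().lower())
        index[classify(clean)].add(clean)
    return index


# Candidate tokens worth checking: 64-hex hashes, dotted quads, dotted host names.
TOKEN_RE = re.compile(r"[0-9a-f]{64}|(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,}")


def scan_line(line: str, index: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (type, matched indicator) pairs found in one log line."""
    hits = []
    for token in TOKEN_RE.findall(line.lower()):
        kind = classify(token)
        if token in index[kind]:
            hits.append((kind, token))
        elif kind == "domain":
            # A query for a subdomain of a listed C2 domain is also a hit.
            for domain in index["domain"]:
                if token.endswith("." + domain):
                    hits.append((kind, domain))
    return hits


def scan_logs(lines, index) -> list[tuple[int, list[tuple[str, str]]]]:
    """Return [(line_number, hits)] for every line with at least one match."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, index)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines (DNS, proxy and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2023-06-02T10:14:03Z dns host=ws-17 qname=library-store.camdvr.org type=A",
    "2023-06-02T10:14:05Z proxy host=ws-17 dst=144.217.129.176:443 method=CONNECT",
    "2023-06-02T10:15:11Z edr host=ws-17 file=C:\\Users\\a\\Downloads\\draft.lnk "
    "sha256=464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d",
    "2023-06-02T10:16:00Z dns host=ws-18 qname=updates.example.com type=A",
    "2023-06-02T10:16:40Z dns host=ws-19 qname=cdn.filemanager.theworkpc.com type=A",
]

if __name__ == "__main__":
    ioc_index = build_index(RAW_IOCS)
    for number, hits in scan_logs(SAMPLE_LOGS, ioc_index):
        print(f"line {number}: {hits}")
```

Feed it real DNS, proxy or EDR exports one line at a time; hash matches identify the dropped LNK/archive artefacts, while domain and IP matches point at hosts that have contacted the cloud-hosted staging or C2 infrastructure and should be isolated for investigation.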