This new Mac malware campaign targets nuclear experts

Date:
Fri, 07 Jul 2023 13:09:17 +0000

Description:
Iranian state-sponsored actors are at it again, and now are time pivoting quickly to Mac when learning the victim's OS.

FULL STORY ======================================================================

Cybersecurity researchers from Proofpoint have recently observed a new espionage campaign in which Iranian state-sponsored actors tried to target Western thinktank members with backdoors.

What makes this campaign special is the fact that the attackers targeted both Apple and Windows-powered endpoints and were quick to pivot to the
appropriate OS when needed.

In a report published on the Proofpoint blog, the researchers said how they uncovered the group, known as TA453 (also known as Charming Kitten, Mint Sandstorm or APT42) targeting US-based nuclear security experts with phishing emails. In these emails, the attackers would assume the identity of known professors, thinkers, and other intellectuals engaged in nuclear energy research, and would ask the victim to approve the sending of a research
paper.

In a screenshot of an email, shared in the report, the group was seen impersonating professor Karl Roberts, Senior Fellow and Deputy Director of Terrorism and Conflict at RUSI (Royal United Services Institute).

Victims that agree to receive the paper would actually get GorjolEcho, which Proofpoint describes as a newly identified PowerShell backdoor. When the attackers realized their victims were using a Mac device, they quickly
pivoted and tried to distribute NokNok - an Apple flavored infection chain.

NokNok, Proofpoint argues, is capable of fetching four modules, which can gather running processes, install applications, harvest system metadata, and achieve persistence. These modules are almost identical to the ones found in CharmPower, as the researchers found overlapping code between the two. Finally, the group was seen sharing a fake website that is most likely set up to harvest victim fingerprints, although the researchers could not be 100% certain of this. Analysis: Why does it matter?

If Proofpoints assessments are correct, TA453 is under the direct command of the Islamic Revolutionary Guard Corps (IRGC), and the IRGC Intelligence Organization (IRGC-IO). In that case, TA453 is a state-sponsored actor
working on behalf of the Teheran government. As Teheran is currently engaged in negotiations with Western powers over its nuclear weapons and facilities development, that would mean that Iran is using all available means to establish as good of a negotiating position as it possibly can.

As Joint Comprehensive Plan of Action (JCPOA) negotiations continue and
Tehran finds itself increasingly isolated within its sphere of influence, TA453 is focusing a large majority of its targeting efforts against the experts likely informing these foreign policies, Proofpoint says.

The report also demonstrates the agility of Charming Kitten, and how fast it can shuffle between Windows and Mac malware , in search of valuable information. Furthermore, in the attack, the group used multiple identities
of known nuclear researchers to try and add credibility to the entire campaign. It reinforces recent warnings made by cybersecurity experts that even email chains, in which multiple people are involved, shouldnt always be trusted.

TA453 is a known threat actor, one thats been active since at least 2017, and probably even before that. Proofpoint has been tracking it for years now, and concluded that the group mostly targets academics, researchers, diplomats, dissidents, journalists, and human rights workers. Its MO usually includes
web beacons in message bodies, before trying to steal their targets credentials. Usually, the attackers would engage in benign conversations with their victims for weeks, before trying to slip in any malware.

But the group isnt targeting just peoples computers. Apparently, last year it tried to lure some people out in the open, in order to kidnap them. Most of its targets are in the Western world, with some being Israelis, as well. What have others said about the campaign?

In its writeup on the story, CybersecurityNews stressed how far the threat actor was willing to go to avoid being detected, and what its capable of
doing in order to limit disruptions from threat researchers.

To evade detection efforts and carry out cyber espionage operations against its target of interest, TA453 continues to dramatically modify its infection chains, the publication states. The employment of Google Scripts, Dropbox,
and CleverApps shows that TA453 continues to adhere to a multi-cloud strategy in its efforts to probably limit disruptions from threat hunters, it concluded.

TechCentral , on the other hand, focused on the threat actors agility, as well as the fact that Mac-powered devices are being increasingly targeted.

The incident serves as a reminder of the adaptability of the threat actors, the publication states. In this instance, LNK files were sent instead of Microsoft Word documents with macros, and swiftly ported to macOS when the opportunity arose.

As for Apple, the report states Macs are becoming progressively more popular in the enterprise. Hence, they became correspondingly more of a target for threat actors.

Discussing the findings with SC Media, senior threat researcher at
Proofpoint, Joshua Miller, said the campaign appears to be extremely
targeted, as no more than 10 people were identified having received phishing emails from the group. Miller also added that no one was actually
compromised. Go deeper

If you want to learn more, make sure to read our in-depth guide on what phishing is , as well as everything you need to know about phishing . You should also check out our guide for the best ID theft protection , as well as best free antivirus programs . Check out the best firewalls right now



======================================================================
Link to news story: https://www.techradar.com/pro/this-new-mac-malware-campaign-targets-nuclear-ex perts


--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)