CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users

admin by admin
July 7, 2023
in Information Security


Jul 06, 2023Ravie LakshmananEndpoint Security / Malware

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.

“TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho,” Proofpoint said in a new report.

“When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest.”

TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary’s use of an updated version of a Powershell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs that delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL hosting a RAR archive.

Windows macOS Malware

Present within the file is an LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document, while covertly awaiting next-stage payloads from a remote server.

But upon realizing that the target is using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application, but in reality, is an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

NokNok, for its part, fetches as many as four modules that are capable of gathering running processes, installed applications, and system metadata as well as setting persistence using LaunchAgents.

The modules “mirror a majority of the functionality” of the modules associated with CharmPower, with NokNok sharing some source code overlaps with macOS malware previously attributed to the group in 2017.

Also put to use by the actor is a bogus file-sharing website that likely functions to fingerprint visitors and act as a mechanism to track successful victims.

“TA453 continues to adapt its malware arsenal, deploying novel file types, and targeting new operating systems,” the researchers said, adding the actor “continues to work toward its same end goals of intrusive and unauthorized reconnaissance” while simultaneously complicating detection efforts.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Innatearchitecture ~ Future of CIO

Next Post

What Are the Benefits of Chatbots?

Related Posts

Information Security

New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks

by admin
September 30, 2023
Information Security

Manage AWS Security Hub using CloudFormation

by admin
September 30, 2023
Information Security

Is that how it works? Hacking and scamming in popular TV shows

by admin
September 30, 2023
Information Security

Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts

by admin
September 29, 2023
Information Security

Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure

by admin
September 29, 2023
Next Post

What Are the Benefits of Chatbots?

Recommended

InnovationBreakthrough Chapter V Innovation Risk Management ~ Future of CIO

September 30, 2023

New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks

September 30, 2023

Manage AWS Security Hub using CloudFormation

September 30, 2023

Is that how it works? Hacking and scamming in popular TV shows

September 30, 2023

InnovationBreakthrough Introduction:Chapter 3 Business Model Innovation ~ Future of CIO

September 29, 2023

Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts

September 29, 2023

© CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.