Charming Kitten hackers employ latest NokNok malware to target macOS users

Charming Kitten's new approach and targeting

Charming Kitten hackers employ latest NokNok malware to target macOS usersMac users targeted by NokNok malware developed by hackers tied to Iran

Security researchers have discovered a new campaign by the infamous Charming Kitten APT group, also known as APT42 or Phosphorus. The campaign, which began in May, highlights the group's evolving tactics and introduces a new malware variant called 'NokNok' that is specifically designed to target macOS systems. This development indicates a shift in Charming Kitten's infection chain, as LNK files are now used instead of the previously observed malicious Word documents.

Since 2015, Charming Kitten, a threat actor with strong ties to the Iranian state, particularly the Islamic Revolutionary Guard Corps (IRGC), has been active. According to Mandiant,[1] they have carried out more than 30 operations in 14 countries. Notably, the US government successfully identified and charged several members of the group in September 2022,[2] shedding light on their activities and mode of operation.

Modus operandi and social engineering techniques

Charming Kitten's most recent campaign uses sophisticated phishing lures and social engineering techniques. The attackers pretended to be US nuclear experts, approaching their targets with an enticing offer to review drafts on foreign policy issues. Threat actors introduced additional personas into the conversation to establish credibility and build rapport, creating the illusion of a legitimate discussion.

Charming Kitten gained the target's trust before deploying a malicious link containing a Google Script macro that redirected victims to a Dropbox URL. A password-protected RAR archive hosted on an external source is used as a malware dropper in this case. To stage the malware from a cloud hosting provider, PowerShell code and an LNK file are used. GorjolEcho, the final payload, functions as a simple backdoor capable of executing commands received from remote operators.

If Charming Kitten detects a macOS user, it sends a new link to “library-store[.]camdvr[.]org,” a website hosting a ZIP file disguised as an RUSI (Royal United Services Institute) VPN app. When the Apple script file within the archive is executed, a curl command is issued, allowing the NokNok payload to install a backdoor in the victim's system. To set persistence, communicate with the command and control (C2) server, and exfiltrate data, NokNok generates a system identifier and employs four bash script modules. This malware gathers system information such as the operating system version, running processes, and installed applications, encrypts it, encodes it in base64 format, and then exfiltrates it.

Implications of the malicious campaign

The emergence of the NokNok malware, as well as Charming Kitten's adoption of new infection techniques, demonstrate the group's adaptability and persistence in targeting macOS systems. While the APT42 group was previously associated with macro-based infection methods involving Word documents,[3] their recent shift to LNK files demonstrates their willingness to evolve and avoid detection.

The presence of NokNok opens the door to previously unseen modules containing additional espionage-related functionality. Code similarities between NokNok and Check Point's previously analyzed GhostEcho backdoor suggest the possibility of capabilities such as taking screenshots, executing commands, and erasing traces of the infection. This highlights the sophistication and adaptability of Charming Kitten's malware campaigns.

This campaign's implications go beyond Charming Kitten and their specific targets. It highlights the growing threat to macOS users as threat actors develop and deploy sophisticated malware. As macOS systems gain popularity, users and organizations must remain vigilant, regularly update their security measures, and employ proactive defense strategies.

Finally, Charming Kitten's use of the NokNok malware and their strategic adaptation of infection techniques highlight the ongoing cybersecurity challenges faced by macOS users. It serves as a reminder that the threat landscape is constantly changing, necessitating constant vigilance and proactive measures to protect against sophisticated attacks.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions