Tag Archive for: Iranian

Researchers Identify Iranian Cyberattack on 32 Israeli Firms – Israel News



Source…

Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users


Jul 06, 2023 | Ravie Lakshmanan | Endpoint Security / Malware

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.

“TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho,” Proofpoint said in a new report.

“When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest.”

TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary’s use of an updated version of a PowerShell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs. The emails delivered a malicious link to a Google Script macro that redirected the target to a Dropbox URL hosting a RAR archive.

Present within the file is an LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document, while covertly awaiting next-stage payloads from a remote server.

But upon realizing that the target is using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application, but in reality, is an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.

NokNok, for its part, fetches as many as four modules that are capable of…

Source…

Iranian hacking group impersonating nuclear experts to gain intel from Western think tanks


A cyber espionage group linked to the Iranian government has been impersonating think-tank employees to phish Middle Eastern nuclear weapons experts, according to researchers at Proofpoint.

The group — called “TA453,” “Charming Kitten” or “APT35,” depending on the threat intelligence service you’re relying on — has a long track record of targeting U.S. and European government officials, politicians, think tanks and entities involved in critical infrastructure.

The latest campaign detailed by Proofpoint dates from March to May of this year and begins with benign emails that seek to establish a rapport with foreign policy researchers in the West.

Those initial emails were later followed by phishing emails that link to a password-protected Dropbox URL, ostensibly to access the research. Instead, the download delivers a .RAR archive containing an LNK file, which runs a PowerShell script that installs a backdoor on the victim’s system before calling out to a cloud hosting provider for additional malware payloads.

Full infection chain for GorjolEcho, one of the malware payloads deployed by Charming Kitten (Source: Proofpoint)

Joshua Miller, senior threat researcher at Proofpoint, told SC Media the campaign appears to be extremely targeted: thus far they are aware of fewer than 10 individuals who received phishing emails from the group. Miller said their visibility over the campaign is restricted to data and follow-ups culled from Proofpoint customers, and that none were successfully infected.

It’s not the first time Charming Kitten, which U.S. officials have linked to Iran’s Islamic Revolutionary Guard Corps’ intelligence organization, has targeted think tanks and other research institutions, seemingly in an effort to gather intelligence about Western foreign policy decision-making. While the group has targeted government officials in the past, they may find it easier to obtain some of the same information they’re looking for by targeting and compromising parties at the edge of those discussions.

“When we see them go after think tanks [and] academics, basically they’re informing the policy positions of the West and governments for nuclear sanctions or diplomatic policies. The idea is that that…

Source…

Iranian protesters urge Albania to close down camp hosting MKO terrorists


Dozens of Iranian protesters and relatives of members of the terrorist Mujahedin Khalq Organization (MKO) have called upon Albanian authorities to shut down a camp that hosts anti-Iran elements and to make preparations for the repatriation of their family members.

Demonstrators and members of the independent civil society organization Nejat Society converged outside the Turkish embassy in downtown Tehran, which represents Albania’s interests in the Islamic Republic, and expressed appreciation for the latest raids by Albanian police forces on the Ashraf-3 camp in the northwest of the capital Tirana.

Iranian protesters and relatives of members of the terrorist Mujahedin Khalq Organization (MKO) take part in a protest outside the Turkish embassy in Tehran, which represents Albania’s interests in the Islamic Republic, on June 30, 2023, to demand the repatriation of their loved ones and trial of the notorious ringleaders of the cult. (Photo by Tasnim news agency)

They underlined that the camp serves as a place where malicious plots and cyber attacks are orchestrated, and where various forms of money laundering and human rights abuse are carried out.

The protesters released a communiqué during the gathering, asking Albanian authorities to shut down the camp and put the notorious ringleaders of the MKO terrorist cult on trial.

The relatives of MKO members also urged the Albanian government not to allow leaders of the cult to use their loved ones as human shields against security forces.

They also asked Albanian officials not to fall into the psychological warfare trap of the MKO and let the terrorists abuse them, as the cult is enormously hated by the entire Iranian nation and even opponents of the Islamic establishment.

“After seven years of supporting the MKO, the Albanian government came to…

Source…