
NokNok Mac Malware

The Iranian state-sponsored threat actor tracked as APT35 has been associated with a wave of targeted spear-phishing attacks against both Windows and macOS users. The goal of these attacks is to plant purpose-built backdoors on the targets' systems. Analysis of the APT35 activity showed that the operators used several cloud hosting providers to stage the different stages of the infection chain.

The attackers also deployed two previously unknown malware threats. On Windows systems, APT35 used a newly discovered PowerShell backdoor named GorjolEcho. If the victim was found to be using an Apple device, the operators switched to a modified infection chain that delivered a Mac malware threat tracked as NokNok.

No macOS vulnerability is exploited in this chain; the actor instead adapted its lures and tooling so that a target on a Mac still ends up running a backdoor, rather than being left out because the Windows payload cannot execute.

The APT35 Cybercrime Group Continues to Evolve Its Spear-Phishing Techniques

APT35, also known as Charming Kitten, TA453, Mint Sandstorm, and Yellow Garuda, is a prominent threat group with ties to Iran's Islamic Revolutionary Guard Corps (IRGC). The group has been active since at least 2011, conducting cyber operations against individuals and organizations. In its espionage campaigns, APT35 has used a tactic known as multi-persona impersonation, in which the operators assume several identities within the same conversation to deceive targets and gain access to sensitive information.

These techniques reflect the group's ongoing cyber-espionage operations. APT35 strategically selects high-profile targets and combines phishing with custom-built tools to compromise systems and obtain sensitive information. The group has also been observed updating its tooling with an enhanced version of a PowerShell implant known as POWERSTAR, also referred to as GhostEcho or CharmPower.

In a specific attack sequence that occurred in mid-May 2023, the threat actors from APT35 launched a phishing campaign. Their target was a nuclear security expert associated with a U.S.-based think tank focusing on foreign affairs. The attack entailed sending deceptive emails containing a malicious link disguised as a Google Script macro. Once clicked, the link redirected the target to a Dropbox URL hosting a RAR archive.

APT35 Employed Different Attack Chains to Compromise Apple Users with the NokNok Malware

If the chosen target was using an Apple device, APT35 reportedly adjusted its approach and sent a second email containing a ZIP archive with a Mach-O binary inside. The file posed as a VPN application, but it was in fact an AppleScript applet. When executed, the script connects to a remote server and downloads the NokNok backdoor.

Once installed, the NokNok backdoor retrieves up to four modules with different capabilities. The modules collect information such as running processes, installed applications, and system metadata, and they establish persistence on the compromised system through LaunchAgents.
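The two macOS artifacts described in the preceding paragraphs, a script-based applet posing as an application and a LaunchAgent used for persistence, are both things an analyst can check for on a host. The script below is an added example written for this page; it is not NokNok code, not code from any vendor report, and it uses no published NokNok indicators. Its heuristics (the interpreter list, the "temporary directory" prefixes, the home-Library pattern, the Apple-looking-label check) are assumptions for illustration, and the bundle layout and LaunchAgent plists it inspects are constructed inline so it runs offline.

```python
"""Triage helpers for two macOS artifacts: an AppleScript applet masquerading
as an app bundle, and LaunchAgent persistence. Added example; everything it
scans is constructed below, nothing here is a real sample."""
import os
import plistlib
import re
import tempfile

# Heuristics for this example (assumptions, not published indicators): launchd
# jobs whose "program" is an interpreter, or whose payload sits in a temporary,
# shared, or home-Library location, deserve a closer look.
SCRIPT_INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                       "/usr/bin/python3", "/usr/bin/perl", "/usr/bin/curl"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
HOME_LIBRARY = re.compile(r"^/Users/[^/]+/(Library|\.)")


def is_applescript_applet(bundle_path):
    """True when a .app is a Script Editor applet stub rather than a compiled app:
    such bundles set CFBundleExecutable to 'applet' (or 'droplet') and carry the
    compiled script at Contents/Resources/Scripts/main.scpt."""
    info = os.path.join(bundle_path, "Contents", "Info.plist")
    if not os.path.isfile(info):
        return False
    with open(info, "rb") as fh:
        executable = plistlib.load(fh).get("CFBundleExecutable", "")
    main_scpt = os.path.join(bundle_path, "Contents", "Resources", "Scripts", "main.scpt")
    return executable in ("applet", "droplet") or os.path.isfile(main_scpt)


def audit_launch_agent(plist_path):
    """Return the list of reasons (possibly empty) a LaunchAgent plist looks like
    malware persistence rather than a vendor-installed helper."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    reasons = []
    args = list(job.get("ProgramArguments") or [])
    program = job.get("Program") or (args[0] if args else "")
    label = job.get("Label", "")
    target = args[-1] if args else program          # last argument is usually the real payload
    if program in SCRIPT_INTERPRETERS:
        reasons.append(f"runs an interpreter instead of a binary: {' '.join(args)}")
    if program.startswith(TEMP_PREFIXES):
        reasons.append(f"program in a temporary/shared directory: {program}")
    if HOME_LIBRARY.match(program) or HOME_LIBRARY.match(target):
        reasons.append(f"payload under the user's Library or a dotfile: {target}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: starts at login and is respawned if killed")
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        reasons.append(f"Apple-looking label in a non-system plist: {label}")
    return reasons


def scan_launch_agents(directory):
    """Audit every .plist in a LaunchAgents directory; returns {path: reasons}."""
    findings = {}
    if os.path.isdir(directory):
        for name in sorted(os.listdir(directory)):
            if name.endswith(".plist"):
                path = os.path.join(directory, name)
                findings[path] = audit_launch_agent(path)
    return findings


def build_fixture(root):
    """Create constructed artifacts under root: an applet dressed as a VPN app,
    a normally compiled app, and two LaunchAgents (names and paths invented)."""
    fake = os.path.join(root, "Sample VPN.app")
    os.makedirs(os.path.join(fake, "Contents", "Resources", "Scripts"))
    with open(os.path.join(fake, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "applet", "CFBundleName": "Sample VPN"}, fh)
    open(os.path.join(fake, "Contents", "Resources", "Scripts", "main.scpt"), "wb").close()
    real = os.path.join(root, "Genuine.app")
    os.makedirs(os.path.join(real, "Contents"))
    with open(os.path.join(real, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Genuine"}, fh)
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.updater", "RunAtLoad": True,
                       "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}, fh)
    with open(os.path.join(agents, "com.apple.accessibility.helper.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.apple.accessibility.helper", "RunAtLoad": True, "KeepAlive": True,
                       "ProgramArguments": ["/bin/bash", "-c",
                                            "/Users/analyst/Library/Application Support/.cache/helper"]}, fh)
    return fake, real, agents


def demo():
    """Run both checks over the constructed fixture and return a summary dict."""
    with tempfile.TemporaryDirectory() as root:
        fake, real, agents = build_fixture(root)
        return {"fake_is_applet": is_applescript_applet(fake),
                "real_is_applet": is_applescript_applet(real),
                "findings": {os.path.basename(p): r for p, r in scan_launch_agents(agents).items()}}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

On a live host, point `scan_launch_agents` at `~/Library/LaunchAgents` and `/Library/LaunchAgents`, and run `is_applescript_applet` against any freshly downloaded .app; a hit on the applet check can be followed up with `osadecompile` on the main.scpt to read what the script actually does. The heuristics are deliberately loose and will flag some legitimate agents, so treat the output as a review list, not a verdict.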

Notably, the functionality of these modules closely resembles the modules associated with POWERSTAR, a tool previously attributed to APT35, which indicates a significant overlap in the capabilities and purpose of the two malware strains. NokNok also shares code with macOS malware attributed to the same group in 2017.

The operators also set up a fraudulent file-sharing website. The site likely serves to fingerprint visitors, gather information about potential victims, and track which targets followed the lure.

These adaptive techniques show that APT35 (TA453) is prepared to pursue Apple users rather than give up on a target who does not run Windows. They underscore the value of basic defensive hygiene: keeping software up to date, running a reputable security product, and treating unsolicited archives and "VPN" installers that arrive by email with suspicion. Staying informed about evolving lures and applying layered security measures makes it harder for actors like APT35 to succeed.
