
APT35 Releases Customized Malware Targeting Mac Systems

An Iran-linked advanced persistent threat (APT) group known as APT35, also referred to as Charming Kitten, TA453, and Tortoiseshell, has recently developed new Mac malware named “NokNok” to target individuals in civil society. Cybersecurity researchers at Proofpoint discovered the malware while investigating a targeted cyberattack carried out by the state-sponsored cyber espionage group.

The attack began with the group sending a conversation lure to a public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The lure email, supposedly from a senior fellow with the Royal United Services Institute, solicited feedback on a project called “Iran in the Global Security Context.” It also requested permission to send a draft for review. Following a series of payload-less email interactions with the target to build trust, the attackers eventually sent a malicious link to a Google Script macro which redirected the target to a Dropbox URL. This URL contained a password-protected .RAR file that, once accessed, downloaded the NokNok malware onto the target’s Mac device.

This incident is believed to be part of a larger campaign in which APT35 has been expanding its cyberattack arsenal. Separate recent research by Volexity detailed a spear-phishing campaign carried out by APT35 against an Israeli journalist using a “draft report” lure. This campaign used a similar infection routine, delivering a password-protected .RAR file that contained a malicious LNK file, which in turn downloaded a backdoor onto the target’s system. As in the attack on the think tank, the Israeli campaign also opened with benign emails to build trust with the target.

It is worth noting that Volexity refers to the Windows code used in the campaign it analyzed as PowerStar, while Proofpoint identifies it as GorjoEcho. Furthermore, Proofpoint observed APT35 attempting to deliver GorjoEcho and then pivoting to the Mac-specific infection chain using NokNok when it encountered a non-Windows environment.

The use of .RAR and .LNK files in these attacks marks a departure from APT35’s usual tactics of employing VBA macros or remote template injection. Microsoft’s decision to block macros in files downloaded from the internet by default has forced threat actors to adopt new techniques for malware delivery. The use of LNK files is one such adaptation, as threat actors seek alternative methods to trick users into running malicious code.

Although LNK files may not be inherently more dangerous than Word macros, their inclusion in attack chains may increase the chances of human interaction and detection. For example, attackers may send an email containing a PDF attachment with a URL leading to a password-protected zip file that contains an LNK file for malware installation. Microsoft’s measures against macros have pushed threat actors like APT35 to experiment with more complex attack chains.
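As an added, defender-side illustration (not from the original article, nor from Proofpoint or Volexity), the Python below parses the StringData of a Windows shortcut (.lnk) according to the MS-SHLLINK layout and flags shortcuts whose target is a script interpreter or whose arguments carry a URL, the kind of triage an analyst or mail gateway would run on an LNK extracted from a lure archive. The sample shortcut is constructed inline, and the interpreter watch-list is an assumption.

```python
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRINGS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
           (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))
# Assumed watch-list: interpreters a shortcut lure typically points at instead of a document
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe"}

def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields of a Shell Link without resolving or running it."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C                                      # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                         # skip LinkTargetIDList (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                       # skip LinkInfo (4-byte size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for flag, name in STRINGS:                      # StringData entries appear in this fixed order
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2: off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return fields

def triage(fields: dict) -> list:
    """Return human-readable reasons a parsed shortcut deserves analyst attention."""
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "")
    hits = []
    if target in INTERPRETERS:
        hits.append("target is a script interpreter: " + target)
    if "http" in args.lower():
        hits.append("arguments contain a URL")
    return hits

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample only: a minimal Unicode .lnk carrying just RELATIVE_PATH and ARGUMENTS."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (relative_path, arguments))
```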

Based on direct code similarities with previous activity and similarities in tactics, techniques, and procedures, Proofpoint confidently attributes this campaign to APT35. This group is believed to operate in support of the Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Intelligence Organization (IRGC-IO). The motive behind targeting specific Israeli individuals in this latest campaign is likely connected to the ongoing Joint Comprehensive Plan of Action negotiations and Iran’s desire to counter its increasing isolation in the international community.

APT35, also known as Charming Kitten, typically targets individuals and organizations in the Middle Eastern military, diplomatic, and government sectors, as well as in the media, energy, defense industrial base, and various other sectors. The group is well-resourced and relies on spear-phishing as its primary method of initial compromise.

As APT35 continues to evolve its tactics and techniques, cybersecurity experts are closely monitoring their activities to ensure the protection of individuals and organizations potentially targeted by this threat group.
