The Sophisticated Mac Malware Used by APT35 in Targeted Cyberattacks
An Overview of the Cyberattack
APT35, a state-sponsored Iranian cyber espionage group also known as Charming Kitten, TA453, and Tortoiseshell, has developed custom Mac malware called “NokNok” to carry out targeted cyberattacks on individuals in civil society. Recent research by cybersecurity firm Proofpoint revealed that APT35 sent a convincing email to a public media contact of a US-based think tank focused on foreign affairs, posing as a senior fellow with the Royal United Services Institute. The email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review.
The attackers engaged in a series of benign email interactions with the intended target to build trust. Eventually, they provided a malicious link to a Google Script macro, which redirected the target to a Dropbox URL. At the Dropbox location, the target could access a password-protected .RAR file containing a malicious LNK file. This LNK file, in turn, downloaded the NokNok malware onto the victim’s Mac.
Evolution of APT35 Tactics
This attack appears to be part of a broader campaign by APT35, which has recently updated its cyberattack arsenal. Prior research by Volexity highlighted a spear-phishing campaign against an Israeli journalist that used a similar infection routine, delivering a password-protected .RAR file containing a malicious LNK file. In that instance, the payload was Windows malware called PowerStar. Proofpoint researchers have tracked the Windows threat as “GorjoEcho” and have identified NokNok as the Mac version of PowerStar/GorjoEcho.
The Changing Tactics of APT35
The use of .RAR and .LNK files is a departure from APT35’s typical infection chain involving VBA macros or remote template injection. Microsoft’s default disabling of macros in documents downloaded from the Internet has forced threat actors to adopt new techniques for malware delivery. According to Joshua Miller, a senior threat researcher at Proofpoint, the use of LNK files in attack chains requires more human interaction, potentially increasing the chances of detection. Miller explains that threat actors have resorted to more convoluted attack chains, such as sending emails with PDF attachments containing URLs that lead to password-protected zip files, which in turn include an LNK file to install malware.
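As an added example (not the article’s or Proofpoint’s code), the following Python triage heuristic scores a constructed mail record against the delivery stages described in the two paragraphs above: a Google Script link, a redirect to a Dropbox download, a password-protected archive, and an LNK file inside it. The hostnames, field names and sample URLs are assumptions for illustration, not indicators taken from the page.

```python
"""Triage heuristic for the archive-plus-LNK delivery chain described above.

Added example, not code from the article or from Proofpoint. It scores a
constructed mail record against the stages the article names. Hostnames
below are assumptions, not indicators published on the page.
"""
from urllib.parse import urlparse

# Assumed hostnames for the services named in the article.
GOOGLE_SCRIPT_HOSTS = {"script.google.com"}
DROPBOX_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
ARCHIVE_EXTS = (".rar", ".zip", ".7z")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def score_message(msg):
    """Return (score, reasons) for a record with keys:
    'urls'        - URLs seen in the body or reached by following redirects
    'attachments' - dicts with 'name', 'encrypted' (bool) and 'members'
                    (file names listed inside the archive, attached or fetched)."""
    reasons = []
    hosts = {host_of(u) for u in msg.get("urls", [])}
    if hosts & GOOGLE_SCRIPT_HOSTS:
        reasons.append("link to Google Script")
    if hosts & DROPBOX_HOSTS:
        reasons.append("redirect to Dropbox download")
    for att in msg.get("attachments", []):
        if att["name"].lower().endswith(ARCHIVE_EXTS):
            if att.get("encrypted"):
                reasons.append(f"password-protected archive {att['name']}")
            lnks = [m for m in att.get("members", []) if m.lower().endswith(".lnk")]
            if lnks:
                reasons.append(f"LNK inside archive: {', '.join(lnks)}")
    return len(reasons), reasons


# Constructed sample reproducing the chain from the article; URLs are placeholders.
SAMPLE = {
    "urls": ["https://script.google.com/macros/s/PLACEHOLDER/exec",
             "https://www.dropbox.com/s/PLACEHOLDER/draft.rar?dl=1"],
    "attachments": [{"name": "draft.rar", "encrypted": True,
                     "members": ["Iran in the Global Security Context.lnk"]}],
}

if __name__ == "__main__":
    print(score_message(SAMPLE))  # (4, [...four reasons...])
```

A mail gateway that records followed redirects and archive listings can feed this directly; a score of two or more stages is a reasonable threshold for analyst review rather than automatic blocking.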
The Attribution of APT35 and Their Targets
Proofpoint confidently attributes this campaign to APT35 based on code similarities with previous activities and similarities in overall campaign tactics, techniques, and procedures. The cybersecurity firm believes that APT35 operates in support of the Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Intelligence Organization (IRGC-IO). The group’s targets align with its objectives and usually include Middle Eastern military, diplomatic, and government personnel, media organizations, energy and defense industries, as well as engineering, business services, and telecommunications sectors.
The Motivation Behind the Targeting of Israeli Experts
According to Proofpoint, APT35 has focused a significant portion of its targeting efforts on experts who are likely informing foreign policies related to the ongoing Joint Comprehensive Plan of Action negotiations. As Tehran finds itself increasingly isolated within its sphere of influence, APT35 aims to gather intelligence from these experts to bolster Iran’s position. The group’s complex social engineering efforts suggest that it is well-resourced and well-equipped to carry out its operations effectively.
Expert Recommendations for Protecting Against APT35
Enhancing Email Security Measures
Given that APT35 primarily relies on spear-phishing to initiate attacks, organizations and individuals should strengthen their email security measures. This includes implementing robust spam filters, using email authentication protocols such as DMARC, DKIM, and SPF, and providing cybersecurity training to employees to increase awareness of phishing techniques.
Implementing Multi-Factor Authentication
To protect against unauthorized access, organizations and individuals should consider implementing multi-factor authentication (MFA) on all critical systems and accounts. MFA adds an extra layer of security by requiring users to provide additional verification beyond their password, such as a fingerprint or a unique code generated by an app.
Maintaining Up-to-Date Software and Patching
To mitigate vulnerabilities that threat actors may exploit, it is essential to regularly update software and promptly apply security patches. This includes operating systems, applications, and security software. Keeping systems up to date reduces the risk of attackers exploiting known vulnerabilities.
Implementing Endpoint Protection Solutions
Endpoint protection solutions, such as antivirus and anti-malware software, can help detect and prevent malicious activities on individual devices. It is crucial to select reputable and up-to-date security software and regularly update virus definitions to ensure maximum protection.
Exercising Caution with Email Attachments and Links
Users should exercise caution when opening email attachments or clicking on links, particularly from unknown or suspicious sources. It is advisable to verify the authenticity of the sender before interacting with any email attachments or embedded links. Additionally, users should avoid entering sensitive information on unfamiliar websites or pages.
Conclusion
The discovery of the custom Mac malware NokNok and its usage by APT35 highlights the evolving tactics of state-sponsored cyber espionage groups. APT35’s ability to adapt its attack techniques to bypass security measures demonstrates the need for continuous vigilance and robust cybersecurity practices. Organizations and individuals should remain proactive in implementing security measures to protect against these advanced threats. By enhancing email security, implementing multi-factor authentication, maintaining up-to-date software, deploying endpoint protection solutions, and exercising caution with email attachments and links, the risk of falling victim to APT35 and similar threat actors can be significantly reduced.