Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Iran-linked APT35 group crafted specific Mac malware when targeting a member of the media with new tools to add backdoors.

A Mac Powerbook laptop screen cover with wires behind
Source: Technoroida via Alamy Stock Photo

The Iran-linked advanced persistent threat (APT) known as APT35 (aka Charming Kitten, TA453, and Tortoiseshell) has developed specially crafted Mac malware in order to carry out targeted cyberattacks on civil society members.

According to recent research by Proofpoint, the Mac malware, dubbed "NokNok," was discovered after the state-sponsored cyber espionage group sent a conversation lure to a public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs, claiming to be a senior fellow with the Royal United Services Institute.

The email solicited feedback on a project purportedly called "Iran in the Global Security Context," and requested permission to send a draft for review. The attackers instigated a series of payload-less email interactions with the intended target to build up trust and a rapport, after which they "delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL." There, the target could access a password-protected .RAR file containing a malicious LNK file, which, in turn, downloaded NokNok.

An Evolution in APT35 Tactics

The attack is likely part of a broader campaign by the group that, overall, features an updated cyberattack arsenal.

Last week, research on APT35 published by Volexity detailed a spear-phishing campaign against an Israeli journalist with a "draft report" lure, which also used the infection routine of delivering a password-protected .RAR file containing a malicious LNK file that downloads a backdoor. The attack also, like the think-tank incident, featured an opening series of benign emails sent by the attackers to earn trust with the target.

In that campaign, the payload was a Windows code that Volexity researchers call PowerStar. Joshua Miller, senior threat researcher at Proofpoint, says that his firm has also tracked the Windows threat, calling it "GorjoEcho." 

"GorjolEcho is Proofpoint's name for Volexity's PowerStar," he says. "And NokNok is almost certainly the Mac version of PowerStar/GorjolEcho."

Proofpoint observed APT35 attempting to deliver GorjolEcho, but when faced with a non-Windows environment, it pivoted to the Apple-specific infection chain using NokNok, he adds.

Avoiding Microsoft's Macros Protections

The use of .RAR and .LNK files differs from APT35's typical infection chain of using VBA macros or remote template injection, Miller notes. He says Microsoft's default disabling of macros downloaded from the Internet has led to threat actors adopting new tactics, techniques, and procedures for malware delivery.

"This includes adopting LNK files as part of overall attack chains. No longer does the 'click to enable macros' trick work effectively for threat actors delivering malware," he says.

He claims that using LNK files are not necessarily more dangerous than Word macros, as attack chains that include LNKs may require more human interaction, thereby potentially introducing more opportunities for detection. "For example, an email may contain a PDF attachment that includes a URL leading to a password-protected zip that contains an LNK to install malware," he says, "Microsoft effectively making macro-enabled documents much less useful for malware delivery has forced threat actors to adapt and try new things, including much more convoluted attack chains."

Miller adds, "In the case of APT35, LNKs are an example of their continuous development to increase the effectiveness of their malware delivery. Other attempts have historically included macros and remote template injection."

Identifying APT35 as Responsible

Proofpoint said with "high confidence" that the campaign is attributed to APT35, based on direct code similarities with previous activity, and similarities in overall campaign tactics, techniques, and procedures.

"Proofpoint continues to assess that TA453 operates in support of the Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Intelligence Organization (IRGC-IO). This assessment is based on a variety of evidence, including overlaps in unit numbering between Charming Kitten reports and IRGC units," researchers noted. 

Why these specific Israeli targets in the latest campaign? Proofpoint's blog pointed out that as Joint Comprehensive Plan of Action negotiations continue and Tehran finds itself increasingly isolated within its sphere of influence, APT35 "is focusing a large majority of its targeting efforts against the experts likely informing these foreign policies."

According to a recent blog post by Mandiant, APT35 typically targets Middle Eastern military, diplomatic, and government personnel; organizations in the media, energy, and defense Industrial base; and engineering, business services, and telecommunications sectors. In particular, "the breadth and scope of APT35's operations, particularly as it relates to its complex social engineering efforts, likely indicates that the group is well resourced in other areas" and it "typically relies on spear-phishing to initially compromise an organization."

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights