Proofpoint is a cybersecurity company that provides solutions to protect organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web.
“Welcome to New York: Exploring TA453’s Foray into LNKs and Mac Malware” published by Proofpoint discusses the evolving tactics of TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda. The group has been adapting its malware arsenal, deploying novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets.
In May 2023, TA453 began deploying LNK infection chains instead of Microsoft Word documents with macros. The group continues to work toward its same end goals of intrusive and unauthorized reconnaissance. Proofpoint worked with key partners across the defensive community to disrupt TA453 efforts.
The article provides a detailed analysis of TA453’s tactics, techniques, and procedures (TTPs), including the use of benign conversation lures, multi-persona impersonation, and the deployment of novel infection chains that deploy the newly identified PowerShell backdoor GorjolEcho. When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok by Proofpoint.
Indicators of Compromise (IOCs)
The article provides several IOCs related to TA453’s activities:
SHA256 Hashes:
- Dropper (Abraham Accords & MENA.pdf.lnk):
464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d
- Archive (Abraham Accords & MENA.rar):
ddead6e794b72af26d23065c463838c385a8fdff9fb1b8940cd2c23c3569e43b
- NokNok Backdoor:
1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251da4
- Applications NokNok Module:
e98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f79
- Persistence NokNok Module:
5dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026
- Processes NokNok Module:
b6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eb
- Informations NokNok Module:
acfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5c3487c
Hosts:
- NokNok C2:
library-store[.]camdvr[.]org
- Spoofed FTP Server website:
filemanager.theworkpc[.]com
- GorjolEcho C2:
fuschia-rhinestone.cleverapps[.]io
IP Address:
- NokNok C2:
144.217.129[.]176
MITRE ATT&CK TTPs
- T1566.001 – Phishing: Spearphishing Attachment
- T1566.002 – Phishing: Spearphishing Link
- T1105 – Ingress Tool Transfer
- T1059.001 – Command and Scripting Interpreter: PowerShell
- T1059.004 – Command and Scripting Interpreter: Unix Shell
- T1021.001 – Remote Services: Remote Desktop Protocol
- T1071.001 – Application Layer Protocol: Web Protocols
Analysis:
TA453 continues to adapt its tactics, techniques, and procedures, demonstrating a willingness to evolve and innovate in response to defensive measures. The group’s use of novel file types and targeting of new operating systems, as well as its deployment of new backdoors, underscores the persistent and evolving threat posed by sophisticated cyber espionage actors. Organizations are advised to remain vigilant and employ robust security measures to protect against these threats.
For further reading, please refer to the original article on the Proofpoint website.