Friday, December 8, 2023

Iranian group TA453 expands its zone of influence in cyberspace


Windows and macOS security systems are at risk of a new attack by hackers.

The Iranian hacker group known as TA453, which is associated with the Islamic Revolutionary Guard Corps (IRGC), has staged a new series of attacks, infecting the Windows and macOS operating systems.

“TA453 used various cloud hosting providers for a new chain of infections that uses the newly discovered GorjolEcho PowerShell backdoor,” reads yesterday’s report from Proofpoint.

The researchers note that TA453 actively shifts the blame, posing as other cybercriminal groups and thereby confusing security professionals.

TA453, also known as APT35, Charming Kitten, Mint Sandstorm and Yellow Garuda, has been active since 2011. At the end of July, researchers revealed that the group was using an updated version of the PowerShell implant called CharmPower (GhostEcho / POWERSTAR).

In a series of attacks discovered in May 2023, attackers sent phishing emails to a nuclear security specialist at a US foreign policy think tank. The emails contained a malicious link to Google Script, which redirected the target to Dropbox, where the malicious RAR archive was hosted.

This archive contained a virus that triggered a multi-step installation procedure for the malicious GorjolEcho software. At the same time, a fake PDF document was displayed in the foreground, while a virus deployed in the background was already waiting for additional commands from a remote server.



GorjolEcho infection scheme

When the TA453 hackers realized that their target was using an Apple computer, they changed their strategy and sent the victim a second email with a ZIP archive containing the NokNok malware disguised as a VPN application. NokNok, in turn, can download up to four modules from the C2 server; these modules can collect data about running processes, installed applications and system metadata, and establish persistence on the system using LaunchAgents.
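Because the report names LaunchAgents as the persistence mechanism, a defender's first check on a suspect Mac is to review the LaunchAgent property lists. The following Python sketch is an added example, not code from the article or from Proofpoint; its triage heuristics, function names and sample plists are assumptions constructed for illustration and are not published NokNok indicators.

```python
import plistlib
from pathlib import Path

# Triage heuristics are assumptions chosen for this example; they are not
# indicators published for NokNok.
WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}

def triage_launch_agent(data):
    """Return the reasons a LaunchAgent plist deserves a closer look."""
    try:
        job = plistlib.loads(data)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["unparseable plist"]
    args = [str(a) for a in job.get("ProgramArguments", [])]
    exe = str(job.get("Program") or (args[0] if args else ""))
    if not exe:
        return ["no Program or ProgramArguments"]
    reasons = []
    if any(a.startswith(WRITABLE) or "/." in a for a in [exe] + args):
        reasons.append("runs from a world-writable or hidden path")
    if Path(exe).name in INTERPRETERS and len(args) > 1:
        reasons.append("interpreter started with inline arguments")
    if job.get("RunAtLoad") and (job.get("KeepAlive") or "StartInterval" in job):
        reasons.append("starts at load and is kept alive or re-run")
    return reasons

def scan(directories):
    """Map each flagged plist path to its list of reasons."""
    findings = {}
    for d in directories:
        for p in sorted(Path(d).expanduser().glob("*.plist")):
            reasons = triage_launch_agent(p.read_bytes())
            if reasons:
                findings[str(p)] = reasons
    return findings

# Constructed samples (not taken from the report).
BENIGN = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]})
SUSPICIOUS = plistlib.dumps({"Label": "com.example.vpnhelper",
    "ProgramArguments": ["/bin/bash", "-c", "/Users/Shared/.vpn/run.sh"],
    "RunAtLoad": True, "KeepAlive": True})

if __name__ == "__main__":
    print(triage_launch_agent(BENIGN), triage_launch_agent(SUSPICIOUS))
    print(scan(["~/Library/LaunchAgents", "/Library/LaunchAgents"]))
```

A flagged entry is a lead for manual review, not a verdict: legitimate software also uses `RunAtLoad` and `KeepAlive`.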

The researchers also noted that TA453 has a fake file-sharing site in its arsenal, which is likely used to collect unique identifiers from visitors and acts as a mechanism for tracking successful victims.

“TA453 continues to adapt its malware arsenal by introducing new file types and targeting new operating systems,” Proofpoint said, adding that the attacker “continues to work toward the same end goals of intrusive and unauthorized intelligence” while making detection harder.



Source link

www.securitylab.ru
