TA453 Campaign Deploys Novel PowerShell Backdoor and Mac-Specific Malware
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Backdoor, Dropper, Malicious Macro, Spear Phishing
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Royal United Services Institute (RUSI). The Royal United Services Institute is a defence and security think tank headquartered in London, United Kingdom. It was founded in 1831 by the Duke of Wellington, Sir Arthur Wellesley. RUSI has been targeted by TA453. | Verified |
| Sector | Media | High |
| Sector | Political | High |
| Sector | Researchers | High |
| Region | United States | High |
Extracted IOCs
Tip: 11 IOCs related to this threat have been found (1 IP address, 3 domains, 0 URLs, 0 email addresses, 7 file hashes).
Overlaps
Source: Volexity - June 2023
Detection (one case): fuschia-rhinestone.cleverapps[.]io
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.