Threats Feed | TA453 | Last Updated: 05/08/2023 | Author: Certfa Radar | Publish Date: 06/07/2023

TA453 Campaign Deploys Novel PowerShell Backdoor and Mac-Specific Malware

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Backdoor, Dropper, Malicious Macro, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

In mid-May 2023, TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After establishing contact, TA453 delivered a novel PowerShell backdoor, GorjolEcho, staged on cloud hosting providers. Upon realizing the target used a Mac, the actor sent a further malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.

Detected Targets

Case: Royal United Services Institute (RUSI)
The Royal United Services Institute is a defence and security think tank headquartered in London, United Kingdom. It was founded in 1831 by the Duke of Wellington, Sir Arthur Wellesley. The Royal United Services Institute (RUSI) has been targeted by TA453 in this campaign.
Region: United States

Extracted IOCs

  • filemanager.theworkpc[.]com
  • fuschia-rhinestone.cleverapps[.]io
  • library-store.camdvr[.]org
  • 1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251da4
  • 464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d
  • 5dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026
  • acfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5c3487c
  • b6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eb
  • ddead6e794b72af26d23065c463838c385a8fdff9fb1b8940cd2c23c3569e43b
  • e98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f79
  • 144[.]217[.]129[.]176

Tip: 11 related IOCs (1 IP, 3 domains, 0 URLs, 0 emails, 7 file hashes) have been found for this threat.
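The indicators above are published defanged ("[.]"), so they cannot be pasted straight into a log search. The following is an added example, not code from Certfa Radar or from the TA453 reporting it summarises: it refangs the page's IOCs, sorts them into IP, SHA-256 and domain buckets, and sweeps a handful of constructed DNS, proxy, firewall and EDR log lines for hits. Domain matching is suffix-based so that a new subdomain of a listed host is still caught; the log lines, hostnames and internal IPs are invented for the demonstration.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators copied verbatim from this page, in their defanged form.
PAGE_IOCS = [
    "filemanager.theworkpc[.]com",
    "fuschia-rhinestone.cleverapps[.]io",
    "library-store.camdvr[.]org",
    "1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251da4",
    "464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d",
    "5dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026",
    "acfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5c3487c",
    "b6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eb",
    "ddead6e794b72af26d23065c463838c385a8fdff9fb1b8940cd2c23c3569e43b",
    "e98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f79",
    "144[.]217.129.176",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Candidate tokens in a log line: hostnames, dotted IPv4 addresses, hex hashes.
TOKEN_RE = re.compile(r"[0-9a-zA-Z][0-9a-zA-Z.\-]*")


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') so the indicator matches raw log text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def classify(ioc: str) -> str:
    """Bucket a refanged indicator as 'sha256', 'ip' or 'domain'."""
    if SHA256_RE.match(ioc):
        return "sha256"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def build_index(iocs: List[str]) -> Dict[str, Set[str]]:
    """Refang and bucket every indicator for O(1) lookups."""
    index: Dict[str, Set[str]] = {"sha256": set(), "ip": set(), "domain": set()}
    for raw in iocs:
        clean = refang(raw)
        index[classify(clean)].add(clean)
    return index


def domain_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed indicator if host equals it or is a subdomain of it.

    Only the listed host and anything beneath it match; a parent such as the
    dynamic-DNS zone camdvr.org is deliberately not matched, as it would be noisy.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_line(line: str, index: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs for every token in the line that hits the index."""
    hits: List[Tuple[str, str]] = []
    for token in TOKEN_RE.findall(line):
        t = token.lower().rstrip(".")
        if t in index["sha256"]:
            hits.append(("sha256", t))
        elif t in index["ip"]:
            hits.append(("ip", t))
        else:
            matched = domain_matches(t, index["domain"])
            if matched:
                hits.append(("domain", matched))
    return hits


def scan(lines: List[str], iocs: List[str] = PAGE_IOCS) -> List[Tuple[int, str, str]]:
    """Sweep log lines and return (line_number, kind, indicator) for each hit."""
    index = build_index(iocs)
    return [(n, kind, ioc)
            for n, line in enumerate(lines, 1)
            for kind, ioc in scan_line(line, index)]


# Constructed sample log lines (hypothetical hosts and internal addresses).
SAMPLE_LOGS = [
    "2023-06-12T09:14:03Z dns client=10.0.4.21 qname=filemanager.theworkpc.com. qtype=A",
    "2023-06-12T09:14:05Z proxy client=10.0.4.21 url=https://fuschia-rhinestone.cleverapps.io/upload method=POST",
    "2023-06-12T09:15:40Z edr host=ws-0421 file=C:\\Users\\a\\AppData\\Roaming\\update.ps1 sha256=1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251da4",
    "2023-06-12T09:16:02Z fw src=10.0.4.21 dst=144.217.129.176 dport=443 action=allow",
    "2023-06-12T09:16:10Z dns client=10.0.4.22 qname=www.example.com. qtype=A",
]

if __name__ == "__main__":
    for line_no, kind, ioc in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} indicator {ioc}")
```

Hits on a hash or the IP are strong signals; a domain hit on the cleverapps[.]io or camdvr[.]org hosts should be triaged with the knowledge that these are shared hosting and dynamic-DNS zones, which is why the matcher refuses to match the parent domains themselves.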


Related threat (Charming Kitten): Decoding Charming Kitten's POWERSTAR Deployment in Recent Cyber Attack

Source: Volexity - June 2023

Overlapping IOC (one case): fuschia-rhinestone.cleverapps[.]io

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.