Threats Feed|TA453|Last Updated 25/07/2024|AuthorCertfa Radar|Publish Date06/07/2023

TA453 Campaign Deploys Novel PowerShell Backdoor and Mac-Specific Malware

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Backdoor,Dropper,Malicious Macro,Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

In mid-May 2023, threat actor TA453 targeted a US-based nuclear security expert affiliated with a foreign affairs think tank using deceptive emails. After initial contact, TA453 deployed a novel PowerShell backdoor, GorjolEcho, via cloud hosting providers. Upon realizing the target used a Mac, they sent another malicious email that delivered Mac-specific malware, NokNok. TA453 operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), specifically focusing on entities and individuals in the foreign affairs sector, particularly those dealing with Middle Eastern affairs and nuclear security.

Reference and Credit: Proofpoint - July 2023

Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware

Detected Targets

TypeDescriptionConfidence
CaseRoyal United Services Institute (RUSI)
The Royal United Services Institute is a defence and security think tank headquartered in London, United Kingdom. It was founded in 1831 by the Duke of Wellington, Sir Arthur Wellesley. Royal United Services Institute (RUSI) has been targeted by TA453 with abusive purposes.
Verified
SectorMedia
High
SectorPolitical
High
SectorResearchers
High
RegionUnited States
High

Extracted IOCs

  • filemanager.theworkpc[.]com
  • fuschia-rhinestone.cleverapps[.]io
  • library-store.camdvr[.]org
  • 1fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251da4
  • 464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d
  • 5dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026
  • acfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5c3487c
  • b6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eb
  • ddead6e794b72af26d23065c463838c385a8fdff9fb1b8940cd2c23c3569e43b
  • e98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f79
  • 144[.]217.129.176
download

Tip: 11 related IOCs (1 IP, 3 domain, 0 URL, 0 email, 7 file hash) to this threat have been found.

Overlaps

Charming KittenDecoding Charming Kitten's POWERSTAR Deployment in Recent Cyber Attack

Source: Volexity - June 2023

Detection (one case): fuschia-rhinestone.cleverapps[.]io

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
TA453
View TA453's Insights