
Iranian threat actor targeting nuclear security experts with novel Mac malware

Researchers have uncovered a complex impersonation campaign with the aim of installing a backdoor on the machine of a nuclear security expert.

user icon David Hollingworth
Fri, 07 Jul 2023

However, when the initial infection failed because the machine in question was a Mac, the threat actors quickly rewrote the malware for a Mac device.

Proofpoint’s threat research team made the findings and is confident that the group involved is the Iranian-backed Charming Kitten group, variously known as TA453, Mint Sandstorm, and APT42.

The very first step in the new infection chain is a clever email that seems to be from the Royal United Services Research Institute and is sent to the “public media contact” of the expert in question. The email asks if the researcher would like to collaborate on a project called “Iran in the Global Security Context” and mentions other well-known experts in the field that are also apparently working on it.


The email even offers an honorarium for contributing.

The email itself comes from a spoofed address but otherwise looks entirely legitimate.

After the initial interaction, the threat actor shared a Dropbox link, which downloaded a file purporting to be a PDF discussing the Abraham Accords peace agreement. While that file is, in fact, present, it merely masks a complex, multi-cloud infection chain — one that even includes cloud-hosted Java applications.

Proofpoint’s researchers were clearly able to run most of the initial infection chain themselves, but Charming Kitten wasn’t so lucky, as the target machine was a Mac. Undaunted, however, the hackers repurposed their code to run in a Mac environment.

The contact, this time, came from a second persona, one that was mentioned in the initial email as being part of the project. Once again, however, despite the Mac infection chain following a different process, the end aim was the same — install a persistent, modular backdoor on the target machine.

“Despite the identified infection chains differing from past TA453 intrusions where malware was deployed via VBA macro (GhostEcho, also known as CharmPower) or remote template injection (Korg),” the researchers said in a blog post, “Proofpoint attributes this campaign and this malware to TA453 with high confidence.”

The threat actor itself is still believed to be working with the Islamic Revolutionary Guard Corps’ intelligence apparatus and is known to target experts in both nuclear research and the Middle East in general.

“As Joint Comprehensive Plan of Action (JCPOA) negotiations continue and Tehran finds itself increasingly isolated within its sphere of influence,” Proofpoint noted, “TA453 is focusing a large majority of its targeting efforts against the experts likely informing these foreign policies.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
