iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Researchers have uncovered a complex impersonation campaign with the aim of installing a backdoor on the machine of a nuclear security expert.
However, when the initial infection failed because the machine in question was a Mac, the threat actors quickly rewrote its malware for a Mac device.
Proofpoint’s threat research team made the findings and is confident that the group involved is the Iranian-backed Charming Kitten group, variously known as TA453, Mint Sandstorm, and APT42.
The very first step in the new infection chain is a clever email that seems to be from the Royal United Services Research Institute and is sent to the “public media contact” of the expert in question. The email asks if the researcher would like to collaborate on a project called “Iran in the Global Security Context” and mentions other well-known experts in the field that are also apparently working on it.
The email even offers an honorarium for contributing.
The email itself comes from a spoofed address but otherwise looks entirely legitimate.
After the initial interaction, the threat actor shared a Dropbox link, which downloaded a file purporting to be a PDF discussing the Abraham Accords peace agreement. While that file is, in fact, present, it merely masks a complex, multi-cloud infection chain — one that even includes cloud-hosted Java applications.
Proofpoint’s researchers were clearly able to run most of the initial infection chain themselves, but Charming Kitten wasn’t so lucky, as the target machine was a Mac. Undaunted, however, the hackers repurposed their code to run in a Mac environment.
The contact, this time, came from a second persona, one that was mentioned in the initial email as being part of the project. Once again, however, despite the Mac infection chain following a different process, the end aim was the same — install a persistent, modular backdoor on the target machine.
“Despite the identified infection chains differing from past TA453 intrusions where malware was deployed via VBA macro (GhostEcho, also known as CharmPower) or remote template injection (Korg),” the researchers said in a blog post. “Proofpoint attributes this campaign and this malware to TA453 with high confidence.”
The threat actor itself is still believed to be working with the Islamic Revolutionary Guard Corps’ intelligence apparatus and is known to target experts in both nuclear research and the Middle East in general.
“As Joint Comprehensive Plan of Action (JCPOA) negotiations continue and Tehran finds itself increasingly isolated within its sphere of influence,” Proofpoint noted, “TA453 is focusing a large majority of its targeting efforts against the experts likely informing these foreign policies.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
