Research Saturday 7.22.23
Ep 291 | 7.22.23

Welcome to New York, it's been waitin' for you.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner and this is our weekly conversation with researchers and analysts. Tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly-evolving cyberspace. Thanks for joining us.

Joshua Miller: Yeah, so as part of my daily job, I track advanced adversaries that we assess to come from places like Iran or the Middle East. And we have in place different detections that we use to sort of find these, and we look in our e-mail to try to find these. With some of these benign conversations, it's very much like hunting for a needle in a haystack.

Dave Bittner: That's Joshua Miller. He's a senior threat researcher with Proofpoint's threat research team. The research we're discussing today is titled, "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware."

Joshua Miller: And so one of our detection rules that I had written triggered and came up that it was TA453, so we investigated it, talked to our customer, and then went through the whole malware chain.

Dave Bittner: Well, let's go through it together here. I mean, what was the thing that set off the trigger?

Joshua Miller: Yeah, so TA453 is known for pretending to be individuals, spoofing well-known scholars in the nuclear space, the security space. And they sort of engage in these conversations with academics at think tanks, at universities, public policy experts. And so the English is actually pretty good when you look at these actual e-mails that we have, but they're always sort of asking for collaboration, or they want to send an article, or a link. And so after you look at these for a while, you sort of understand, hey, this is what they're doing. They're pretending to be this person and then sending over an offer for collaboration.

Dave Bittner: It's interesting to me. It strikes me that there's a certain amount of patience at play here in that the initial contact doesn't include the link, doesn't include the attachment. They ask for permission to take that next step.

Joshua Miller: Absolutely, and that's something we find very interesting is that sometimes we'll see them talk to- there's one case where we saw them talk to their target for weeks at a time before sending the actual malicious link or attachment. And then other times, there's some cases where they send it in the initial e-mail. So I think it really just depends on who the operator is, what the goal is, and also how much work they've put into setting up the infrastructure or dedicated to the target.

Dave Bittner: Well, let's continue down this path together. So the target gets this e-mail. What happens next?

Joshua Miller: Yeah, so the target gets the e-mail, and then after replying to the actor, they send the malicious link. So the malicious link was an e-mail with a Google macro, so [assumed spelling] allows you to sort of post your own code, and it's a way that threat actors try to evade detection. Because it says that, hey, it's going to Google, which is obviously- it's similar to hosting things at, like, Outlook or Dropbox, where it sort of evades detection. Because you have that known good of Google Cloud. So after the Google macro, it then redirected to Dropbox, and at Dropbox, it had a RAR file titled "Abraham records an MENA," which is Middle East and North Africa. And that RAR file title matched the content of the initial e-mail that we had talked about, where they said, "Hey, can you help me with this project that we're working on."

Dave Bittner: And so the victim gets that and I suppose, at this point, things look legit. But what exactly is going on here with that RAR file?

Joshua Miller: Yeah, so that's something we've seen- this is the first time that we've seen TA453, which we also call Charming Kitten, another name that they're known by. And the RAR file, when it opens up, it has an LNK file, which is a Windows shortcut file. And that uses some authenticated PowerShell that reaches out to a cloud provider and downloads more PowerShell. This time, it's Base64 encoded, and that reaches out to that same cloud provider. And then that PowerShell calls more, then reaches out to a place called Clever Apps, which is a company that allows you to run JavaScript applications in the cloud. So again, you're seeing this really complicated attack chain across different cloud providers, different cloud services. And part of that is to maintain misattribution. We- if they're not using unique malware, if they're using all these different cloud services, it's harder to identify them and attribute the campaign. So after Clever Apps, it downloads another function, and then it uses pieces of all of those different things in its download to start the backdoor, which we call GorjolEcho. Which then displays the PDF and does some reconnaissance.

Dave Bittner: Yeah, you highlight in the research here the degree to which they're bouncing around to all these different cloud providers. What's the time scale that we're talking about here for these hops from one to another? I mean, are they going as fast as they can? Are they deliberately delaying some things? Is there anything of interest there?

Joshua Miller: Yeah, that's a good question. They are, at least for this piece of malware, going almost instantaneously. So it's, hey, we download this and then move on to the next function. There weren't any deliberate delays or sort of ways to evade detection in that way.

Dave Bittner: I see. Yeah, so we get this PDF file. Where do we go from there?

Joshua Miller: Yeah, so to the end user, it looks like, "Hey, I downloaded a RAR file from Dropbox," or, "I just downloaded a file from Dropbox." And it's a PDF displayed. So they don't see anything unusual. But in the background, it's downloading and executing what we call the modular backdoor, or GorjolEcho. So basically what that means is once the persistence and the backdoor are installed on a computer, the actor can choose which of the modules that they have, which are PowerShell scripts, get downloaded to the user's computer. So there's ones for things like taking screenshots, exfiltrating information, getting system information. And then also, they'll actually- another security vendor found some for, like, removing, so almost cleaning up the intrusion, as well. So it's sort of a full-featured backdoor with different modules that they can deploy.

Dave Bittner: One of the things you highlight in the research is that evidently they discovered that one of their targets was running a macOS system, which required a little bit of extra effort on their part.

Joshua Miller: Yeah, and so like I mentioned before, the LNK file that's in the RAR is a Windows shortcut file, so obviously that's not gonna run on a Mac computer. So about a week later, we saw them send another infection chain, this time designed for Macs. What I think is interesting here is not only did they send the attachment, which was masquerading as a VPN application, but they also set up a decoy website for an FTP server, saying, "Hey, all the projects are on this server, but in order to connect to the server and work with our researchers, you have to run the VPN." So if you go to that decoy website, no matter what password you use, whether it's one they provide or whether you try to put your own in, it doesn't work. And the idea would be that they're trying to social engineer the target into making sure that they actually do run the malware that they sent, not just try to log in to the shared drive.

Dave Bittner: Well, let's continue down the path here. I mean, what ultimately is the end game?

Joshua Miller: Yeah, so what we saw is they got the e-mail, they sent out the VPN application, which was, like we talked about, a Mach-O binary. And that Mac malware reached out to a dynamic DNS command and control that downloaded a second stage which we call NokNok. That NokNok, similar to what we've talked about before, that modular backdoor for Windows, that's the same function that NokNok serves. And so NokNok can do two things: it can either retrieve commands, and then kill itself, and it's done running, or it can download more modules. So during our analysis, we found four modules. We saw one for downloading processes, information, applications, and then persistence. And so all these modules are pretty interesting. They're similar and correspond to a lot of modules that we see on the Windows side, but obviously they're meant for Mac. And they all have very similar functionality as far as encryption and encoding for exfiltration back to that dynamic DNS website, which again, is another cloud provider that TA453 uses. And then the persistence mechanism basically establishes a copy of the previous kill chain in a location that will run again should it be- should the software time out. So that's sort of what we saw. Our assessment, and we didn't get a chance to see this, but our assessment is that the malware would- so we saw four modules on the Mac side. And Filexia [assumed spelling] talked about seeing nine modules on the Windows side. Our assessment is that once those four modules are reporting back constantly to Charming Kitten, that's when we'll start seeing hands-on keyboard. And we'll start seeing some of those more modules meant for exfiltrating screenshots, maybe grabbing files, those sorts of things. We didn't see those yet in our research, but that's sort of our assessment of, hey, where will this go. Well, they're gonna start trying to get files, not just conduct reconnaissance.

Dave Bittner: So it sounds like you're pretty confident in attribution here for TA453. What do we need to know about them?

Joshua Miller: So TA453 is probably one of the most persistent groups that we see. They consistently target the same organizations and individuals over and over. So they target everything from nonprofit organizations, government officials, sometimes travel agencies, and we attribute that they are aligned with Iran, and specifically, the IRGC-IO. So what that means is that they are- everything that they do, all the phishing e-mails they send and the malware that they deploy, operates in support of Iran, and Iran's interest, and to gain intelligence for Iran. What we don't know is whether or not they are uniformed military officers, whether they're just contractors. Iran does a little bit of both. They also have people who are- do compulsory military service. We, at Proofpoint, don't have visibility into the actual, hey, this is the person behind the computer. But what we see is that this group which we cluster together is pretty persistent. They also, we believe, respond to different parties from the Iranian regime. So when COVID came out, we saw them starting to target pharma companies. When- and medical research. We've also seen them target, with the recent protests and unrest in Iran- we've seen them target human rights scholars, women's scholars, those sorts of individuals, to sort of understand the who behind the action. And what we see is they typically will try to gather credentials from people and use those credentials to then exfiltrate the e-mail, to then obviously gain the intelligence from that e-mail. The US government also indicted some members of Charming Kitten, or TA453, for conducting ransomware. So just like a lot of groups, there's different teams of TA453, and one of them was using different exploits. All the- pretty much all the exploits of the last couple of years that were opportunistic, sort of that wide Internet scanning that then leads into compromise. So the US government indicted a couple of front companies for that activity.

Dave Bittner: Hm. So what are your recommendations, then? I mean, based on the information you all have gathered here, how should folks go about best protecting themselves?

Joshua Miller: Yeah, so the big thing is just verifying who is sending you that link or that attachment. If it's not coming from their organizational account, meaning their .edu, the official domain- if it's coming from a Gmail, Yahoo, Outlook, verify with them in some other way before opening it. That's the biggest thing we can do. If it's a journalist that you think's reaching out to you, reach out to them via their newsroom to understand, hey, is this a legit e-mail or is this someone pretending to be that journalist. The other thing to do is making sure that you use strong passwords is always a good one. But also, if your account ever does get compromised, something to look at, a lot of personal e-mail accounts have something called application-specific passwords. And that's where you are allowing different applications to access your e-mail for whatever purpose. We've seen Charming Kitten use that as a way to maintain persistence to e-mail accounts. So it's great to change your password after you've been compromised. You also want to make sure there's not any application-specific passwords hanging out, because even if you change your password, those don't change. So that's really the biggest thing, is just verify who's sending you this information and just being aware that this threat's out there. We see it from Iran targeting experts. We see it from North Korea, as well as China. So- and Russia, too, honestly. So it's just good to be aware of who's sending you e-mail.

Dave Bittner: Our thanks to Joshua Miller from Proofpoint for joining us. The research is titled, "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." We'll have a link in the show notes.

Dave Bittner: The CyberWire "Research Saturday" podcast is a production of N2K Networks. Proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.