NokNok Malware for macOS

Security researchers have unveiled a new malicious campaign, allegedly conducted by the Charming Kitten APT group. The campaign, which kicked off in May, features a unique piece of malware dubbed “NokNok,” specifically designed to infiltrate macOS systems.

The group, also identified as APT42 or Phosphorus, has a notorious history dating back to 2015. They have carried out a minimum of 30 operations across 14 different countries, as per the data from Mandiant. According to Google, the threat actors are reportedly have links to the Iranian state, particularly the Islamic Revolutionary Guard Corps (IRGC). Interestingly, the U.S. government succeeded in identifying and indicting members of this group in September 2022.

A Shift from the Conventional Malware Delivery Method – NokNok Malware

According to Proofpoint, the group seems to have drifted from the familiar macro-based attack techniques involving malware-riddled Word documents. The new modus operandi involves using LNK files to unload their payloads.

The threat actors cleverly impersonate U.S. nuclear experts in their phishing attempts, inviting targets to critique drafts on foreign policy matters. Sometimes, the attackers involve other fictitious characters in the dialogue to give an impression of authenticity and build trust with the potential victims.

The group’s reputation for impersonating personas in phishing attacks and creating convincing conversation threads using ‘sock puppets’ is well-known.

Attacking Windows Systems

Once they gain the trust of their target, the Charming Kitten group sends a harmful link embedded with a Google Script macro. This link redirects the unsuspecting victim to a Dropbox URL, hosting a password-protected RAR archive with a malware dropper. This dropper uses PowerShell code and an LNK file to prepare the malware from a cloud hosting provider.

The final payload is GorjolEcho, a basic backdoor program that accepts and executes commands from its remote operators. To evade any suspicion, GorjolEcho will open a PDF. The content of which is aligns with the previous conversation between the attacker and the victim.

Attacking macOS Systems

If the target utilizes macOS (typically discovered after an unsuccessful Windows payload infection attempt), the attackers send a fresh link to “library-store[.]camdvr[.]org,” housing a ZIP file pretending to be a RUSI (Royal United Services Institute) VPN app.

Upon execution of the Apple script file in the archive, a curl command fetches the NokNok payload. It sets up a backdoor in the victim’s system.

The NokNok Malware

The NokNok malware produces a system identifier and employs four bash script modules to ensure persistence, establish a connection with the command & control (C2) server, and start data exfiltration to it.

This malware collects system data, including the OS version, running processes, and installed apps. The data is encrypted, encoded in base64 format, and exfiltrated. Proofpoint suggests that NokNok could have additional espionage-related capabilities through unseen modules.

Similarities in the code to GhostEcho, analyzed previously by Check Point, add to this suspicion. GhostEcho had modules that allowed taking screenshots, command execution, and cleaning the infection trail. It’s probable that NokNok shares these features.

The Bigger Picture of NokNok Malware

This campaign reveals Charming Kitten’s notable adaptability and capability to target macOS systems when necessary. It underscores the rising threat of advanced malware campaigns to macOS users. The evolution in their attack methodology demonstrates the persistent and growing cybersecurity challenges in the digital age.