Charming Kitten PowerShell Backdoor

Charming Kitten, also known as TA453, is an Iranian government-backed cyberwarfare group that has conducted several attacks since 2017.

In the middle of May 2023, these threat actors sent a benign email posing as a Senior Fellow of the Royal United Services Institute (RUSI) regarding feedback for a project called “Iran in the Global Security Context.”

The email also included other nuclear security experts whom the threat actors had contacted, to appear credible to the victims. The email accounts used in this campaign were found to be newly created rather than compromised.

Charming Kitten – Overview of their TTPs

After the initial email, the threat actors sent their targets Google Scripts macros that redirected the victims to a Dropbox URL hosting a password-protected .rar file (Abraham Accords & MENA.rar) and a .LNK file (Abraham Accords & MENA.pdf.lnk).

Figure: full infection chain (source: Proofpoint)

Dropper and Additional Malware

The .LNK file (Abraham Accords & MENA.pdf.lnk) acts as the dropper: it uses the Gorjol function and runs several PowerShell commands to establish a connection to the C2 server. Once the connection is established, it downloads a base64-encoded .txt file (the first Borjol function) from the server.

Once this Borjol function is decoded, it communicates with the C2 located at fuschia-rhinestone.cleverapps[.]io to download another encrypted Borjol function (the second Borjol function) that reuses the same variables as the first.

The second Borjol function decrypts the PowerShell backdoor (GorjolEcho), which the threat actors use to gain persistence on the system. The backdoor opens a decoy PDF when it starts, before exfiltrating data to the C2.

Mac Malware

According to Proofpoint's research, the malware did not run on an Apple computer. However, a week after the initial communication, the threat actors sent a new infection chain that could also target Mac operating systems.

This time they sent malware disguised as a RUSI VPN solution, which runs an AppleScript file and uses the curl command to download the next function from the C2 (library-store[.]camdvr[.]org/DMPR/[alphanumeric string]), which resolved to 144.217.129[.]176, an OVH IP address.

Instead of a PowerShell backdoor, a bash script (NokNok) was used this time to gain persistence on the system.

Figure: Mac system infection chain

TA453 continues to substantially modify its infection chains to evade detection and carry out cyber espionage operations against its targets of interest.

The use of Google Scripts, Dropbox and CleverApps shows that TA453 continues to follow a multi-cloud strategy, most likely in an effort to limit disruption by threat hunters.

Indicators of Compromise

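As an added defender-side example (not code from the article or from Proofpoint), the following Python refangs the C2 domains and IP address named in this article, flags the double-extension .pdf.lnk lure naming, and runs both checks over a few constructed log lines; the key=value log format, the field names and the sample events are assumptions.

```python
import re

# Indicators named in this article (defanged as published); the log format
# and sample events below are constructed for illustration, not real telemetry.
DEFANGED_IOCS = [
    "fuschia-rhinestone.cleverapps[.]io",
    "library-store[.]camdvr[.]org",
    "144.217.129[.]176",
]

def refang(indicator):
    """Convert a defanged indicator back to the form that appears in logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Lure naming used in this campaign: a document extension placed before .lnk
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|rtf)\.lnk$", re.IGNORECASE)

def parse_line(line):
    """Parse a 'key=value key="quoted value"' log line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def match_event(event):
    """Return the reasons a single event matches this campaign's tradecraft."""
    reasons = []
    for field in ("query", "dest", "dst_ip"):           # assumed field names
        value = event.get(field, "").lower().rstrip(".")
        if value in IOC_SET:
            reasons.append("known C2 indicator: " + value)
    name = event.get("file", "")
    if DOUBLE_EXT_LNK.search(name):
        reasons.append("double-extension shortcut lure: " + name)
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = match_event(parse_line(line))
        if reasons:
            hits.append((n, reasons))
    return hits

SAMPLE_LOG = [  # constructed events
    'type=dns host=ws07 query=fuschia-rhinestone.cleverapps.io',
    'type=dns host=ws07 query=www.example.com',
    'type=file host=ws07 file="Abraham Accords & MENA.pdf.lnk" action=create',
    'type=net host=mac02 dst_ip=144.217.129.176 proc=curl',
    'type=file host=ws07 file="report.pdf" action=create',
]
```

Calling scan(SAMPLE_LOG) returns hits for lines 1, 3 and 4 (the C2 DNS query, the .pdf.lnk lure and the connection to the OVH IP), each with the reason it matched.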


Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.