Iran-based hackers targeting nuclear security experts through Mac, Windows malware

Hackers supporting the government of Iran are targeting experts in Middle Eastern affairs and nuclear security in a new campaign that researchers said involved malware for both Apple and Microsoft products.

Cybersecurity experts from Proofpoint attributed the campaign to a group they call TA453 but also is known as Charming Kitten, Mint Sandstorm or APT42, which has previously been tied to the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO).

They found hackers pretending to be a senior fellow with the U.K. think tank the Royal United Services Institute (RUSI) while attempting to spread malware to a nuclear security expert at a U.S.-based think tank focused on foreign affairs.

The hackers continue to adapt the tools used during their attacks, deploying “novel file types and targeting new operating systems, specifically sending Mac malware to one of its recent targets,” Proofpoint said.

“TA453’s capability and willingness to devote resources into new tooling to compromise its targets exemplifies the persistence of state-aligned cyber threats,” said Joshua Miller, a senior threat researcher for the company.

“The threat actor’s continued efforts to iterate their infection chains to bypass security controls demonstrate how important a strong community informed defense is to frustrate even the most advanced adversaries.”

In a report published Thursday, Miller and other Proofpoint researchers explained that the group uses Google Scripts, Dropbox and CleverApps to disrupt the efforts of threat hunters.

The goal of the campaign is reconnaissance, with the hackers deploying several backdoors in victims systems to gather intelligence.

The hackers were forced to shift their tactics in May after Microsoft made changes last year to a popular feature in its Office suite of apps. Past campaigns analyzed by Proofpoint saw the hackers use Microsoft’s Visual Basic for Applications (VBA) macro to deploy malware but the tech giant announced that it is now blocking the feature by default in a variety of Office apps to limit its use among hackers.

Proofpoint attributed the campaign to Iranian actors based on “both direct code similarities and similarities in overall campaign tactics, techniques, and procedures.” Two of the backdoors found in the campaign date back to ones seen in 2021.

‘Iran in the Global Security Context’

The campaign began in May with an email to an expert from a hacker purporting to be a senior fellow with RUSI.

The email said the researchers were working on a project called “Iran in the Global Security Context” and were looking for feedback from experts. To bolster its legitimacy, the hackers said the project was being worked on by other well-known nuclear security experts. The attackers had previously sent emails masquerading as those people, too. The hackers even offered to pay the expert for their take on the document.

“TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho,” the researchers said.

At one point the hackers realized that a malicious file would not run on the victim’s Apple computer, so they sent another email with malware that would work on Mac operating systems.

Proofpoint said the likely goal is monitoring experts who are likely playing some role in the foreign policy positions taken by governments involved in the Joint Comprehensive Plan of Action (JCPOA) negotiations, known colloquially as the Iran nuclear agreement.

Proofpoint noted that its investigation into the campaign was assisted by Dropbox and HSBC Cyber Intelligence and Threat Analysis. Dropbox removed the accounts that were associated with the campaign after being notified by Proofpoint.

In April, Charming Kitten was accused of deploying a new strain of malware named BellaCiao against several victims in the U.S., Europe, India, Turkey and other countries.

Microsoft reported earlier this year that the same Iranian hacking group spent much of 2021 and 2022 directly targeting “US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity.”

“The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting such groups are less bounded in their operations,” Microsoft explained.