Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.
Latest posts by Esme Greene (see all)
- Famous Hacker’s Irony - August 25, 2023
- Farewell to Kevin Mitnick, the Famous Hacker - August 25, 2023
- Lazarus Strikes South Korean Websites - August 25, 2023
The Islamic Revolutionary Guards Corps (IRGC)-affiliated Iranian hacking group TA453 launched a fresh round of assaults, infecting Windows and macOS.According to yesterday’s analysis by companies Proofpoint, “TA453 used various cloud hosting providers for a new chain of infections that uses the newly discovered GorjolEcho PowerShell backdoor.”
The Research
According to the researchers, TA453 deliberately “transfers arrows” by impersonating other cybercriminal organizations and confuses security experts in the process.
Since 2011, TA453 has been active under the aliases APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda.
Researchers discovered the deployment of CharmPower (GhostEcho/POWERSTAR), a suite of updated Powershell implants, by hackers towards the end of July. A nuclear security expert at a US foreign policy think tank received phishing emails from attackers in a series of attempts that were detected in May 2023. The emails had a malicious link to Google Script that led the intended recipient to Dropbox, which was hosting the malicious RAR package.
This package was infected with a virus that launched the harmful GorjolEcho software’s multi-step installation process. In this instance, a bogus PDF document was shown while the virus was running in the background and ready to execute further orders from the remote server.
What is Known About the TA453
The TA453 hackers revised their plan and sent the victim a second email with a ZIP package containing NokNok malware disguised as a VPN-application when they learned that their target was using an Apple machine. In turn, NokNok has the capacity to download up to four modules from the C2 server, each of which has the ability to establish persistence in the system via LaunchAgents and gather information on currently active processes, installed apps, and system metadata.
The researchers also discovered that TA453 employs a phony file-sharing website, which is probably designed to remove users’ unique identities and serves as a tool for following successful victims.
The virus known as “TA453” “continues evolving its ransomware armory by introducing new file types and attacking new operating systems,” Proofpoint said, adding that the hacker “keeps up working towards the identical end goals of intrusive and unauthorized intelligence” while making it tougher to detect.