
Iranian Group TA453 Increases its Sphere of Influence Online


By Esme Greene

Jul 27, 2023

The Islamic Revolutionary Guards Corps (IRGC)-affiliated Iranian hacking group TA453 has launched a fresh round of attacks targeting both Windows and macOS. According to an analysis published yesterday by security company Proofpoint, “TA453 used various cloud hosting providers for a new chain of infections that uses the newly discovered GorjolEcho PowerShell backdoor.”

The Research

According to the researchers, TA453 deliberately “transfers arrows” (shifts attribution) by impersonating other cybercriminal organizations, confusing security analysts in the process.

Since 2011, TA453 has been active under the aliases APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda. 

Researchers observed the deployment of CharmPower (also tracked as GhostEcho/POWERSTAR), a suite of updated PowerShell implants, by the group towards the end of July. Earlier, in a series of attempts detected in May 2023, a nuclear security expert at a US foreign policy think tank received phishing emails from the attackers. The emails carried a malicious Google Script link that redirected the intended recipient to Dropbox, where the malicious RAR archive was hosted.

The archive contained a malicious file that launched the multi-stage installation of the GorjolEcho backdoor. In this instance, a decoy PDF document was displayed to the victim while the malware ran in the background, ready to execute further commands from the remote server.
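The delivery chain described above (a Google Script link that redirects to a Dropbox-hosted RAR archive, followed by a decoy document) leaves a recognisable footprint in web-proxy logs. The following Python script is an added example, not code from the article or from Proofpoint: it correlates, per user, a visit to a redirect host with an archive download from a file-hosting host shortly afterwards. The log format, host lists, time window and all URLs are constructed assumptions for illustration, and the log is assumed to be in chronological order.

```python
"""Correlate proxy log lines for a redirect-then-archive-download chain.

Added example (not the article's or Proofpoint's code). The log format,
the host lists and the ten-minute window are assumptions of this example.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<ISO timestamp> <user> <url>", sorted by time.
SAMPLE_LOG = """\
2023-05-10T09:12:01 alice https://script.google.com/macros/s/EXAMPLE_ID/exec
2023-05-10T09:12:04 alice https://www.dropbox.com/s/EXAMPLE/invite.rar?dl=1
2023-05-10T09:30:00 bob https://script.google.com/macros/s/OTHER_ID/exec
2023-05-10T11:30:00 bob https://www.dropbox.com/s/OTHER/notes.rar?dl=1
2023-05-10T12:00:00 carol https://www.dropbox.com/s/QUITE/report.pdf?dl=1
"""

# Hosts that played the "redirector" and "archive hosting" roles in the chain.
REDIRECT_HOSTS = {"script.google.com"}
HOSTING_HOSTS = {"www.dropbox.com", "dl.dropboxusercontent.com"}
ARCHIVE_EXTS = (".rar", ".zip")
WINDOW = timedelta(minutes=10)  # assumed maximum gap between click and download


def parse_line(line):
    """Split one log line into (timestamp, user, url)."""
    ts, user, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, url


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def path_of(url):
    # Query string is ignored so "?dl=1" does not hide the extension.
    return urlparse(url).path.lower()


def find_chains(log_text, window=WINDOW):
    """Return (user, redirect_url, archive_url) tuples for every user whose
    request to a redirect host is followed within `window` by an archive
    download from a hosting host. Only the most recent redirect per user
    is remembered, which is enough for a click-then-download sequence."""
    last_redirect = {}  # user -> (timestamp, url)
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, url = parse_line(raw)
        host = host_of(url)
        if host in REDIRECT_HOSTS:
            last_redirect[user] = (ts, url)
        elif host in HOSTING_HOSTS and path_of(url).endswith(ARCHIVE_EXTS):
            prev = last_redirect.get(user)
            if prev is not None and ts - prev[0] <= window:
                hits.append((user, prev[1], url))
    return hits


if __name__ == "__main__":
    for user, redirect, archive in find_chains(SAMPLE_LOG):
        print(f"[chain] {user}: {redirect} -> {archive}")
```

On the constructed log only alice is reported: bob's download is two hours after the redirect, and carol fetched a PDF rather than an archive. In a real deployment the host lists would come from your own intelligence feeds, and a hit is a triage signal to be paired with endpoint telemetry (for example a PowerShell process spawned from the extracted archive), not a verdict on its own.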

What is Known About the TA453

When the TA453 operators learned that their target was using an Apple machine, they revised their plan and sent the victim a second email with a ZIP archive containing the NokNok malware disguised as a VPN application. NokNok can in turn download up to four modules from the C2 server, each of which can establish persistence on the system via LaunchAgents and gather information on running processes, installed applications, and system metadata.
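Because the macOS modules described above persist through LaunchAgents, a quick audit of a user's LaunchAgents directory is a practical defensive check. The script below is an added example, not code from the article or from Proofpoint: it parses each property list, records the persistence keys it carries, and flags agents that combine a persistence trait with a program living in a temporary or shared directory or launched through an interpreter. The sample plists it builds are constructed, and the directory list and heuristics are this example's own assumptions rather than detection rules published for NokNok.

```python
"""Audit LaunchAgents-style property lists for persistence traits.

Added example (not the article's or Proofpoint's code). The directories
and command tokens treated as suspicious are assumptions for illustration.
"""
import os
import plistlib
import tempfile

PERSISTENCE_KEYS = ("RunAtLoad", "KeepAlive")
# Assumed: locations a legitimate vendor agent rarely launches from.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/",
                   "/Users/Shared/", "/Library/Caches/")
# Assumed: tokens that indicate an interpreter or downloader rather than a binary.
SUSPICIOUS_TOKENS = ("bash -c", "sh -c", "osascript", "curl ", "python -c")


def audit_plist(path):
    """Return {'label', 'flagged', 'reasons'} for one LaunchAgent plist."""
    with open(path, "rb") as fh:
        info = plistlib.load(fh)
    args = list(info.get("ProgramArguments") or [])
    if info.get("Program"):
        args.insert(0, info["Program"])
    cmd = " ".join(str(a) for a in args)

    persistence = [k for k in PERSISTENCE_KEYS if info.get(k)]
    suspicious = []
    if any(d in cmd for d in SUSPICIOUS_DIRS):
        suspicious.append("program in temp/shared/cache path")
    if any(t in cmd for t in SUSPICIOUS_TOKENS):
        suspicious.append("interpreter or downloader launch")

    # Flag only when the agent both persists and looks unusual, to keep
    # ordinary vendor updaters (which also use RunAtLoad) out of the list.
    return {
        "label": info.get("Label"),
        "flagged": bool(persistence and suspicious),
        "reasons": persistence + suspicious,
    }


def audit_dir(dirpath):
    """Audit every .plist in dirpath; returns {filename: audit result}."""
    results = {}
    for name in sorted(os.listdir(dirpath)):
        if name.endswith(".plist"):
            results[name] = audit_plist(os.path.join(dirpath, name))
    return results


def build_sample_dir():
    """Write two constructed plists (one benign, one suspicious) to a temp dir."""
    d = tempfile.mkdtemp(prefix="launchagents_sample_")
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
            "RunAtLoad": True,
        },
        "com.fake.vpnhelper.plist": {  # constructed, mimics a fake VPN helper
            "Label": "com.fake.vpnhelper",
            "ProgramArguments": ["/bin/bash", "-c", "/Users/Shared/.vpn/helper"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(data, fh)
    return d


if __name__ == "__main__":
    # On a real host: audit_dir(os.path.expanduser("~/Library/LaunchAgents"))
    for name, result in audit_dir(build_sample_dir()).items():
        status = "FLAGGED" if result["flagged"] else "ok"
        print(f"{status:8} {name}: {', '.join(result['reasons']) or 'no persistence keys'}")
```

Running the audit over a real `~/Library/LaunchAgents` (and `/Library/LaunchAgents`) gives a starting inventory; any flagged entry should be compared against a known-good baseline, and its program binary's signature and install date checked before it is removed.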

The researchers also discovered that TA453 operates a phony file-sharing website, likely designed to collect visitors’ unique identifiers and to serve as a means of tracking which targets were successfully compromised.

TA453 “continues evolving its ransomware armory by introducing new file types and attacking new operating systems,” Proofpoint said, adding that the group “keeps up working towards the identical end goals of intrusive and unauthorized intelligence” while making itself tougher to detect.
