Charming Kitten Hackers Uses Weaponized MS Word Doc to Deploy Powershell Backdoor

Charming Kitten, also known as TA453, is an Iranian government-based cyberwarfare group that has conducted several attacks since 2017.

In the middle of May 2023, these threat actors sent a benign email posing as a Senior Fellow of the Royal United Services Institute (RUSI) regarding feedback for a project called “Iran in the Global Security Context.”

The email also consisted of other nuclear security experts which threat actors have contacted as part of credulous to the victims. The email accounts used for this email campaign are found to be created and not compromised.

Charming Kitten – Overview of their TTPs

After the initial email, the threat actors send Google script macros to their targets which redirects the victims to a Dropbox URL that consists of a password-encrypted .rar file (Abraham Accords & MENA.rar) and .LNK file (Abraham Accords & MENA.pdf.lnk).

Dropper and Additional Malware

The .LNK file (Abraham Accords & MENA.pdf.lnk) acts as the dropper which uses the Gorjol function and executes several PowerShell commands to establish a connection to the C2 server. Once the connection is established, it downloads a base64 encoded .txt file (first Borjol function) from the server.

Once this Borjol function is decoded, the function communicates with the C2 located at fuschia-rhinestone.cleverapps[.]io to download another encrypted Borjol function (second Borjol function) that uses the same variables in the first Borjol function.

This second Borjol function decrypts the PowerShell Backdoor (GorjolEcho) that is used by threat actors to gain persistence in the system. This backdoor is initiated with a decoy PDF before the exfiltration of data to the C2. 

Mac Malware

As per the research from Proofpoint, the malware did not run on an Apple computer. However, a week after the initial communication, the threat actors sent another new infection chain that could also attack Mac operating systems.

This time they sent malware disguised as a RUSI VPN Solution, which executes an Apple script file and uses the curl command to download the function with the C2 (library-store[.]camdvr[.]org/DMPR/[alphanumeric string]) resolving to 144.217.129[.]176, an OVH IP.

Instead of a PowerShell backdoor, this time a bash script (NokNok) was used to gain persistence in the system.

To evade detection efforts and carry out cyber espionage operations against its target of interest, TA453 continues to dramatically modify its infection chains.

The employment of Google Scripts, Dropbox, and CleverApps shows that TA453 continues to adhere to a multi-cloud strategy in its efforts to probably limit disruptions from threat hunters.

Source: https://cybersecuritynews.com/charming-kitten-powershell-backdoor/