Archive.fm

CyberWire Daily

Encore: Welcome to New York, it's been waitin' for you. [Research Saturday]

Joshua Miller from Proofpoint joins Dave to discuss findings on "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." In mid May, TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, was found sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The research states that "the email solicited feedback on a project called "Iran in the Global Security Context" and requested permission to send a draft for review." Proofpoint shares its findings and what you can expect from the threat group. The research can be found here: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 18m
Broadcast on: 06 Jul 2024
Audio Format: mp3


You're listening to the Cyberwire Network, powered by N2K. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber.

Hello, everyone, and welcome to the Cyberwire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Yeah, so as part of my daily job, I track advanced adversaries that we sought to come from places like Iran or the Middle East, and we have in place different detections that we use to sort of find these and look in our emails to try to find these. It's very much with some of these benign conversations. It's like hunting for a needle in a haystack.

That's Joshua Miller. He's a senior threat researcher with Proofpoint's Threat Research Team. The research we're discussing today is titled Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware.

So one of our detection rules that I had written triggered and it came up that it was TA453, so we investigated it, talked to our customer, and then went through the whole malware chain.

Well, let's go through it together here. I mean, what was the thing that set off the trigger?
Yeah, so TA453 is known for pretending to be individuals who they spoof, well-known scholars in the nuclear space, the security space, and they sort of engage in these conversations with academics at think tanks, at universities, policy experts, and so the English is actually pretty good when you look at these actual emails that we have, but they're always sort of asking for collaboration or they want to send an article or a link. And so after you look at these for a while, you sort of understand, hey, this is what they're doing. They're pretending to be this person and then sending over an offer for collaboration.

It's interesting to me. It strikes me that there's a certain amount of patience at play here and that the initial contact doesn't include the link, doesn't include the attachment. They ask for permission to take that next step.

Absolutely. And that's something we've found very interesting is that sometimes we'll see them talk to, there's one case where we saw them talk to their target for weeks at a time before sending the actual malicious link or attachment. And other times, there are some cases where they send it in the initial email. So I think it really just depends on who the operator is, what the goal is, and also how much work they have put into setting up the infrastructure or dedicated to the target.

So let's continue down this path together. So the target gets this email. What happens next?

Yeah. So the target gets the email and then after they reply to the actor, they send them a malicious link. So the malicious link was an email with a Google macro. So scripts.google.com allows you to sort of host your own code. And it's a way that actors try to evade detection because it says that, hey, it's going to Google, which is, it's similar to hosting things like Outlook or Dropbox, where it sort of evades detection because you have that known good of Google Cloud. So after the Google macro, it then redirected to Dropbox.
And at Dropbox, it had a RAR file titled Abraham Accords and MENA, which is Middle East and North Africa. And that RAR file title matched the content of the initial email that we had talked about where they said, hey, can you help me with this project that we're working on?

And so the victim gets that and I suppose at this point, things look legit. But what exactly is going on here with that RAR file?

Yeah. So that's something that we've seen, there's the first time we've seen TA453, which we also call Charming Kitten. There's another name that they're known as. And the RAR file, when it opens up, it has an LNK file, which is a Windows shortcut file, and that uses some obfuscated PowerShell that reaches out to a cloud provider and downloads more PowerShell. At this time, it's base64 encoded, that reaches out to that same cloud provider. And then that PowerShell calls more that reaches out to a place called CleverApps, which is a company that allows you to run JavaScript applications in the cloud. So again, you're seeing this really complicated attack chain across different cloud providers, different cloud services. And part of that is to maintain this attribution. If they're not using a unique malware, they're using all these different cloud services. It's harder to identify them and attribute the campaign. So after CleverApps, it downloads another function, and then it uses pieces of all of those different things that it's downloaded to start the backdoor, which we call "GorjolEcho," which then displays the PDF and does some reconnaissance.

Yeah, you highlight in the research here the degree to which they're bouncing around to all these different cloud providers. What's the time scale that we're talking about here for these hops from one to another? I mean, are they going as fast as they can? Are they deliberately delaying some things? Is there anything of interest there?

Yeah, that's a great question.
They are, at least for this piece of malware, going almost instantaneously. So it's, "Hey, we download this, and then move on to the next function." There weren't any necessary delays or sort of ways to evade detection in that way.

I see. Yeah. So we get this PDF file. Where do we go from there?

Yeah. So to the end user, it looks like, "Hey, I downloaded a RAR file from Dropbox," or just downloaded a file from Dropbox, and it's a PDF displayed, so they don't see anything unusual. But in the background, it's downloading and executing what we call the modular backdoor, or GorjolEcho. Obviously, what that means is once the persistence and the backdoor is installed on a computer, the actor can choose which of the modules that they have, which are PowerShell scripts, get downloaded to the user's computer. So there's ones for things like taking screenshots, exfiltrating information, getting system information, and then also, Volexity, another security vendor, found some for removing, almost cleaning up the intrusion as well. So it's sort of a full-featured backdoor with different modules that they can deploy.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Traditional security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why.
SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

One of the things you highlight in the research is that evidently they discovered that one of their targets was running a macOS system, which required a little bit of extra effort on their part.

Yeah. And so like I mentioned before, the LNK file that's in the RAR is a Windows shortcut file, so obviously that's not going to run on a Mac computer. So about a week later, we saw them send another infection chain, this time designed for Macs. What I think is interesting here is not only do they send the attachment, which was masquerading as a VPN application, but they also set up a decoy website for an FTP server saying, hey, all the projects are on the server, but in order to connect to the server and work with our researchers, you have to run the VPN. So if you go to that decoy website, no matter what password you use, whether it's one they provide or whether you try to put your own in, it doesn't work. And the idea would be is that they're trying to social engineer the target into making sure that they actually do run the malware that they sent, not just try to log into the shared drive.

Well, let's continue down the path here. I mean, what ultimately is the end game?

Yeah. So what we saw is they got the email, they sent out the VPN application, which was, like we talked about, a Mach-O binary. And that Mac malware reached out to a dynamic DNS command and control that downloaded a second stage, which we call NokNok. That NokNok, similar to what we've talked about before, that modular backdoor for Windows, it's the same function that NokNok poses.
And so NokNok can do two things, and it can either retrieve commands and then kill itself and it's done running, or it can download more modules. So during our analysis, we found four modules. We saw one for downloading processes, information, applications, and then persistence. And so all of these modules are pretty interesting. They're similar and correspond to a lot of modules that we've seen on the Windows side, but obviously they're meant for Mac. And they all have very similar functionality as far as encryption and encoding for exfiltration back to that dynamic DNS website, which again, another cloud provider that TA453 uses. And then the persistence mechanism basically establishes a copy of the previous kill chain in a location that will run again, should it be, should the software time out. So that's sort of what we saw, our assessment, and we didn't get a chance to see this, but our assessment is that the malware would, so we saw four modules on the Mac side. And for like I said, I talked about seeing nine modules on the Windows side, our assessment is that once those four modules are reporting back constantly to Charming Kitten, and that's when we'll start seeing hands-on keyboard and we'll start seeing some of those more modules meant for actually taking screenshots, maybe grabbing files, those sort of things. We didn't see those yet in our research, but that's sort of our assessment of, hey, where will this go? Well, they're going to start trying to get files, not just conduct reconnaissance.

So it sounds like you're pretty confident in the attribution here for TA453. What do we need to know about them?

So TA453 is probably one of the most persistent groups that we see. They consistently target the same organizations and individuals over and over. So they target everything from nonprofit organizations, government officials, sometimes travel agencies. And we attribute that they are aligned with Iran and specifically the IRGC-IO.
So what that means is that they are, everything that they do, all the phishing emails they send, the malware that they deploy, operates in support of Iran, in Iran's interest, and to gain intelligence for Iran. What we don't know is whether or not they are uniformed military officers, whether they're just contractors. Iran does a little bit of both. They also have people who are doing compulsory military service. We at Proofpoint don't have visibility into the actual, hey, this is the person behind the computer. But what we see is that this group, which we cluster together, is pretty persistent. They also, we believe, respond to different priorities from the Iranian regime. So when COVID came out, we saw them starting to target pharma companies and medical research. We've also seen them target, with the recent protests and unrest in Iran, we've seen them target human rights scholars, women scholars, those sort of individuals. So sort of understand the who behind the action. And what we see is they typically will try to gather credentials from people and use those credentials to then exfiltrate the email, to then obviously gain the intelligence from that email. There was also, the US government indicted some members of Charming Kitten or TA453 for conducting ransomware. So just like a lot of groups, there's different teams of TA453, and one of them was using different exploits, pretty much all the exploits of the last couple years that were opportunistic, sort of that wide internet scanning that then leading to compromise. So the US government indicted a couple of front companies for that activity.

So what are your recommendations then? Based on the information you all have gathered here, how should folks go about best protecting themselves?

Yeah. So the big thing is just verifying who is sending you that link or that attachment.
If it's not coming from their organizational account, meaning their .edu, their .org, the official domain, if it's coming from a Gmail, Yahoo, Outlook, verify with them in some other way before opening it. That's the biggest thing we can do. If it's a journalist that you think is reaching out to you, reach out to them via their newsroom to understand, hey, is this a legit email, or is this someone pretending to be that journalist? The other thing to do is making sure that you use strong passwords, as always a good one. But also, if your account ever does get compromised, something to look at, a lot of personal email accounts have something called application-specific passwords, and that's where you are allowing different applications to access your email for whatever purpose. We've seen Charming Kitten use that as a way to maintain persistence to email accounts. So it's great to change your password after you've been compromised. You also want to make sure there's not any application-specific passwords hanging out, because even if you change your password, those don't change. So that's where the biggest thing is just verify who's sending you this information and just being aware that this threat's out there. We see it from Iran targeting experts. We see it from North Korea as well as China. And Russia too, honestly. So it's just good to be aware of who's sending you email.

Our thanks to Joshua Miller from Proofpoint for joining us. The research is titled Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware. We'll have a link in the show notes.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
The Cyberwire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. What's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire.