The threat of cyberattacks continues to grow as advanced persistent threats (APTs) develop more sophisticated techniques. One such APT, known as APT35 and linked to Iran, has recently emerged with a specially crafted Mac malware called “NokNok.” This malware is specifically designed to carry out targeted cyberattacks on civil society members. In a recent discovery, APT35 launched an attack on a nuclear security expert, utilizing the Mac malware as part of a broader campaign. This article will delve into the details of the NokNok malware, discuss the tactics employed by APT35, and explore the implications of such targeted cyberattacks.
Discovery of Mac Malware
The development of the NokNok Mac malware by APT35 has raised concerns among cybersecurity researchers. The discovery came after the APT35 group sent a conversation lure email to a nuclear security expert, pretending to be a senior fellow with the Royal United Services Institute. By engaging in payload-less email interactions, the attackers built trust with their target before delivering a malicious link.
Attack on Nuclear Security Expert
After successfully communicating with the target, the attackers sent a malicious link redirecting to a Dropbox URL containing the NokNok malware. This carefully orchestrated attack demonstrates the level of sophistication employed by APT35. By targeting nuclear security experts, the APT35 group showcases their determination to gain valuable information from specific individuals.
Broader Campaign by APT35
The attack on the nuclear security expert appears to be part of a larger campaign orchestrated by APT35. This campaign includes an updated cyberattack arsenal, indicating a high level of sophistication and adaptability on the part of this APT group. It is crucial to understand the motivation and objectives behind such attacks in order to effectively counter APT35’s cyber operations.
Similarities to Israeli Journalist Campaign
Noteworthy similarities can be observed between the attack on the nuclear security expert and a recent spear-phishing campaign by APT35 targeting an Israeli journalist. Both attacks involved a password-protected .RAR file and a malicious LNK file. The malware used in the Israeli journalist campaign, known as PowerStar, is believed to have a strong resemblance to the NokNok malware. These connections suggest a consistent operational strategy employed by APT35 in their cyber campaigns.
Support for Non-Windows Environments
APT35’s decision to develop the NokNok malware for Mac platforms demonstrates their adaptability to non-Windows environments. By pivoting to the Apple-specific infection chain, APT35 expands its reach and increases the potential impact of its cyberattacks. This highlights the need for comprehensive cybersecurity measures across all operating systems and platforms.
Change in Infection Chain Tactics
The use of .RAR and .LNK files as part of APT35’s infection chain represents a departure from their typical approach involving VBA macros or remote template injection. This shift in tactics suggests that APT35 is continually evolving to bypass security measures and exploit new vulnerabilities. By leveraging file formats that are less likely to raise suspicion, APT35 can increase the likelihood of successful malware delivery.
Adaptation due to Microsoft Macro Disabling
The disabling of macros downloaded from the internet by Microsoft has forced threat actors like APT35 to adapt their tactics. The usage of LNK files for malware delivery is an example of this adaptation. By employing different methods, APT35 aims to bypass security protocols and remain covert in their operations. Organizations must remain vigilant and update their cybersecurity measures accordingly.
Attribution to APT35
Based on code similarities and campaign tactics, techniques, and procedures, cybersecurity firm Proofpoint attributes the Mac malware campaign to APT35 with “high confidence.” This attribution underscores the significance of APT35 as a persistent and advanced threat actor in the cybersecurity landscape. It also emphasizes the importance of accurate attribution for an effective response to such threats.
The emergence of APT35’s Mac malware, NokNok, serves as a reminder of the evolving cyber threat landscape and the need for continuous vigilance. By specifically targeting individuals within the civil society sector, APT35 highlights the importance of bolstered cybersecurity defenses for critical infrastructure and organizations. Understanding APT35’s tactics, such as their shift to non-Windows environments and diversification of malware delivery methods, enables proactive defense strategies and strengthens resilience against future cyber threats.