We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Charming Kitten Hackers Target Mac Users With New Malware

Charming Kitten Hackers Target Mac Users With New Malware
Author Image Zane Kennedy
Zane Kennedy Published on 12th July 2023 Cybersecurity Researcher

Cybersecurity researchers have uncovered a new Charming Kitten campaign utilizing a newly identified malware named NokNok. The campaign, which commenced in May, demonstrates the group's adaptation to different infection chains and their growing focus on targeting macOS systems.

Charming Kitten (also known as APT42 or Phosphorus), a threat group linked to Iran, has been involved in over 30 operations across 14 countries since 2015, according to Mandiant. The group has gained popularity for its persistent attacks on diplomats, government officials, and foreign policy experts.

According to a report published on July 6 by Proofpoint, Charming Kitten has changed their tactics in their latest campaign by moving away from using harmful Microsoft Word documents with macros. Instead, they are now using LNK files as the infection method. These LNK files act as carriers for the malware payloads, marking a departure from their usual techniques.

The group begins their attacks by pretending to be nuclear experts and focusing on individuals who show a strong interest in Middle Eastern affairs and nuclear security. They employ carefully crafted phishing emails to engage their targets, often assuming multiple personas to make their conversations seem more credible.

Charming Kitten targets Windows-based systems by sending a malicious link leading to a Google Script macro. This redirects victims to a Dropbox URL hosting a password-protected RAR archive containing a dropper with PowerShell code and an LNK file. These components work together to stage the malware from a cloud hosting provider. The final payload, GorjolEcho backdoor, allows remote command execution. To avoid detection, GorjolEcho opens a decoy PDF document relevant to prior conversations, reducing suspicion.

Upon realizing that their initial malware could not run on macOS, Charming Kitten adapted their strategy. They targeted macOS users by sending a link to a fake RUSI (Royal United Services Institute) VPN app hosted on "library-store.camdvr.org." This ZIP archive contains a customized Mac application disguised as a VPN client. Upon execution, the app invokes a bash script called NokNok, establishing a backdoor on the victim's system.

NokNok, featuring four discrete modules, collects system information such as the OS version, running processes, installed applications, and network details. This information is then encrypted, base64 encoded, and exfiltrated to the threat actor's command and control (C2) server.

Charming Kitten's ability to adapt its infection chains using various cloud hosting providers demonstrates its persistence and determination to carry out cyber espionage operations. The group's continuous evolution underscores the importance of a strong defense and collaborative efforts within the cybersecurity community to thwart even the most advanced adversaries.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.