GorjolEcho

Malware updated 3 months ago (2024-08-20T12:17:41.171Z)

Download STIX

Preview STIX

GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving various cloud hosting providers, with the aim of deploying GorjolEcho, a PowerShell backdoor that establishes persistence in the victim's system by copying the initial stages of malware in a StartUp entry. Once installed, GorjolEcho displays a decoy PDF to the user while secretly exfiltrating information to the command-and-control (C&C) server. NokNok is seen as an evolution or port of GorjolEcho, designed to serve as an initial foothold for TA453 intrusions. Both GorjolEcho and NokNok are likely to support additional modules that enhance their capabilities. Interestingly, when TA453 encountered a non-Windows environment during an attempted GorjolEcho delivery, it switched to an Apple-specific infection chain using NokNok. This suggests that NokNok is essentially the Mac version of GorjolEcho. The campaign deploying these malwares appears to be highly targeted, with fewer than 10 individuals known to have received phishing emails from TA453 as of the time of reporting. In one instance, upon realizing that GorjolEcho wouldn't execute on macOS, TA453 postponed the attack to later deliver a ported version of the backdoor compatible with Apple hardware. This demonstrates the adaptability and persistence of the threat actors behind these malicious software.

Description last updated: 2024-08-20T12:16:29.727Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Noknok is a possible alias for GorjolEcho. NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions	3
Powerstar is a possible alias for GorjolEcho. Powerstar is a malicious software (malware) utilized by the Iranian state-sponsored threat operation, Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware has been deployed in spear-phishing attacks targeting US political and government entities sinc	2
CharmPower is a possible alias for GorjolEcho. CharmPower is a sophisticated malware, identified as an updated version of the Powerstar backdoor, that has been deployed by the Iranian hacking group known as Charming Kitten. The group used this malware in spear-phishing campaigns to target individuals affiliated with think tanks, universities, an	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Decoy

Proofpoint

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The TA453 Threat Actor is associated with GorjolEcho. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear	Unspecified	2

Source Document References

Information about the GorjolEcho Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Recorded Future	3 months ago	GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware
CERT-EU	a year ago	Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
DARKReading	a year ago	APT35 Develops Mac Bespoke Malware
CERT-EU	a year ago	Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week - TechCentral.ie
CERT-EU	a year ago	Iranian hacking group impersonating nuclear experts to gain intel from Western think tanks
Securityaffairs	a year ago	Iran-linked APT TA453 targets Windows and macOS systems
CERT-EU	a year ago	Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users