GorjolEcho

Malware updated 18 days ago (2024-08-20T12:17:41.171Z)
GorjolEcho is a sophisticated malware identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously documented malware such as GhostEcho, CharmPower, and MacDownloader. It is delivered via a new infection chain that involves various cloud hosting providers and ends with the deployment of GorjolEcho, a PowerShell backdoor that establishes persistence on the victim's system by copying the initial stages of the malware to a StartUp entry. Once installed, GorjolEcho displays a decoy PDF to the user while covertly exfiltrating information to its command-and-control (C&C) server. NokNok is regarded as an evolution or port of GorjolEcho, designed to serve as an initial foothold for TA453 intrusions. Both GorjolEcho and NokNok are likely to support additional modules that extend their capabilities. Notably, when TA453 encountered a non-Windows environment during an attempted GorjolEcho delivery, it switched to an Apple-specific infection chain using NokNok, which suggests that NokNok is essentially the Mac version of GorjolEcho. The campaign deploying these malware families appears to be highly targeted: fewer than 10 individuals were known to have received phishing emails from TA453 at the time of reporting. In one instance, upon realizing that GorjolEcho would not execute on macOS, TA453 postponed the attack and later delivered a ported version of the backdoor compatible with Apple hardware, demonstrating the adaptability and persistence of the threat actors behind this malware.
Description last updated: 2024-08-20T12:16:29.727Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so below are some possibly overlapping names and profiles that may also be worth reviewing.
ID | Votes | Profile Description
Noknok | 3 | NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions
Powerstar | 2 | Powerstar is a malicious software (malware) utilized by the Iranian state-sponsored threat operation, Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware has been deployed in spear-phishing attacks targeting US political and government entities sinc
CharmPower | 2 | CharmPower, also known as POWERSTAR or GhostEcho, is a malicious software developed by the Iranian hacking group known as Charming Kitten. This PowerShell-based modular backdoor malware has recently been updated and distributed through spear-phishing campaigns, as discovered by Volexity. The malware
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Decoy
Proofpoint
Backdoor
Associated Threat Actors
ID | Type | Votes | Profile Description
TA453 | Unspecified | 2 | TA453, also known as Charming Kitten, APT35, APT42, Ballistic Bobcat, Phosphorus, and Ajax Security Team, is a threat actor linked to the Iranian government. This group has been implicated in numerous cyber espionage activities targeting various entities globally. In one notable incident, researcher
Source Document References
Information about the GorjolEcho malware was read from the document corpus listed below. This display is limited to 20 results.
Source | Created | Title
Recorded Future | 18 days ago | GreenCharlie Infrastructure Targeting US Political Entities with Advanced Phishing and Malware
CERT-EU | a year ago | Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
DARKReading | a year ago | APT35 Develops Mac Bespoke Malware
CERT-EU | a year ago | Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week - TechCentral.ie
CERT-EU | a year ago | Iranian hacking group impersonating nuclear experts to gain intel from Western think tanks
Securityaffairs | a year ago | Iran-linked APT TA453 targets Windows and macOS systems
CERT-EU | a year ago | Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users