GorjolEcho

Malware updated 23 days ago (2024-11-29T14:01:03.122Z)
GorjolEcho is a sophisticated malware family identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously documented malware such as GhostEcho, CharmPower, and MacDownloader. It is delivered through a new infection chain that abuses several cloud hosting providers and ends in the deployment of GorjolEcho, a PowerShell backdoor that establishes persistence on the victim's system by copying the initial stages of the malware into a StartUp entry. Once installed, GorjolEcho displays a decoy PDF to the user while quietly exfiltrating information to the command-and-control (C&C) server. NokNok is assessed to be an evolution or port of GorjolEcho, designed to serve as an initial foothold for TA453 intrusions. Both GorjolEcho and NokNok are likely to support additional modules that extend their capabilities. Notably, when TA453 encountered a non-Windows environment during an attempted GorjolEcho delivery, it switched to an Apple-specific infection chain using NokNok, which suggests that NokNok is essentially the macOS counterpart of GorjolEcho. The campaign deploying this malware appears to be highly targeted: fewer than 10 individuals were known to have received phishing emails from TA453 at the time of reporting. In one instance, after realizing that GorjolEcho would not execute on macOS, TA453 paused the attack and later delivered a ported version of the backdoor compatible with Apple hardware, demonstrating the adaptability and persistence of the operators behind this malware.
Description last updated: 2024-08-20T12:16:29.727Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant. Each entry lists the alias, its description, and the number of votes it has received.
NokNok (3 votes): NokNok is a possible alias for GorjolEcho. NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions
Powerstar (2 votes): Powerstar is a possible alias for GorjolEcho. Powerstar is a malicious software (malware) utilized by the Iranian state-sponsored threat operation, Charming Kitten, also known as APT35, Mint Sandstorm, Cobalt Illusion, and Yellow Garuda. This malware has been deployed in spear-phishing attacks targeting US political and government entities sinc
CharmPower (2 votes): CharmPower is a possible alias for GorjolEcho. CharmPower is a sophisticated malware, identified as an updated version of the Powerstar backdoor, that has been deployed by the Iranian hacking group known as Charming Kitten. The group used this malware in spear-phishing campaigns to target individuals affiliated with think tanks, universities, an
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Decoy
Proofpoint
Backdoor
Associated Threat Actors
Each entry lists the threat actor, its description, the association type, and the number of votes it has received.
TA453 (association type: Unspecified; 2 votes): The TA453 Threat Actor is associated with GorjolEcho. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear
Source Document References
Information about the GorjolEcho malware was read from the documents corpus below.