Noknok

Malware Profile Updated 3 months ago
NokNok is malware developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers first exchanged several benign emails with the target to build trust, then sent a malicious link that redirected the target to a Dropbox URL. That link led to a password-protected .RAR file containing a malicious LNK file, which in turn downloaded NokNok onto the target's system.

The malware is designed to infect macOS systems and is believed to be the Mac counterpart of other APT35 malware such as PowerStar/GorjolEcho. NokNok contains four modules that gather various types of data from the infected machine, including credentials, running processes, logs, system information, network information, and installed-software information. After collecting this data, it encrypts it and sends it back to the command and control (C&C) server.

Proofpoint, a cybersecurity company, has observed code similarities between NokNok and other malware attributed to the same group, such as GorjolEcho, GhostEcho, CharmPower, and MacDownloader, and on that basis attributes the attack to the Iranian group with high confidence. Proofpoint also suggests that both GorjolEcho and NokNok likely support additional modules that expand their functionality. The use of NokNok represents a significant evolution in the tactics of APT35, demonstrating the group's ability to adapt its tooling to the operating system of its targets. The malware is intended to serve as an initial foothold on the victim's system, enabling further exploitation and data exfiltration.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
GorjolEcho
3
GorjolEcho is a malicious software, or malware, linked to the Iranian group TA453 and identified by Proofpoint researchers. This sophisticated backdoor malware is designed to infiltrate computer systems, establish persistence, and exfiltrate information to command-and-control servers. The stealthy n
CharmPower
2
CharmPower, also known as POWERSTAR or GhostEcho, is a PowerShell-based modular backdoor malware attributed to the Iranian hacking group Charming Kitten. This malicious software is designed to infiltrate computer systems, establish persistence, gather information, and execute commands. It was recent
Macdownloader
1
MacDownloader is a malicious software (malware) believed to have been created by Iranian hackers, specifically targeting the US defense industry. The malware was first observed in an active stage linked from a website impersonating the aerospace firm "United Technologies Corporation," a site thought
PowerLess
1
Powerless is a malware that was deployed by Ballistic Bobcat in September 2021, as they were concluding the campaign documented in CISA Alert AA21-321A and the PowerLess campaign. The malware was introduced through a new backdoor, exploiting gaps left by traditional security measures which are often
Basicstar
1
Basicstar is a malicious software designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. It is capable of stealing personal information, disrupting operations, or holding data hostage for ransom. There are d
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Espionage
Macos
Proofpoint
Payload
State Sponso...
Windows
Iran
Encrypt
Phishing
Exploit
Vpn
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Charming Kitten | Unspecified
2
Charming Kitten, an Iranian Advanced Persistent Threat (APT) group, also known as ITG18, Phosphorous, and TA453, is a significant cybersecurity threat. This threat actor has been associated with numerous malicious activities, exhibiting advanced and sophisticated social-engineering efforts. The grou
TA453 | Unspecified
2
TA453, also known as Charming Kitten, APT35, Phosphorus, and Ballistic Bobcat, is a threat actor attributed to the Iranian government. This group has been involved in numerous cyber espionage campaigns against various entities worldwide, with notable incidents involving an attack on a close affiliat
APT35 | Unspecified
1
APT35, also known as the Newscaster Team, Charming Kitten, and Mint Sandstorm, is an Iranian government-sponsored cyber espionage group. The group focuses on long-term, resource-intensive operations to collect strategic intelligence. They primarily target sectors in the U.S., Western Europe, and the
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Powerstar/gorjolecho | Unspecified
1
None
Ghostecho Charmpower | Unspecified
1
None
Source Document References
Information about the Noknok malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
DARKReading
5 months ago
Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets
CERT-EU
5 months ago
Novel backdoor used in Charming Kitten attacks
CERT-EU
6 months ago
Microsoft: Iranian hackers target researchers with new MediaPl malware
CERT-EU
a year ago
Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
DARKReading
a year ago
APT35 Develops Mac Bespoke Malware
CERT-EU
a year ago
Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week - TechCentral.ie
CERT-EU
a year ago
Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
Securityaffairs
a year ago
Iran-linked APT TA453 targets Windows and macOS systems