Noknok

Malware updated 4 months ago (2024-05-05T01:18:06.611Z)
NokNok is malware developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions to build trust with the target before sending a malicious link that redirected them to a Dropbox URL. This link led to a password-protected .RAR file containing a harmful LNK file, which in turn downloaded NokNok onto the target's system.

The malware is designed to infect macOS systems and is believed to be the Mac counterpart of malware such as PowerStar/GorjolEcho. NokNok contains four modules that gather data from the infected machine, including credentials, running processes, logs, system information, network information, and software information. After collecting this data, it encrypts it and sends it to the command and control (C&C) server.

Proofpoint, a cybersecurity company, has observed code similarities between NokNok and other malware attributed to the same group, such as GorjolEcho, GhostEcho, CharmPower, and MacDownloader, and attributes the attack to the Iranian group with high confidence on that basis. Proofpoint suggests that both GorjolEcho and NokNok likely support additional modules that extend their functionality. The use of NokNok represents a significant evolution in APT35's tactics, demonstrating the group's ability to adapt its approach to the operating system of its targets. The malware is intended to serve as an initial foothold on the victim's system, enabling further exploitation and data exfiltration.
Description last updated: 2024-05-05T01:12:00.085Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
GorjolEcho | 3 | GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving
CharmPower | 2 | CharmPower, also known as POWERSTAR or GhostEcho, is a malicious software developed by the Iranian hacking group known as Charming Kitten. This PowerShell-based modular backdoor malware has recently been updated and distributed through spear-phishing campaigns, as discovered by Volexity. The malware
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Espionage
Malware
Proofpoint
macOS
Associated Threat Actors
ID | Type | Votes | Profile Description
TA453 | Unspecified | 2 | TA453, also known as Charming Kitten, APT35, APT42, Ballistic Bobcat, Phosphorus, and Ajax Security Team, is a threat actor linked to the Iranian government. This group has been implicated in numerous cyber espionage activities targeting various entities globally. In one notable incident, researcher
Charming Kitten | Unspecified | 2 | Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iranian threat actor group that has been linked to various cyber attacks. It has targeted entities in Brazil, Israel, and the United Arab Emirates using a new backdoor, as revealed by securit
Source Document References
Information about the Noknok malware was read from the documents corpus below.
Source | Created At | Title
DARKReading | 7 months ago | Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets
CERT-EU | 7 months ago | Novel backdoor used in Charming Kitten attacks
CERT-EU | 8 months ago | Microsoft: Iranian hackers target researchers with new MediaPl malware
CERT-EU | a year ago | Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
DARKReading | a year ago | APT35 Develops Mac Bespoke Malware
CERT-EU | a year ago | Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week - TechCentral.ie
CERT-EU | a year ago | Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
Securityaffairs | a year ago | Iran-linked APT TA453 targets Windows and macOS systems