Noknok

Malware updated 6 months ago (2024-05-05T01:18:06.611Z)

Download STIX

Preview STIX

NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions to build trust with the target before sending a malicious link that redirected them to a Dropbox URL. This link led to a password-protected .RAR file containing a harmful LNK file, which subsequently downloaded NokNok onto the target's system. The malware is designed to infect macOS systems and is believed to be the Mac version of other malware such as PowerStar/GorjolEcho. NokNok contains four modules that can gather various types of data from the infected machine, including credentials, running processes, logs, system information, network information, and software information. After collecting this data, it encrypts it and sends it back to the command and control (C&C) server. Proofpoint, a cybersecurity company, has observed similarities in the code between NokNok and other malware attributed to the same group, such as GorjolEcho, GhostEcho, CharmPower, and MacDownloader. Proofpoint attributes the attack to the Iranian group with high confidence due to these code similarities. They suggest that both GorjolEcho and NokNok likely support additional modules that expand their functionality. The use of NokNok represents a significant evolution in the tactics of APT35, demonstrating their ability to adapt their approach based on the operating system of their targets. The malware is intended to serve as an initial foothold within the victim’s system, allowing for further exploitation and data exfiltration.

Description last updated: 2024-05-05T01:12:00.085Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
GorjolEcho is a possible alias for Noknok. GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving	3
CharmPower is a possible alias for Noknok. CharmPower is a sophisticated malware, identified as an updated version of the Powerstar backdoor, that has been deployed by the Iranian hacking group known as Charming Kitten. The group used this malware in spear-phishing campaigns to target individuals affiliated with think tanks, universities, an	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Espionage

Malware

Proofpoint

Macos

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The TA453 Threat Actor is associated with Noknok. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear	Unspecified	2
The Charming Kitten Threat Actor is associated with Noknok. Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is a threat actor linked to Iran that has been involved in various cyberattacks targeting entities in Brazil, Israel, and the U.A.E. using a new backdoor. This group has been implicated in sophisti	Unspecified	2

Source Document References

Information about the Noknok Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	8 months ago	Iran-Backed Charming Kitten Stages Fake Webinar Platform to Ensnare Targets
CERT-EU	8 months ago	Novel backdoor used in Charming Kitten attacks
CERT-EU	9 months ago	Microsoft: Iranian hackers target researchers with new MediaPl malware
CERT-EU	a year ago	Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
DARKReading	a year ago	APT35 Develops Mac Bespoke Malware
CERT-EU	a year ago	Iranian hackers targeted nuclear expert, ported Windows infection chain to Mac in a week - TechCentral.ie
CERT-EU	a year ago	Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users
Securityaffairs	a year ago	Iran-linked APT TA453 targets Windows and macOS systems