Noknok

Malware updated 7 months ago (2024-05-05T01:18:06.611Z)
NokNok is a malicious software (malware) developed by the Iranian hacking group APT35, also known as Charming Kitten. It was discovered after the group targeted a US-based nuclear security expert with a sophisticated phishing attack. The attackers initiated several non-threatening email interactions to build trust with the target before sending a malicious link that redirected them to a Dropbox URL. This link led to a password-protected .RAR file containing a harmful LNK file, which subsequently downloaded NokNok onto the target's system.

The malware is designed to infect macOS systems and is believed to be the Mac version of other malware such as PowerStar/GorjolEcho. NokNok contains four modules that can gather various types of data from the infected machine, including credentials, running processes, logs, system information, network information, and software information. After collecting this data, it encrypts it and sends it back to the command and control (C&C) server.

Proofpoint, a cybersecurity company, has observed similarities in the code between NokNok and other malware attributed to the same group, such as GorjolEcho, GhostEcho, CharmPower, and MacDownloader. Proofpoint attributes the attack to the Iranian group with high confidence due to these code similarities. They suggest that both GorjolEcho and NokNok likely support additional modules that expand their functionality.

The use of NokNok represents a significant evolution in the tactics of APT35, demonstrating their ability to adapt their approach based on the operating system of their targets. The malware is intended to serve as an initial foothold within the victim’s system, allowing for further exploitation and data exfiltration.
Description last updated: 2024-05-05T01:12:00.085Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
Alias Description | Votes
GorjolEcho is a possible alias for Noknok. GorjolEcho is a sophisticated malware, identified by Proofpoint and attributed with high confidence to the Iranian group TA453, based on code similarities with previously recognized malware such as GhostEcho, CharmPower, and MacDownloader. The malware is delivered via a new infection chain involving | 3
CharmPower is a possible alias for Noknok. CharmPower is a sophisticated malware, identified as an updated version of the Powerstar backdoor, that has been deployed by the Iranian hacking group known as Charming Kitten. The group used this malware in spear-phishing campaigns to target individuals affiliated with think tanks, universities, an | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Espionage
Malware
Proofpoint
macOS
Associated Threat Actors
Alias Description | Association Type | Votes
The TA453 Threat Actor is associated with Noknok. TA453, also known as Charming Kitten, APT35, Phosphorus, Newscaster, and Ajax Security Team, is a threat actor group suspected to be linked with the Iranian government. Researchers from Proofpoint have attributed cyberattacks on affiliates of former National Security Adviser John Bolton and nuclear | Unspecified | 2
The Charming Kitten Threat Actor is associated with Noknok. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect | Unspecified | 2
Source Document References
Information about the Noknok Malware was read from the documents corpus below.