Threat intelligence analysts at ClearSky Cyber Security have published details of an Iranian social engineering campaign that uses fake LinkedIn identities and bogus job offers to trick targets into downloading malware. ClearSky tracks the campaign as "Iranian Dream Job"; in it the Iranian threat actor TA455 targets the aerospace industry with fake job offers.
See: https://redskyalliance.org/xindustry/iran-targeting-aerospace-through-fake-jobs
The campaign distributed the so-called 'SnailResin' malware, which activates the 'SlugResin' backdoor that enables data theft. ClearSky attributes both malware programs to TA455, a previously reported subgroup of Charming Kitten.
See: https://redskyalliance.org/xindustry/charming-kitten-is-a-bad-kitty
After the potential victim has been engaged, the attackers send spear-phishing emails whose malicious attachments are disguised as application documents, hidden among legitimate files in a ZIP archive and built to evade security scans. Once the attachment is executed, the malware checks the victim's IP address and retrieves C2 server information from compromised GitHub accounts. ClearSky says this method makes it much harder to detect and analyze the full scope of the attack.
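The lure described above is a ZIP of "application documents" with executable content hidden among real-looking files. The triage script below is an added example written for this article, not code from ClearSky or Red Sky Alliance; it builds a constructed sample archive (member names and contents are invented) and flags the patterns a mail gateway or analyst would want to catch: executable extensions, double extensions such as .pdf.exe, PE content under a document name, and an EXE placed next to a DLL (the layout DLL side-loading needs, offered as a general heuristic rather than a claim about this campaign).

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass

# Extensions that have no business in a job-application archive.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl",
                  ".lnk", ".js", ".vbs", ".hta", ".msi", ".bat"}
# Extensions an applicant would plausibly send.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Windows PE files (EXE and DLL alike) begin with the DOS "MZ" signature.
PE_MAGIC = b"MZ"


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def _name_parts(member: str) -> list[str]:
    """Lower-cased base name of an archive member, split on dots."""
    return posixpath.basename(member).lower().split(".")


def triage_zip(data: bytes) -> list[Finding]:
    """Flag archive members that do not belong in a bundle of application documents.

    Heuristics:
      1. any executable extension;
      2. a double extension such as "Job_Description.pdf.exe";
      3. PE content under a name that claims to be a document;
      4. an EXE and a DLL in the same directory (the layout DLL side-loading
         needs; a general heuristic, not a claim about this campaign).
    """
    findings: list[Finding] = []
    exe_dirs: set[str] = set()
    dll_dirs: set[str] = set()

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = _name_parts(name)
            ext = "." + parts[-1] if len(parts) > 1 else ""

            if ext in EXECUTABLE_EXT:
                findings.append(Finding(name, f"executable extension {ext}"))
                if ext == ".exe":
                    exe_dirs.add(posixpath.dirname(name))
                elif ext == ".dll":
                    dll_dirs.add(posixpath.dirname(name))

            if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
                findings.append(Finding(name, "double extension masquerading as a document"))

            # Check the content, not just the name: a PE renamed to .pdf still starts with MZ.
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC and ext not in EXECUTABLE_EXT:
                findings.append(Finding(name, "PE header under a non-executable name"))

    for directory in sorted(exe_dirs & dll_dirs):
        findings.append(Finding(directory or ".", "EXE and DLL side by side (side-loading layout)"))

    return findings


def build_sample_archive(include_loader: bool = True) -> bytes:
    """Constructed sample archive; member names and contents are invented here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Application/CV_Applicant.pdf", b"%PDF-1.4\n% placeholder resume\n")
        zf.writestr("Application/Cover_Letter.docx", b"PK\x03\x04 placeholder docx")
        if include_loader:
            # A PE renamed to look like a PDF, plus a DLL it could side-load.
            zf.writestr("Application/Job_Description.pdf.exe", PE_MAGIC + b"\x90" * 64)
            zf.writestr("Application/version.dll", PE_MAGIC + b"\x90" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print(f"{finding.member}: {finding.reason}")
```

The content check matters more than the extension checks: an attacker controls the file name, but a Windows loader still has to start with the MZ signature to run. Nested archives and password-protected ZIPs (a common way to defeat gateway scanning) are not handled here and would need a recursive pass with the password harvested from the email body.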
ClearSky also identified a series of techniques TA455 uses to evade detection, such as impersonating other threat actors, for example the North Korean Lazarus Group, which is itself known for fake-job lures. The campaign uses legitimate services such as Cloudflare, GitHub, and Microsoft Azure to conceal its infrastructure and C2 communications, and it relies on advanced techniques and custom code to bypass security tools.
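Because the C2 lookup goes to GitHub and the infrastructure sits behind Cloudflare and Azure, blocking by destination is not an option for most organizations; the useful signal is which process makes the connection and where it runs from. The hunting logic below is an added example for this article, not ClearSky's or Red Sky Alliance's detection content. It runs over constructed, Sysmon-style network-connection events (invented for the example) and flags GitHub or Azure traffic from a process that is not a developer tool or browser, or that runs from a user-writable directory such as Downloads. The host lists, process allowlist and path list are assumptions to tune per environment.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Legitimate services the report names as hosting the campaign's infrastructure.
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "api.github.com",
                "objects.githubusercontent.com", "gist.githubusercontent.com"}
CLOUD_SUFFIXES = (".azurewebsites.net", ".blob.core.windows.net",
                  ".workers.dev", ".pages.dev")
# Processes for which GitHub or Azure traffic is routine on a developer workstation (assumed allowlist).
EXPECTED_IMAGES = {"git.exe", "code.exe", "devenv.exe", "python.exe",
                   "chrome.exe", "msedge.exe", "firefox.exe"}
# Locations a freshly unpacked job-offer archive would be run from.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")


@dataclass(frozen=True)
class Hit:
    image: str
    dest_host: str
    reason: str


def assess(event: dict) -> Optional[Hit]:
    """Return a Hit when a dead-drop-capable service is reached by an odd process."""
    host = event["dest_host"].lower()
    image = event["image"]
    exe = image.lower().rsplit("\\", 1)[-1]
    if host not in CODE_HOSTING and not host.endswith(CLOUD_SUFFIXES):
        return None
    reasons = []
    if exe not in EXPECTED_IMAGES:
        reasons.append(f"unexpected process {exe}")
    if any(d in image.lower() for d in USER_WRITABLE):
        reasons.append("image runs from a user-writable path")
    if not reasons:
        return None
    return Hit(image, event["dest_host"], "; ".join(reasons))


def hunt(lines) -> list[Hit]:
    """Run assess() over JSON network-connection events, one per line."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = assess(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample events (Sysmon-style fields, invented for this example).
SAMPLE_EVENTS = r"""
{"image": "C:\\Program Files\\Git\\cmd\\git.exe", "dest_host": "github.com", "dest_port": 443}
{"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "raw.githubusercontent.com", "dest_port": 443}
{"image": "C:\\Windows\\System32\\svchost.exe", "dest_host": "settings-win.data.microsoft.com", "dest_port": 443}
{"image": "C:\\Users\\alice\\Downloads\\Application\\Job_Description.pdf.exe", "dest_host": "raw.githubusercontent.com", "dest_port": 443}
{"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "dest_host": "example-app.azurewebsites.net", "dest_port": 443}
""".strip().splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.image} -> {hit.dest_host}: {hit.reason}")
```

Treat this as a hunting query rather than a blocking rule: an allowlist keyed on the image name is trivially defeated by renaming the loader to chrome.exe, so in production the process check should be backed by signer or hash, and the path heuristic should be combined with the parent process (an archive utility or Explorer spawning the connecting process is the shape of the lure described above).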
The Iranian Dream Job campaign is assessed to have been active since at least September 2023, when an Iranian group was observed targeting the aerospace, aviation, and defense industries in Middle Eastern countries, including Israel.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings:
https://register.gotowebinar.com/register/5378972949933166424