Iranian Threat Actors Emulate North Korean Job Scam Tactics

Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Social Engineering

Tehran Lures Aerospace Sector with Malicious Job Offers


In a disturbing development, Iranian state-sponsored hackers are reportedly adopting tactics used by their North Korean counterparts to infiltrate the aerospace industry via malicious job offers. Cybersecurity firm ClearSky has identified a campaign out of Tehran designed specifically to target professionals within this sector.


Known threat actor groups including TA455, APT35, and Charming Kitten have been linked to the distribution of malware dubbed SnailResin through deceptive job postings. This campaign employs fake recruiters on LinkedIn and sets up malicious domains, such as careers2find.colm, to entice potential victims.

The sophistication of these fake recruiter profiles is noteworthy. Created to appear credible and professional, many include connections to fictitious companies, heightening the likelihood that targets will engage with them.

ClearSky’s findings suggest a close mirroring of North Korean cyber tactics, which may imply that there has been an exchange of methods and tools between these state actors. North Korean hackers are infamous for employing social engineering schemes, notably “Operation Dream Job,” where they pose as recruiters to lure victims into executing harmful payloads disguised as job descriptions or assessments (see: North Korean Hackers Find Value in LinkedIn).

The Iranian campaign predominantly targets aerospace professionals, sending links or attachments that appear to be legitimate job offers. SnailResin has drawn attention because it was initially attributed to North Korean threat groups such as Kimsuky and Lazarus, which caused confusion about its actual origin. TA455 uses Cloudflare services to mask command-and-control domains, complicating efforts to trace the infrastructure behind these operations. Furthermore, by encoding command-and-control data on platforms like GitHub, the group makes its traffic blend in with legitimate web activity, aiding its infiltration efforts.

The malware itself is typically embedded in ZIP files labeled as job-related documents, benefiting from a low detection rate by antivirus software. The reliance on trust-based platforms such as LinkedIn allows TA455 to sidestep conventional security measures that could flag suspicious emails or domains.
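Because the lure relies on a ZIP archive whose name suggests a job document while its contents are executable, a defender can triage such attachments structurally rather than relying on antivirus signatures. The following is an added example, not ClearSky's tooling or any artefact from the campaign; the archive members and the extension lists are constructed assumptions for illustration.

```python
import io
import zipfile
from typing import Dict, List

# Extensions that have no business inside an archive presented as a job offer (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".lnk", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".msi", ".iso"}
# Extensions a recruiter would plausibly send (assumed list), used to spot double extensions.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".rtf"}


def triage_job_archive(zip_bytes: bytes) -> List[str]:
    """Inspect a ZIP attachment and return one finding per suspicious member (empty list = nothing seen)."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable member: {name}")
            # Double extension such as Job_Description.pdf.exe, a classic lure pattern.
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
                findings.append(f"double extension: {name}")
            # A Windows PE ("MZ") header hiding behind a document extension is a red flag on its own.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append(f"PE header with non-executable extension: {name}")
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> bytes mapping (used only to construct test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed lure: a double-extension executable, a PE disguised as a .docx, and a harmless note.
CONSTRUCTED_LURE = build_sample_zip({
    "Aerospace_Engineer_Job_Description.pdf.exe": b"MZ" + b"\x00" * 64,
    "Salary_Details.docx": b"MZ" + b"\x00" * 64,
    "readme.txt": b"Please review the attached offer.",
})
# Constructed benign archive containing only a PDF.
BENIGN_ARCHIVE = build_sample_zip({"offer.pdf": b"%PDF-1.4 constructed sample"})
```

Run `triage_job_archive` over quarantined attachments whose filenames mention jobs, offers or assessments; any finding is grounds to hold the message for analyst review.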
