Iranian "Dream Job" Campaign 11.24
ClearSky Cyber Security research identified a campaign named "Iranian Dream Job campaign", in which the Iranian threat actor TA455 targeted the aerospace industry by offering fake jobs.
The campaign distributed the SnailResin malware, which activates the SlugResin backdoor. ClearSky attributes both malware programs to a subgroup of Charming Kitten.
However, some cyber research companies detected the malware files as belonging to the North Korean Kimsuky/Lazarus APT group.
The similar "Dream Job" lure, attack techniques, and malware files suggest that either Charming Kitten was impersonating Lazarus to hide its activities, or that North Korea shared attack methods and tools with Iran.
The Iranian "Dream Job" campaign has been active since at least September 2023. Mandiant had previously reported on suspected Iranian espionage activity targeting aerospace, aviation, and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE), as well as Turkey, India, and Albania.
The LinkedIn profiles of the fake recruiters in our report seem to be newer versions of the profiles Mandiant previously reported. For example, ClearSky discovered a profile associated with a fake company called "Careers 2 Find," which previously worked for "1st Employer," a fake recruiting website highlighted by Mandiant.
How the Campaign Works
TA455 uses fake recruiting websites and LinkedIn profiles to distribute a ZIP file containing malicious files. The ZIP file, which includes legitimate files, is downloaded from a domain impersonating a job recruiting website. Victims are given a detailed PDF guide on how to "safely" access the website in order to prevent them from making "mistakes" that might "prevent infection". Once the ZIP file is downloaded, the victim clicks on a highlighted EXE file. The EXE loads the malicious DLL file "secur32[.]dll" via DLL side loading. The malware checks the victim's IP address and downloads information from a GitHub account that contains the C&C server domain address.
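The archive layout described above (an EXE shipped next to a DLL that carries a Windows system DLL name, secur32.dll, so the EXE side-loads it) is something a mail or download gateway can check for before a user ever opens the file. The following is an added example written for this summary, not code from ClearSky or from the campaign; the sample archives, file names and their contents are constructed placeholders, and the DLL name list holds only the name the report gives.

```python
"""Flag ZIP archives that pair an executable with a system-named DLL in the same folder."""
import io
import zipfile
from pathlib import PurePosixPath

# Only secur32.dll is named in the report; add other Windows system DLL names that
# a legitimate job-application archive would never ship if your environment warrants it.
SIDELOAD_DLLS = {"secur32.dll"}


def find_sideload_pairs(zip_bytes, dll_names=SIDELOAD_DLLS):
    """Return (exe_path, dll_path) pairs that sit in the same archive directory.

    The hit is the layout itself: a system DLL travelling beside an EXE inside a
    downloaded archive is the side-loading primitive the report describes, so this
    works on the archive listing alone and never executes or extracts anything.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    exes, dlls = {}, {}
    for n in names:
        p = PurePosixPath(n)
        if p.suffix.lower() == ".exe":
            exes.setdefault(str(p.parent), []).append(n)
        elif p.name.lower() in dll_names:
            dlls.setdefault(str(p.parent), []).append(n)
    return [(exe, dll)
            for folder, dll_list in dlls.items()
            for exe in exes.get(folder, [])
            for dll in dll_list]


def build_zip(entries):
    """Build an in-memory ZIP from {path: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample mimicking the described lure: a PDF guide, a highlighted EXE
# and secur32.dll beside it (placeholder bytes, not real campaign artifacts).
SAMPLE_LURE = build_zip({
    "JobOffer/Guide.pdf": b"%PDF-1.4 placeholder",
    "JobOffer/CareerPortal.exe": b"MZ placeholder",
    "JobOffer/secur32.dll": b"MZ placeholder",
    "JobOffer/docs/readme.txt": b"benign filler",
})
# Constructed benign archive: an EXE with no system-named DLL beside it.
SAMPLE_CLEAN = build_zip({"resume/cv.pdf": b"%PDF-1.4", "resume/setup.exe": b"MZ"})

if __name__ == "__main__":
    for exe, dll in find_sideload_pairs(SAMPLE_LURE):
        print(f"possible DLL side-loading pair: {exe} + {dll}")
```

A positive hit is a triage signal for the archive, not proof of infection; the report's later stages (the IP check and the GitHub lookup for the C&C domain) are better caught in proxy logs.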
For the full version of our report: