Beware: that dream job offer could be malware sent by Iranian hackers
- Iranian state-sponsored actors target space professionals with fake jobs
- The goal is to install backdoors and exfiltrate important data
- The style mimics that of Lazarus, a well-known North Korean actor
Iranian state-sponsored hackers have been observed targeting victims in the aerospace industry with fake job offers, resulting in the deployment of the SnailResin malware, as part of their cyber espionage campaign.
Cybersecurity researchers at ClearSky revealed how the threat actor known as TA455 created fake recruitment sites and fake profiles on social media sites like LinkedIn. Then they approached their targets and had them download files as part of the onboarding process.
Among the files was SnailResin, a piece of malware that acts as a loader for the SlugResin backdoor and is capable of data exfiltration, command-and-control (C2) communications, and persistence on victim systems.
Iranians? Or North Koreans? Or both?
The campaign, dubbed “Dream Job,” has been active since at least September 2023, ClearSky noted.
TA455 is a well-known cyber espionage group affiliated with Iran’s Islamic Revolutionary Guards Corps (IRGC), and shares similarities with other groups such as APT35 and TA453. In addition to the aerospace industry, TA455 has also been seen targeting defense and government agencies in the Middle East, Europe and the US. Its purpose is largely cyber espionage, collecting sensitive information for geopolitical intelligence purposes.
What makes this campaign particularly interesting is the fact that it mimics the style of Lazarus, a North Korean state-sponsored group. Fake job attacks are basically synonymous with Lazarus at this point, as they have been used in some of the most destructive campaigns against companies in the crypto industry. At this time, ClearSky does not know if TA455 is impersonating Lazarus, trying to hide behind the group, or working with them.
“The similar ‘Dream Job’ decoys, attack techniques and malware files suggest that Charming Kitten masqueraded as Lazarus to conceal its activities, or that North Korea shared attack methods and tools with Iran,” they said.
In any case, be careful when you get new job offers, especially if they sound too good to be true.