Iranian hackers have been observed targeting the aerospace industry with fake job offers aimed at infecting victims with malware, according to a new report from cybersecurity firm ClearSky.
The attacks, attributed to TA455, also known as Smoke Sandstorm and Bohrium and believed to be a subgroup of the Iran-linked APT actor Charming Kitten (APT35), resemble the ‘dream job’ campaigns previously attributed to the North Korean APT Lazarus.
Based on the observed similarities, ClearSky believes that Charming Kitten is either impersonating Lazarus to cover its tracks, or has access to Lazarus’ attack methods and tools. Several antivirus engines have detected some of the malware as belonging to Kimsuky/Lazarus rather than Charming Kitten.
The Iranian dream job campaign has been active since September 2023, luring potential victims with fake job offers that lead to SnailResin malware infections.
“Our investigation revealed that the malware is downloaded from a domain that impersonates a job recruiting website (recurring theme for the adversary), through which the recruiter’s LinkedIn profile is revealed. The adversary appears to be using the same profile as in previous attacks,” ClearSky says.
LinkedIn profiles used in these attacks are updated iterations of profiles that Mandiant flagged in February 2024 as being used in a cyberespionage campaign against the aerospace, aviation, and defense industries in the Middle East.
As part of the dream job campaign, TA455 has been abusing legitimate services such as Cloudflare, GitHub and Microsoft Azure to hide its command-and-control (C&C) infrastructure, and has been relying on a multi-stage infection process to minimize detection.
The threat actor has been sending spear-phishing emails with ZIP attachments containing fake job-related documents and legitimate files, designed to bypass security scans. Once the victim opens the malicious documents, however, a system fingerprinting action is triggered.
Furthermore, the use of LinkedIn profiles for recruitment lends a sense of trust to the intended victims, while constantly updated infrastructure and tools, along with the use of custom malware, make detection difficult.
“The Iranian ‘Dream Job’ campaign has been active since at least September 2023, indicating a persistent effort by TA455. The constant changes in infrastructure and malware demonstrate their adaptability and commitment to staying ahead of security measures,” ClearSky notes.