
Iranian Hackers Target Aerospace Industry in ‘Dream Job’ Campaign

Iran-linked Charming Kitten hackers have been running a ‘dream job’ campaign targeting the aerospace industry with the SnailResin malware.


Iranian hackers have been observed targeting the aerospace industry with fake job offers designed to infect victims with malware, a new report from cybersecurity firm ClearSky shows.

The attacks, attributed to TA455, also known as Smoke Sandstorm and Bohrium and believed to be a subgroup of the Iran-linked APT actor Charming Kitten (APT35), resemble the ‘dream job’ campaigns previously attributed to the North Korean APT Lazarus.

Based on the observed similarities, ClearSky believes that Charming Kitten is either impersonating Lazarus to cover its tracks, or has access to Lazarus’ attack methods and tools. Several antivirus engines have detected some of the malware as belonging to Kimsuky/Lazarus rather than Charming Kitten.

The Iranian dream job campaign (detailed in a ClearSky PDF report) has been active since September 2023, luring potential victims with fake job offers that lead to SnailResin malware infections.

“Our investigation revealed that the malware is downloaded from a domain that impersonates a job recruiting website (recurring theme for the adversary), through which the recruiter’s LinkedIn profile is revealed. The adversary appears to be using the same profile as in previous attacks,” ClearSky says.

LinkedIn profiles used in these attacks are updated iterations of profiles that Mandiant flagged in February 2024 as being used in a cyberespionage campaign against the aerospace, aviation, and defense industries in the Middle East.

As part of the dream job campaign, TA455 has been abusing legitimate services such as Cloudflare, GitHub and Microsoft Azure to hide its command-and-control (C&C) infrastructure, and has been relying on a multi-stage infection process to minimize detection.

The threat actor has been sending spear-phishing emails with ZIP attachments that mix fake job-related documents with legitimate files, a combination designed to bypass security scans. Once the victim opens the malicious documents, a system fingerprinting action is triggered.


Furthermore, the use of LinkedIn profiles for recruitment gives the intended victims a sense of trust, while constantly updated infrastructure and tools, along with custom malware, make detection difficult.

“The Iranian ‘Dream Job’ campaign has been active since at least September 2023, indicating a persistent effort by TA455. The constant changes in infrastructure and malware demonstrate their adaptability and commitment to staying ahead of security measures,” ClearSky notes.

Related: US, Israel Describe Iranian Hackers’ Targeting of Olympics, Surveillance Cameras

Related: Iranian Hackers Use Brute Force in Critical Infrastructure Attacks

Related: Iran Paper Accuses US of Stealing Its .Com

Related: North Korean Hackers Target macOS Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
