Executive Summary
Researchers from ClearSky Cyber Security have uncovered a new cyber espionage campaign attributed to TA455, a subgroup of the Iranian threat actor known as Charming Kitten (also known as APT35). The campaign, active since at least September 2023, has targeted entities in the aerospace, aviation, and defense industries, with a particular focus on Israel, the United Arab Emirates, Turkey, India, and possibly Albania.
The attackers use a “Dream Job” lure to target employees in the aerospace and defense sectors, offering fake job opportunities via a recruitment website that impersonates legitimate job platforms. The website, careers2find[.]com, is used to distribute malicious files, including the SnailResin malware, which is downloaded from the site as a ZIP archive. The malware is also delivered through spear-phishing emails carrying job-related attachments, often disguised as legitimate documents to avoid detection.
TA455 mimics tactics used by other groups, notably the North Korean Lazarus Group, in an attempt to confuse attribution efforts. This includes similar DLL side-loading techniques and overlapping malware files. Their malware evades traditional detection systems: only a few antivirus engines flagged the malicious files contained in the ZIP archives, and many of those mistakenly attributed them to North Korea’s Kimsuky group.
Community Response
The “Dream Job” campaign reflects Iran’s ongoing cyber espionage activities, targeting sensitive information from critical industries, particularly those related to national security and defense. The report demonstrates that the TA455 subgroup employs sophisticated techniques, such as using professional networking platforms and legitimate traffic services to avoid detection, while exploiting trust-based environments to increase the likelihood of successful attacks. While RH-ISAC Core Members were not specifically targeted in this campaign, the prevalence and sophistication of cyber espionage recruitment campaigns (especially fraudulent recruiting operations) remain a current and growing threat to RH-ISAC Core Members. Members are encouraged to review the intelligence in this report and ingest the Indicators of Compromise included below when feasible.
Analysis
Key features of the campaign include:
- Impersonation of recruiters: Fake LinkedIn profiles are used to lure victims into engaging with malicious links and attachments.
- Multi-stage infection: The malware is deployed through a series of stages, starting with disguised ZIP files, and it uses obfuscation and custom code to evade security defenses.
- Use of legitimate services: To mask their infrastructure and control communications, the attackers leverage services like Cloudflare, GitHub, and Microsoft Azure.
- Continuous evolution: The campaign’s infrastructure and malware evolve frequently to stay ahead of detection, with constant changes to domains, IP addresses, and malware variants.
Recent searches by ClearSky Cyber Security related to the Careers2Find website revealed a LinkedIn profile that had previously served as a threat actor recruiter, even though the account was created only four months ago. Two other LinkedIn recruiter profiles were also created by TA455, showing the group’s readiness to spin up multiple fresh, malicious LinkedIn recruiting accounts.
Indicators of Compromise
The following Indicators of Compromise have been provided by ClearSky Cyber Security and are designated with normal confidence. Additional indicators, which ClearSky Cyber Security has not ranked with normal confidence, can be found on pages 14 and 15 of the report.
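As an added defender-side example (not code from the ClearSky report or RH-ISAC), the routine below refangs indicators published in the defanged form used above and checks them against proxy, DNS and firewall log lines. Only careers2find[.]com is taken from the report text; the other two indicators and all log lines are constructed placeholders.

```python
import re
from typing import Iterable

# Indicators as advisories publish them: "[.]" for ".", "hxxp" for "http".
# careers2find[.]com is named in the report; the other two are CONSTRUCTED
# placeholders (RFC 5737 test address, reserved .invalid TLD), not real IoCs.
DEFANGED_IOCS = [
    "careers2find[.]com",
    "hxxps[://]raw[.]example[.]invalid/lure-repo",
    "192[.]0[.]2[.]10",
]

# Constructed proxy / DNS / firewall lines to run the watchlist against.
SAMPLE_LOG = [
    "2024-03-04T09:12:01Z proxy user=jdoe GET https://careers2find.com/apply/engineer.zip 200",
    "2024-03-04T09:12:05Z dns query=www.careers2find.com type=A",
    "2024-03-04T09:13:10Z proxy user=asmith GET https://www.microsoft.com/ 200",
    "2024-03-04T09:14:00Z dns query=raw.example.invalid type=A",
    "2024-03-04T09:15:22Z fw dst=192.0.2.10 dport=443 action=allow",
]

TOKEN_RE = re.compile(r"[a-z0-9.-]+")  # hostnames, IPs and path pieces in a log line


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with real log data."""
    s = ioc.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    s = s.replace("[://]", "://").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)", r"http\1", s)


def host_of(ioc: str) -> str:
    """URLs reduce to their host; bare domains and IPs pass through unchanged."""
    s = refang(ioc)
    m = re.match(r"^[a-z]+://([^/:]+)", s)
    return m.group(1) if m else s


def build_watchlist(iocs: Iterable[str]) -> set[str]:
    return {host_of(i) for i in iocs}


def match_log_lines(lines: Iterable[str], watchlist: set[str]) -> list[tuple[int, str]]:
    """Return (line_number, watched_host) for every line naming a watched host or a subdomain of it."""
    hits = []
    for n, line in enumerate(lines, 1):
        tokens = TOKEN_RE.findall(line.lower())
        hit = next((h for h in watchlist for t in tokens if t == h or t.endswith("." + h)), None)
        if hit:
            hits.append((n, hit))
    return hits


def run_sample() -> list[tuple[int, str]]:
    return match_log_lines(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS))
```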