Global Security

Iranian Hackers Use ‘Dream Job’ Decoys to Deploy SnailResin Malware in Aerospace Attacks

By Admin | November 13, 2024

November 13, 2024 | Ravi Lakshmanan | Cyber Espionage / Malware

An Iranian threat actor known as TA455 has been observed taking a page out of a North Korean hacking group's playbook to orchestrate its own version of the "Dream Job" campaign, targeting the aerospace industry with fake job offers since at least September 2023.

"The campaign distributed the SnailResin malware, which activates the SlugResin backdoor," Israeli cybersecurity firm ClearSky said in an analysis published Tuesday.

TA455, also tracked as UNC1549 by Google-owned Mandiant and as Yellow Dev 13 by PwC, is assessed to be a subcluster within APT35, which is also known as CALANQUE, Charming Kitten, CharmingCypress, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453 and Yellow Garuda.


Affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), the group is said to share tactical overlaps with the clusters tracked as Smoke Sandstorm (formerly Bohrium) and Crimson Sandstorm (formerly Curium).

In February 2024, the adversary was found to be behind a series of highly targeted campaigns aimed at the aerospace, aviation and defense industries in the Middle East, including Israel, the U.A.E., Turkey, India and Albania.

Those attacks involved social engineering tactics that used job-related lures to deliver two backdoors, dubbed MINIBIKE and MINIBUS. Enterprise security firm Proofpoint said it has also observed "TA455 using front companies to engage targets of interest in a professional manner via Contact Us pages or sales requests."

That said, this is not the first time the threat actor has used job-themed decoys in its attacks. In its report Cyber Threats 2022: A Year in Retrospect, PwC said it discovered espionage-motivated activity by TA455 in which the attackers posed as recruiters for real or fictitious companies on various social media platforms.

"Yellow Dev 13 used numerous artificial intelligence (AI)-generated photos for its personas and impersonated at least one real person for its operations," the company noted.

ClearSky said it found several overlaps between the Dream Job campaigns run by the Lazarus Group and by TA455, including the use of recruitment lures and DLL sideloading to deploy malware.

This has raised the possibility that the latter is either deliberately mimicking the North Korean group's tradecraft to confuse attribution efforts, or that some sharing of tools is taking place between the two.

Attack chains use fake recruitment websites ("careers2find(.)com") and LinkedIn profiles to distribute a ZIP archive containing, among other files, an executable ("SignedConnection.exe") and a malicious DLL ("secur32.dll") that is sideloaded when the EXE is launched.


According to Microsoft, secur32.dll is a trojan loader named SnailResin that is responsible for loading SlugResin, an updated version of BassBreaker, a backdoor that provides remote access to a compromised machine, effectively allowing the threat actors to deploy additional malware, steal credentials, elevate privileges, and move laterally to other devices on the network.
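The archive layout described above, a trusted-looking EXE shipped next to a DLL that carries a Windows system DLL's name, is a pattern a triage script can flag before anyone double-clicks the file. With the default search order, a DLL that is not on the KnownDLLs list is resolved from the executable's own directory before System32, so the legitimate EXE loads the bundled secur32.dll. The script below is an added example and is not code from the article, ClearSky or Microsoft; the archive it inspects is constructed inline with stub contents, and the DLL names other than secur32.dll are an assumed list of common sideloading targets.

```python
import io
import zipfile

# Windows DLL names that attackers commonly place next to a trusted EXE so the
# loader picks their copy up first. secur32.dll is the name used in this
# campaign; the others are an assumed list of well-known sideloading targets.
SIDELOAD_DLL_NAMES = {
    "secur32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll",
    "wtsapi32.dll", "userenv.dll", "dwmapi.dll", "profapi.dll",
}


def is_pe(data: bytes) -> bool:
    """True if the bytes start with the MZ header every EXE/DLL carries."""
    return data[:2] == b"MZ"


def triage_archive(zip_bytes: bytes) -> dict:
    """Flag sideloading candidates inside a ZIP without executing anything.

    A finding is a file whose name matches a Windows system DLL and which sits
    in the same directory as an executable: with the default search order a
    DLL that is not on the KnownDLLs list is resolved from the application's
    directory before System32, so the EXE loads the bundled copy.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        by_dir: dict[str, list[str]] = {}
        for m in members:
            directory, _, base = m.filename.rpartition("/")
            by_dir.setdefault(directory, []).append(base)
        for directory, files in by_dir.items():
            exes = sorted(f for f in files if f.lower().endswith(".exe"))
            for f in files:
                if f.lower() not in SIDELOAD_DLL_NAMES or not exes:
                    continue
                path = f"{directory}/{f}" if directory else f
                findings.append({
                    "dir": directory or ".",
                    "dll": f,
                    "is_pe": is_pe(zf.read(path)),  # a fake "DLL" that is not PE is noise
                    "exes": exes,
                })
    return {"file_count": len(members), "findings": findings}


def build_sample_archive() -> bytes:
    """Constructed sample modelled on the layout the article describes.

    The EXE and DLL are MZ stubs padded with zeros; nothing in this archive
    is real malware or real code from the campaign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Offer/Job_Description.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Offer/SignedConnection.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Offer/secur32.dll", b"MZ" + b"\x00" * 62)
        zf.writestr("Offer/README.txt", b"Run SignedConnection.exe to view the offer.")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for hit in report["findings"]:
        print(f"sideload candidate: {hit['dir']}/{hit['dll']} "
              f"next to {hit['exes']} (PE: {hit['is_pe']})")
```

The check is deliberately static: it never extracts to disk or runs anything, so it is safe to wire into a mail-gateway or sandbox pre-filter. A hit is a reason to detonate the archive or pull the DLL's exports, not a verdict on its own, since some legitimate installers do ship private copies of these DLLs.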

The attacks are also characterized by the use of GitHub as a dead drop resolver, with the address of the actual command-and-control server encoded in a repository, allowing the adversary to hide its infrastructure and blend in with legitimate traffic.
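A dead drop resolver means the implant fetches a benign-looking page from a trusted service and decodes its real C2 address from it, so the only network indicator on the wire is a GitHub request. The article does not say how TA455 encodes the address; the added example below, which is not code from ClearSky or the campaign, assumes a base64-encoded address hidden in repository text and shows the hunting logic a responder would run over fetched repository contents. The README text and the example.net domain are constructed for the demonstration.

```python
import base64
import binascii
import re

# Candidate base64 runs: long enough to hold a hostname, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# What a decoded C2 indicator is expected to look like: optional scheme, a
# dotted hostname, optional port and path, and nothing else.
URL_LIKE = re.compile(
    rb"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?::\d+)?(?:/\S*)?$"
)


def extract_dead_drop_c2(text: str) -> list[str]:
    """Return decoded strings that look like C2 addresses hidden in repo text.

    Assumption (not stated in the article): the address is base64-encoded.
    Every long base64-looking run is decoded strictly; only results that look
    like a URL or hostname survive, which discards ordinary tokens such as
    hashes and real base64 blobs that decode to binary.
    """
    hits = []
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a commit hash or a long identifier)
        candidate = raw.strip()
        if URL_LIKE.match(candidate):
            hits.append(candidate.decode("ascii"))
    return hits


def build_sample_readme() -> str:
    """Constructed README text standing in for a dead-drop repository.

    The address uses an RFC 2606 reserved example domain; it is not an
    indicator from the campaign.
    """
    blob = base64.b64encode(b"https://c2.example.net/update").decode("ascii")
    return (
        "# dotnet-helpers\n"
        "Small utility collection. Build with `dotnet build`.\n"
        f"<!-- build-id: {blob} -->\n"
        "Integrity: QUJDREVGR0hJSktMTU5PUA==\n"  # decodes to plain text, not a URL
    )


if __name__ == "__main__":
    for c2 in extract_dead_drop_c2(build_sample_readme()):
        print("possible dead-drop C2:", c2)
```

Run over the raw contents of a repository a suspect binary was seen fetching (the README, gists, issue bodies, commit messages), this turns a "why is this host talking to GitHub" alert into a concrete C2 indicator to block and pivot on. If the real encoding turns out to be something else (XOR, reversed strings, a custom alphabet), only the decode step changes; the filter on the decoded shape stays the same.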

"TA455 uses a carefully designed multi-stage infection process to increase the chance of success while minimizing detection," ClearSky said.

"Initial phishing emails likely contain malicious attachments disguised as work-related documents, which are further hidden within ZIP files containing a mix of legitimate and malicious files. This multi-layered approach aims to bypass security checks and trick victims into executing the malware."
