Aerospace employees targeted with malicious “dream job” offers
It’s not just North Korean hackers who reach out to targets via LinkedIn: since at least September 2023, Iranian threat actor TA455 has been trying to compromise workers in the aerospace industry by impersonating job recruiters on the popular employment-focused social media platform.
“By leveraging LinkedIn, a platform inherently built on trust and professional connections, TA455 seeks to gain credibility and avoid raising suspicion. Their use of fake recruiter profiles associated with fabricated companies further strengthens the deception and makes it more likely for victims to engage with their malicious links and attachments,” ClearSky Cyber Security researchers noted.
“This exploitation of a trusted platform allows them to bypass traditional security measures that might flag suspicious emails or websites.”
The “Iranian Dream Job” campaign
This latest campaign starts with the attackers getting in touch with target employees via LinkedIn, then directing them to download files from a fake recruiting website.
The SignedConnection.zip file (posing as the SignedConnection application) contains malware and an associated PDF instruction file instructs the target on what to do with it (to ensure infection).
The PDF with instructions (Source: ClearSky)
The ZIP file contains several legitimate files and SignedConnection.exe. When the latter is executed, a malicious file DLL file is side loaded and a connection to a C2 server is established.
The ultimate goal is to distribute and activate the SlugResin backdoor, which allows threat actors to access a compromised device when they want.
Campaign attribution
“Dream Job” campaigns – dubbed so because attackers try trick targets by offering them a (non-existent) “dream job” – are not a new occurrence.
North Korean state-sponsored hacker have been preying on job seekers for several years now, and Iranian threat actors have followed suit.
Due to the used attack infrastructure, this latest campaign has also been attributed to threat actor TA455, which is a subgroup of Charming Kitten (aka Smoke Sandstorm), an Iranian APT group known for focusing on targets governmental and military sectors.
“TA455 intentionally attempts to mislead investigators by mimicking the tactics and tools of other threat actors, specifically the North Korean Lazarus group. This includes utilizing similar ‘Dream Job’ lures, attack techniques, and even malware files that overlap with those used by Lazarus in DLL side-loading attacks. This deliberate misattribution aims to create confusion and hinder accurate attribution efforts,” the researchers noted.
It’s also possible that with the same goal in mind, North Korea has intentionally shared attack methods and tools with Iran, they added.