
Iranian Threat Actors Mimic North Korean Job Scam Techniques

Tehran Baits Aerospace Sector Into Downloading Malware With Fake Job Offers

Iranian state hackers are taking a page out of North Korean tactics to entice job seekers into downloading malware, with security researchers spotting a Tehran campaign directed against the aerospace industry.


A threat actor tracked as TA455, which overlaps with the group known as APT35 and Charming Kitten, has since September 2023 been using fake job offers to lure individuals into installing malware that researchers call SnailResin, reports cybersecurity firm ClearSky. The campaign relies on fake recruiter profiles on LinkedIn and on attacker-controlled domains such as careers2find[.]com.

The group continually reworks its fake recruiter profiles to keep them credible: the LinkedIn profiles are tailored to look professional and legitimate, and are often attached to front companies that do not exist.

So closely are the Iranian hackers mirroring North Korean techniques - including the use of several malicious files to deploy the malware through DLL side-loading, in which a legitimate signed executable is tricked into loading an attacker-supplied DLL dropped alongside it - that ClearSky said it's possible Pyongyang shared its attack methods and tools.

North Korean hackers have become notorious for social engineering methods that include activity tracked as "Operation Dream Job" by multiple threat intelligence companies, in which hackers masquerade as recruiters in a bid to entice victims into opening a payload disguised as a job description or skills assessment (see: North Korean Hackers Find Value in LinkedIn).

Iranian hackers target aerospace professionals with malicious links or attachments disguised as job offers.

The SnailResin malware used in this Iranian campaign was initially attributed to North Korean groups such as Kimsuky and Lazarus, which added to the confusion about its true origin. TA455 fronts its command-and-control domains with Cloudflare, hiding the real server addresses and making the campaign's infrastructure difficult to track. The malware also retrieves encoded command-and-control information from GitHub, so its beaconing blends in with the legitimate developer traffic most organizations already allow.
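One way a defender can hunt for the dead-drop pattern described above, as an added illustration that is not part of ClearSky's report or the article: a host that fetches the same GitHub-hosted file on a tight schedule, from something other than a browser, is behaving like an implant polling for its C2 address rather than like a developer. The log lines, their field layout and the thresholds below are all constructed assumptions for the example.

```python
"""Hunt proxy logs for periodic, non-browser fetches of GitHub-hosted content.

Added example, not code from ClearSky or the campaign. The log format
(timestamp, source host, quoted user agent, URL) and the sample lines are
constructed for this illustration; thresholds are assumptions to tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log. ws-eng-42 polls one raw file every ~10 minutes
# with no user agent; ws-eng-17 is ordinary developer browsing.
SAMPLE_LOG = """\
2024-09-12T09:00:00Z ws-eng-17 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0" https://github.com/someorg/project/issues
2024-09-12T09:00:05Z ws-eng-42 "-" https://raw.githubusercontent.com/example/notes/main/readme.txt
2024-09-12T09:03:11Z ws-eng-17 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0" https://github.com/someorg/project/pull/12
2024-09-12T09:10:06Z ws-eng-42 "-" https://raw.githubusercontent.com/example/notes/main/readme.txt
2024-09-12T09:20:04Z ws-eng-42 "-" https://raw.githubusercontent.com/example/notes/main/readme.txt
2024-09-12T09:30:07Z ws-eng-42 "-" https://raw.githubusercontent.com/example/notes/main/readme.txt
2024-09-12T09:40:05Z ws-eng-42 "-" https://raw.githubusercontent.com/example/notes/main/readme.txt
2024-09-12T11:45:30Z ws-eng-17 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0" https://raw.githubusercontent.com/someorg/project/main/README.md
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')

# Hosts commonly abused as dead drops for encoded C2 data (assumed list).
DEAD_DROP_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "gist.githubusercontent.com",
}


def parse_log(text):
    """Parse constructed log lines into (timestamp, host, user_agent, url)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, host, ua, url = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, host, ua, url))
    return events


def is_dead_drop_url(url):
    """True when the URL points at a host commonly used as a dead-drop resolver."""
    hostname = urlsplit(url).hostname or ""
    return hostname.lower() in DEAD_DROP_HOSTS


def looks_like_browser(ua):
    """Crude heuristic: real browsers send a Mozilla/ prefixed user agent."""
    return ua.startswith("Mozilla/")


def find_beacons(events, min_hits=4, max_jitter=0.15):
    """Flag (host, url) pairs fetched repeatedly at a near-constant interval
    by a non-browser client. max_jitter is stdev/mean of the intervals."""
    by_key = defaultdict(list)
    for when, host, ua, url in events:
        if is_dead_drop_url(url):
            by_key[(host, url)].append((when, ua))

    findings = []
    for (host, url), hits in by_key.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(intervals)
        jitter = pstdev(intervals) / avg if avg else float("inf")
        non_browser = all(not looks_like_browser(ua) for _, ua in hits)
        if jitter <= max_jitter and non_browser:
            findings.append({
                "host": host,
                "url": url,
                "hits": len(hits),
                "period_s": round(avg),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} polls {f['url']} every ~{f['period_s']}s "
              f"({f['hits']} hits, jitter {f['jitter']})")
```

The periodicity check matters more than the host list: a developer also pulls raw GitHub files, but not every ten minutes to the second with an empty user agent. Pair a hit with process-level telemetry (which binary opened the connection, and whether it was launched from a freshly extracted ZIP) before escalating.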

The malware is delivered inside ZIP archives named to look like job-related documents, and the files have a low antivirus detection rate. Because the lure arrives over LinkedIn rather than email, TA455 sidesteps the email gateways and web filters that might otherwise flag a suspicious message or link.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



