Life Buzz News

Iranian Threat Actors Mimic North Korean Job Scam Techniques


Iranian Threat Actors Mimic North Korean Job Scam Techniques

Tehran Baits Aerospace Sector into Downloading Malware With Fake Job Offers

Iranian state hackers are taking a page out of North Korean tactics to entice job seekers into downloading malware, with security researchers spotting a Tehran campaign directed against the aerospace industry.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

A threat actor tracked as TA455, APT35 and Charming Kitten since September 2023 has been using fake job offers to lure individuals into installing malware known as SnailResin, reports cybersecurity firm ClearSky. The campaign relies on fake recruiters on LinkedIn and malicious domains such as .

The threat actor consistently modifies fake recruiter profiles to appear credible. The LinkedIn profiles are tailored to look professional and legitimate, often linked to phony companies.

So closely are Iranian hackers mirroring North Korean techniques - including through the use of several malicious files to deploy malware through DLL side loading attacks - that ClearSky said it's possible that Pyongyang shared its attack methods and tools.

North Korean hackers have become notorious for social engineering methods that include activity tracked as "Operation Dream Job" by multiple threat intelligence companies, in which hackers masquerade as recruiters in a bid to entice victims into opening a payload disguised as a job description or skills assessment (see: North Korean Hackers Find Value in LinkedIn).

Iranian hackers target aerospace professionals with malicious links or attachments disguised as job offers.

The SnailResin malware used in this Iranian campaign was initially flagged as belonging to North Korean groups like Kimsuky and Lazarus, contributing to confusion around its true origins. TA455 uses Cloudflare to disguise its command-and-control domains, which makes tracking the campaign's infrastructure difficult. By encoding command and control data on GitHub hackers are able to infiltrate networks under the guise of legitimate web traffic.

The malware is embedded in ZIP files labeled as job-related documents, with a low antivirus detection rate. TA455's reliance on trust-based platforms like LinkedIn helps the group bypass traditional security measures that might detect suspicious emails or websites.

Previous articleNext article

POPULAR CATEGORY

corporate

9151

tech

10292

entertainment

11139

research

5106

misc

11925

wellness

8746

athletics

11763