
Iranian Dream Job campaign

Nov. 12, 2024, 12:27 p.m.

Description

An Iranian campaign targeting the aerospace industry has been uncovered, distributing SnailResin malware through a 'dream job' scheme. Attributed to TA455, a subgroup of Charming Kitten, the campaign uses social engineering on LinkedIn, impersonating recruiters to lure victims. The attack uses multi-stage infection chains and DLL side-loading, and leverages legitimate services such as Cloudflare and GitHub to evade detection. The campaign has been active since September 2023, constantly evolving its infrastructure and malware. Similarities with North Korean Lazarus Group tactics suggest either impersonation or shared attack methods. The campaign primarily targets the aerospace, aviation, and defense industries in the Middle East, especially Israel and the UAE.

Date

Published: Nov. 12, 2024, 12:11 p.m.

Created: Nov. 12, 2024, 12:11 p.m.

Modified: Nov. 12, 2024, 12:27 p.m.

Indicators


Attack Patterns

SlugResin

SnailResin

TA455

T1102.001

T1574.002

T1566.002

T1036.005

T1566.001

T1592

T1027

T1041

Additional Information

Aerospace

Defense

British Indian Ocean Territory

Albania

India

United Arab Emirates

Israel