Iranian Dream Job campaign
Nov. 12, 2024, 12:27 p.m.
Description
An Iranian campaign targeting the aerospace industry has been uncovered, distributing SnailResin malware through a 'dream job' scheme. Attributed to TA455, a subgroup of Charming Kitten, the campaign uses social engineering tactics on LinkedIn, impersonating recruiters to lure victims. The attack employs multi-stage infection chains and DLL side-loading, and leverages legitimate services like Cloudflare and GitHub to evade detection. The campaign has been active since September 2023, constantly evolving its infrastructure and malware. Similarities with North Korean Lazarus Group tactics suggest either impersonation or shared attack methods. The campaign primarily targets aerospace, aviation, and defense industries in the Middle East, especially Israel and the UAE.
Date
Published: Nov. 12, 2024, 12:11 p.m.
Created: Nov. 12, 2024, 12:11 p.m.
Modified: Nov. 12, 2024, 12:27 p.m.
Indicators
Attack Patterns
SlugResin
SnailResin
TA455
T1102.001
T1574.002
T1566.002
T1036.005
T1566.001
T1592
T1027
T1041
Additional Information
Aerospace
Defense
British Indian Ocean Territory
Albania
India
United Arab Emirates
Israel