Summary: A sophisticated phishing campaign attributed to the Iranian-linked threat actor TA455 has been identified, utilizing impersonation of job recruiters to lure victims into downloading malicious files. The campaign employs advanced techniques, including DLL side-loading and obfuscation methods, to evade detection and execute malware.
Threat Actor: TA455
Victim: Aerospace professionals
Key Points:
- Malicious file: “SignedConnection.zip,” flagged by multiple antivirus engines.
- Primary targets include aerospace professionals, consistent with TA455’s historical focus.
- Utilizes recently created domains like “careers2find[.]com” for distribution.
- Obscures operations by encoding command-and-control communications on GitHub.
- Mimics tactics of North Korea’s Lazarus Group to complicate attribution efforts.
- Employs multiple IP addresses and Cloudflare to mask their digital footprint.
A complex phishing campaign attributed to the Iranian-linked threat actor TA455 has been observed using sophisticated techniques to impersonate job recruiters on LinkedIn and other platforms.
ClearSky Cyber Security released the report today, which outlines TA455’s methods, targets and infrastructure.
The campaign, active since at least September 2023, begins with a spear phishing approach in which TA455 lures individuals with fake job offers. Using LinkedIn to gain trust, the attackers prompt victims to download a ZIP file titled “SignedConnection.zip,” which was flagged as malicious by five antivirus engines.
This ZIP file contains an EXE file designed to load malware into the victim’s system through DLL side-loading, where a malicious DLL file called “secur32[.]dll” is loaded instead of a legitimate one, allowing the attacker to run undetected code within a trusted process.
Technical Analysis of the Malware and Infection Process
To increase the likelihood of infection, the attackers also provide a detailed PDF guide within the phishing materials. This guide instructs the victim on how to “safely” download and open the ZIP file, warning against actions that might prevent the attack from succeeding.
Once the ZIP file is accessed and the highlighted EXE file inside is executed, the malware initiates an infection chain. This process leads to the deployment of SnailResin malware, which then activates a secondary backdoor called SlugResin. ClearSky attributes both SnailResin and SlugResin to a subgroup of Charming Kitten, another Iranian threat actor.
Key details of the campaign include:
- Malicious file: “SignedConnection.zip,” detected as malicious
- Primary targets: Aerospace professionals, a frequent focus of TA455’s past campaigns
- Domains: Recently created and concealed domains like “careers2find[.]com” are used for distribution
The group further obscures its operations by encoding command-and-control (C2) communications on GitHub, a tactic that makes it difficult for traditional detection tools to recognize the threat. This GitHub-hosted C2 channel enables TA455 to retrieve data from compromised systems by blending malicious traffic with legitimate GitHub user activity.
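C2 traffic hidden among GitHub requests defeats reputation-based blocking, but it still has to be fetched on a schedule by a process that is not a developer tool, and that cadence is what a defender can look for. The beaconing check below is an added example, not code from the article or from ClearSky: it groups outbound proxy requests to GitHub hosts by source host, process and URL, skips an allowlist of expected clients, and flags any series whose inter-request gaps are nearly constant. The log format, the sample lines, the `EXPECTED_CLIENTS` list, the process name `placeholder_launcher.exe` and the repository path are all constructed for this example.

```python
"""
Added example, not code from the article or from ClearSky: a beaconing check
over outbound proxy logs that surfaces processes polling GitHub-hosted
content at a fixed cadence. The log format, sample lines, process name and
repository path are constructed for this example.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "api.github.com",
                "gist.githubusercontent.com", "objects.githubusercontent.com"}
# Assumption: processes expected to talk to GitHub on a workstation. Anything
# else polling GitHub on a timer deserves a look.
EXPECTED_CLIENTS = {"git.exe", "gh.exe", "code.exe"}


def parse_proxy_line(line: str):
    """Fields: ISO timestamp, source host, process, destination host, URL path."""
    ts, host, proc, dest, path = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), dest.lower(), path


def find_github_beacons(log_text: str, min_requests: int = 4,
                        max_jitter_s: float = 5.0) -> List[Dict]:
    """Group GitHub requests by (host, process, URL) and flag regular cadences."""
    series = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, proc, dest, path = parse_proxy_line(line)
        if dest not in GITHUB_HOSTS or proc in EXPECTED_CLIENTS:
            continue
        series[(host, proc, dest + path)].append(ts)

    findings = []
    for (host, proc, url), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A low standard deviation of inter-request gaps means a timer, not a human.
        if statistics.pstdev(gaps) <= max_jitter_s:
            findings.append({"host": host, "process": proc, "url": url,
                             "requests": len(times),
                             "interval_s": round(statistics.mean(gaps), 1)})
    return findings


# Constructed sample: an unexpected process fetching the same raw file every
# 300 s, two git fetches from a developer, and a browser visiting GitHub
# at irregular intervals.
SAMPLE_PROXY_LOG = """
2024-11-12T09:00:00 WS-17 placeholder_launcher.exe raw.githubusercontent.com /placeholder-user/placeholder-repo/main/data.txt
2024-11-12T09:05:00 WS-17 placeholder_launcher.exe raw.githubusercontent.com /placeholder-user/placeholder-repo/main/data.txt
2024-11-12T09:10:00 WS-17 placeholder_launcher.exe raw.githubusercontent.com /placeholder-user/placeholder-repo/main/data.txt
2024-11-12T09:15:00 WS-17 placeholder_launcher.exe raw.githubusercontent.com /placeholder-user/placeholder-repo/main/data.txt
2024-11-12T09:20:00 WS-17 placeholder_launcher.exe raw.githubusercontent.com /placeholder-user/placeholder-repo/main/data.txt
2024-11-12T09:01:10 DEV-03 git.exe github.com /example-org/example-repo.git/info/refs
2024-11-12T09:31:10 DEV-03 git.exe github.com /example-org/example-repo.git/info/refs
2024-11-12T10:02:00 WS-21 chrome.exe github.com /example-org/example-repo
2024-11-12T10:02:30 WS-21 chrome.exe github.com /example-org/example-repo
2024-11-12T10:09:10 WS-21 chrome.exe github.com /example-org/example-repo
2024-11-12T10:09:22 WS-21 chrome.exe github.com /example-org/example-repo
"""

if __name__ == "__main__":
    for finding in find_github_beacons(SAMPLE_PROXY_LOG):
        print(finding)
```

On the constructed sample only the WS-17 series is reported (five requests, 300 s apart); the git traffic is allowlisted and the browser's four visits have gaps of 30, 400 and 12 seconds, far above the jitter threshold. Real implants add jitter, so in production the threshold and minimum count are tuning knobs, and the output is a lead for triage rather than a verdict.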
Attribution Challenges and Obfuscation Techniques
To complicate attribution, TA455 mimics tactics, names and file signatures associated with North Korea’s Lazarus Group. This intentional misattribution misleads investigators, resulting in frequent misidentification of TA455’s malware as North Korean Kimsuky malware.
Additional infrastructure analysis reveals that TA455 uses multiple IP addresses, with some links masked by Cloudflare, adding layers to obscure their digital trail. These IP addresses connect to Iranian hosting providers rarely linked to Iranian groups, which suggests a deliberate effort to evade tracking and detection.
Source: https://www.infosecurity-magazine.com/news/ta455s-iranian-dream-job-campaign