Cybersecurity experts warn that hackers linked to the Iranian government are deploying malware in the guise of job offers, aiming to infiltrate the aerospace sector. A recent report by ClearSky Cyber Security reveals how this Iranian state-sponsored group, known as TA455, is targeting employees in aerospace, defence, and government sectors, especially in the United States, Middle East, and Europe. This cyber-espionage operation, called “Dream Job,” employs tactics that closely resemble those used by North Korean hacker groups, leaving researchers to speculate on possible collaboration or mimicry.
Hackers use fake job sites and profiles
ClearSky researchers have exposed the methods used by TA455 to deceive unsuspecting victims. The hackers set up fake recruitment websites and created fraudulent social media profiles, particularly on LinkedIn. These fake profiles are designed to lure targeted employees by offering enticing job opportunities.
Once the victim expresses interest, the hackers send job-related documents as part of the “onboarding process.” However, these documents carry a malicious file called SnailResin, a malware designed to breach the victim’s systems. SnailResin is a loader for a secondary malware called SlugResin, which allows hackers to exfiltrate data, maintain remote system control, and ensure ongoing access even after detection attempts.
Iranian hackers may be mimicking North Korea’s Lazarus Group
ClearSky has found the tactics used in “Dream Job” strikingly similar to those previously attributed to Lazarus, a notorious North Korean hacking group. Lazarus is infamous for targeting individuals with fake job offers, especially in the cryptocurrency and tech sectors. The resemblance has led researchers to speculate whether TA455 is copying Lazarus’s techniques to obscure its identity or whether the two groups might collaborate.
TA455, also known as Charming Kitten, shares traits with other Iranian cyber-espionage groups, such as APT35 and TA453. Linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), TA455 has a history of cyber-espionage in aerospace, defence, and government agencies. The group’s main objectives are to collect geopolitical intelligence and steal confidential information to be leveraged for strategic advantage.
ClearSky’s analysis suggests that TA455 deliberately impersonates Lazarus’s style or that North Korean and Iranian groups share malware and tactics. Researchers have not reached a definitive conclusion but believe TA455 might use resemblance as a disguise.
Protect yourself from fake job offers
This “Dream Job” campaign serves as a timely reminder of the risks associated with unsolicited job offers, especially those from unfamiliar sources. The “too good to be true” approach often indicates potential deception, as attackers increasingly use enticing offers to trick targets into unknowingly compromising their data security.
Experts recommend verifying the legitimacy of job offers and being cautious about downloading files, especially from unknown senders. If you’re considering a job offer from an unfamiliar recruiter, take steps to authenticate the source and confirm their identity. Cybersecurity vigilance is key to protecting sensitive information from prying hackers.
