Iranian Dream Job campaign
Essential information
- Published
- 12/11/2024 12:11
- Modified
- 12/11/2024 12:27
- Tags
- 2024-11-12 aerospace apt35 charming kitten dll side-loading dream job evasion iran linkedin slugresin snailresin
- Related entities
- 26 observables, 1 intrusion sets (apt), 8 techniques (mitre), 2 malware, 7 others
Description
An Iranian campaign targeting the aerospace industry has been uncovered, distributing SnailResin malware through a 'dream job' scheme. Attributed to TA455, a subgroup of Charming Kitten, the campaign uses social engineering tactics on LinkedIn, impersonating recruiters to lure victims. The attack employs multi-stage infection chains, DLL side-loading, and leverages legitimate services like Cloudflare and GitHub to evade detection. The campaign has been active since September 2023, constantly evolving its infrastructure and malware. Similarities with North Korean Lazarus Group tactics suggest either impersonation or shared attack methods. The campaign primarily targets aerospace, aviation, and defense industries in the Middle East, especially Israel and UAE.