
Iranian Hacker Group Targets Aerospace Sector

Israeli cybersecurity company ClearSky found that the group leverages malware known as SnailResin, which then activates a secondary backdoor called SlugResin.



The Iranian threat group known as TA455 has adopted a sophisticated strategy similar to North Korea's "Dream Job" campaigns, which lure targets with fake job offers to infiltrate their systems. Since at least September 2023, TA455 has been observed using job-related baits to deploy malware targeting the aerospace industry.

According to Israeli cybersecurity company ClearSky, TA455’s campaign leverages malware known as SnailResin, which then activates a secondary backdoor called SlugResin. This approach enables the attackers to maintain access to infected systems and extract sensitive data.

Who is TA455?

TA455, tracked by Mandiant as UNC1549 and PwC as Yellow Dev 13, is considered a sub-group of Iran’s larger APT35 threat actor, which is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). Known under multiple names such as Charming Kitten, Mint Sandstorm, and Newscaster, APT35 has a history of espionage-focused campaigns and typically targets sectors like aerospace, aviation, and defense across the Middle East and other regions.

In early 2023, TA455 was linked to highly targeted attacks on industries in Israel, the UAE, Turkey, India, and Albania, often using social engineering tactics to trick individuals with fake job offers.

How the TA455 Campaign Works

TA455’s attack chain involves several stages, beginning with social engineering tactics to gain initial access. Here’s a breakdown of how these operations unfold:

  1. Fake Job Offers: The group uses realistic job postings, often presented through recruiting websites (e.g., careers2find[.]com) and professional LinkedIn profiles, to engage targets. The posts are intended to attract employees in sectors like aerospace and defense.

  2. Malware Delivery: Once contact is established, TA455 sends a ZIP archive containing legitimate and malicious files. This package often includes:

    • An executable file (SignedConnection.exe)

    • A malicious DLL file (secur32.dll), designed to be sideloaded upon execution

  3. SnailResin and SlugResin Malware: When the executable runs, it loads the attacker’s secur32.dll from its own directory instead of the legitimate Windows copy (DLL sideloading). That DLL sideloads the SnailResin loader, which then installs the SlugResin backdoor. The backdoor provides remote access, allowing attackers to deploy further malware, collect credentials, and move across the target’s network.

  4. Command-and-Control (C2) via GitHub: To avoid detection, TA455 encodes its command-and-control server information within a GitHub repository, blending malicious traffic with legitimate activity on the platform.
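The sideloading step above is the most concrete detection opportunity in this chain: a DLL carrying a Windows system name (secur32.dll) loaded from a user-writable folder next to the executable that loaded it. The following detection logic is an added example, not ClearSky's or the article's code; the Sysmon-style image-load records and the extra DLL names beyond secur32.dll are constructed assumptions for illustration.

```python
"""Added example: flag a system DLL name (e.g. secur32.dll) loaded from a
non-system directory, which is the pattern behind the TA455 sideload."""
from pathlib import PureWindowsPath

# DLL names Windows normally serves only from its system directories.
# secur32.dll is the name abused in this campaign; the other two are
# assumed, commonly abused names added for illustration.
SYSTEM_DLLS = {"secur32.dll", "version.dll", "dbghelp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_system_path(path):
    """True if the path lies under System32 or SysWOW64 (case-insensitive)."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def check_image_load(image, loaded):
    """Return a finding if `loaded` is a system DLL name coming from a
    non-system directory; `same_dir` marks the classic sideload layout
    where the DLL sits beside the loading executable. Else return None."""
    dll = PureWindowsPath(loaded)
    if dll.name.lower() not in SYSTEM_DLLS or is_system_path(loaded):
        return None
    exe = PureWindowsPath(image)
    same_dir = str(dll.parent).lower() == str(exe.parent).lower()
    return {"image": image, "dll": loaded, "same_dir": same_dir}


# Constructed Sysmon-like (Event ID 7, ImageLoaded) records, not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\secur32.dll"),           # legitimate load
    ("C:\\Users\\alice\\Downloads\\JobOffer\\SignedConnection.exe",
     "C:\\Users\\alice\\Downloads\\JobOffer\\secur32.dll"),  # sideload layout
    ("C:\\Program Files\\App\\app.exe",
     "C:\\Program Files\\App\\app.dll"),              # app-private DLL, ignored
]


def scan(events):
    """Run the check over (image, loaded_dll) pairs and keep the findings."""
    return [f for f in (check_image_load(i, d) for i, d in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"sideload candidate: {f['image']} loaded {f['dll']}")
```

In production the same check would run over real image-load telemetry and be tuned with an allow-list for legitimate applications that ship their own copies of these DLLs.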

Mimicking North Korean Tactics

TA455’s campaign exhibits noticeable similarities to tactics used by North Korea’s Lazarus Group in their Dream Job attacks. Both operations use fake job opportunities to deliver malware, suggesting a deliberate choice by TA455 to adopt techniques that make attribution more challenging. Alternatively, it’s possible the groups share tools or methods, either directly or indirectly.

Who is Affected?

TA455’s campaign mainly targets organizations and individuals within the aerospace, defense, and aviation sectors, particularly those in the Middle East. Employees working in high-security or high-sensitivity areas, such as those with access to intellectual property or trade secrets, are particularly vulnerable. With the lure of professional opportunities, TA455’s social engineering approach capitalizes on the ambitions of professionals within these industries.

How to Protect Yourself

To guard against such sophisticated phishing and malware campaigns, especially those targeting professionals in high-stakes industries, organizations and individuals should adopt these best practices:

  1. Verify Job Offers: Be cautious of unsolicited job offers, particularly those that involve clicking links, downloading files, or installing software. Always verify the authenticity of any recruiter or job posting by reaching out through official channels.

  2. Limit LinkedIn Exposure: While networking on LinkedIn is common, professionals in sensitive sectors should be cautious about who they connect with and should avoid sharing detailed job responsibilities or sensitive project information.

  3. Beware of Suspicious Emails and Attachments: Avoid opening unexpected attachments or downloading files from unknown sources, even if they appear professional. Cyber threat actors often disguise malware as legitimate documents.

  4. Use Security Software: Implement advanced threat detection systems and endpoint protection software. Behavioral-based detection can help identify unusual activities like DLL sideloading or network connections to suspicious servers.

  5. Continuous Employee Education: Organizations should routinely train their employees on the latest phishing and social engineering tactics to build awareness of emerging threats, especially in sectors that are frequent targets for cyber-espionage.

Conclusion

TA455’s new strategy is a clear indication of how Iranian threat actors are adapting their methods to match some of the most sophisticated techniques in the cyber threat landscape. By leveraging fake job offers and social engineering methods, TA455 is positioning itself to compromise sensitive information within the aerospace sector. The campaign’s reliance on malware like SnailResin and SlugResin, combined with its clever use of GitHub to evade detection, highlights the evolving nature of cyber threats in today’s digital ecosystem.

With social engineering at the core of this approach, awareness and caution are paramount. For professionals in high-target industries, vigilance against unsolicited offers and adherence to cybersecurity best practices are crucial steps in minimizing exposure to such sophisticated cyber threats.