

Severity
High
Analysis Summary
Since at least September 2023, the Iranian threat actor TA455 has been seen using North Korean threat groups as a model to plan its version of the Dream Job campaign, which targets the aerospace sector by offering fictitious opportunities. The SnailResin malware, which opens the SlugResin backdoor, was disseminated by the campaign.
TA455, which Google-owned Mandiant also tracks as UNC1549 and Yellow Dev 13, is assessed to be a subgroup of APT35, also known as CALANQUE, Charming Kitten, CharmingCypress, ITG18, Mint Sandstorm (previously Phosphorus), Newscaster, TA453, and Yellow Garuda. The group, which is affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), is said to have tactical overlaps with the clusters known as Crimson Sandstorm (formerly Curium) and Smoke Sandstorm (formerly Bohrium).
Earlier this February, several highly targeted attacks against the Middle Eastern aerospace, aviation, and defense sectors, with victims in Israel, the United Arab Emirates, Turkey, India, and Albania, were attributed to the threat group. The attacks use job-themed social engineering lures to deliver two backdoors known as MINIBIKE and MINIBUS. TA455 also operates front companies to interact professionally with targets of interest through a sales request or a "Contact Us" web form.
The threat actor has used employment-themed decoys in earlier attack efforts as well. TA455 engaged in espionage-motivated activity in which the attackers posed as recruiters for real or fictitious businesses on a number of social media platforms. Researchers found many parallels between TA455 and the two Dream Job campaigns run by the Lazarus Group, including the use of DLL side-loading to deploy malware and the use of job-opportunity baits.
This has sparked speculation that some form of tool sharing is taking place, or that TA455 is deliberately mimicking the North Korean threat group's tradecraft to frustrate attribution. The attack chains use phony recruiting websites ("careers2find[.]com") and LinkedIn accounts to distribute a ZIP archive containing an executable ("SignedConnection.exe") and a malicious DLL ("secur32.dll") that is side-loaded when the EXE is launched.
The malicious secur32.dll is a trojan loader called SnailResin, which loads SlugResin, an updated version of the BassBreaker backdoor. This gives the threat actors remote access to the compromised machine, enabling them to install further malware, steal credentials, escalate privileges, and move laterally to other networked devices. Another characteristic of the attacks is the use of GitHub as a dead drop resolver: the address of the actual command-and-control server is stored in a repository, which lets the attacker hide the malicious activity within normal-looking traffic.
To maximize its chances of success and reduce the likelihood of discovery, TA455 employs a carefully planned multi-stage infection procedure. The initial spear-phishing emails likely carry malicious attachments masquerading as work-related documents, which are further hidden inside ZIP packages that mix malicious and legitimate content. The goal of this layered approach is to evade security checks and trick victims into running the malware.
Impact
- Unauthorized Access
- Security Bypass
- Privilege Escalation
- Credential Theft
Indicators of Compromise
Domain Name
- careers2find.com
- xboxapicenter.com
IP
- 185.186.244.130
- 89.221.225.249
- 77.91.74.171
MD5
- f9914c7d6e09d227b2cecea50b87e58b
- bb4c8f42cc624c628e4b98bd43f29fa6
- 3528837b4088a22f0043551431809b3d
SHA-256
- 918e70e3f5fdafad28effd512b2f2d21c86cb3d3f14ec14f7ff9e7f0760fd760
- bf308e5c91bcd04473126de716e3e668cac6cb1ac9c301132d61845a6d4cb362
- 88097e4780bfdc184b16c5a8a90793983676ad43749ffca49c9d70780e32c33a
SHA-1
- 2a29ba7302024ec1255811abec2a532136d12fef
- 3a0b3426f4a2f85e0c82b2804aab7f5d5bb63fb7
- 1acd34fb6de5c645e03ded9875046979be7893c4
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disseminate information regarding the tactics, techniques, and procedures (TTPs) used by the threat group to target dissidents.
- Educate potential targets on the risks associated with engaging in online conversations with unknown individuals, especially on social media platforms.
- Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
- Conduct phishing awareness training to help users recognize and avoid social engineering attacks, such as deceptive messages and links.
- Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
- Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
- Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
- Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
- Recommend the use of secure messaging and communication platforms that offer end-to-end encryption and protect conversations from interception.
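The following script is an added example (not part of the advisory, and not TA455 tooling) illustrating two of the defensive checks above: searching logs and files for the listed indicators, and hunting for the DLL side-loading layout the analysis describes (a `secur32.dll` placed next to an executable outside the Windows system directories). The domains, IPs and hashes are the ones published in this advisory; the log lines, file names and directory layout in the demo functions are constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Network indicators listed in the advisory.
IOC_DOMAINS = {"careers2find.com", "xboxapicenter.com"}
IOC_IPS = {"185.186.244.130", "89.221.225.249", "77.91.74.171"}

# File-hash indicators listed in the advisory, keyed by algorithm.
IOC_HASHES = {
    "md5": {"f9914c7d6e09d227b2cecea50b87e58b", "bb4c8f42cc624c628e4b98bd43f29fa6",
            "3528837b4088a22f0043551431809b3d"},
    "sha1": {"2a29ba7302024ec1255811abec2a532136d12fef", "3a0b3426f4a2f85e0c82b2804aab7f5d5bb63fb7",
             "1acd34fb6de5c645e03ded9875046979be7893c4"},
    "sha256": {"918e70e3f5fdafad28effd512b2f2d21c86cb3d3f14ec14f7ff9e7f0760fd760",
               "bf308e5c91bcd04473126de716e3e668cac6cb1ac9c301132d61845a6d4cb362",
               "88097e4780bfdc184b16c5a8a90793983676ad43749ffca49c9d70780e32c33a"},
}

# Constructed sample DNS/proxy log lines (hypothetical, not real telemetry).
SAMPLE_LOGS = [
    "2024-11-14T09:01:12Z dns host=WS-17 query=careers2find.com type=A",
    "2024-11-14T09:01:13Z proxy host=WS-17 dst=185.186.244.130:443 method=CONNECT",
    "2024-11-14T09:02:40Z dns host=WS-22 query=update.microsoft.com type=A",
    "2024-11-14T09:03:05Z proxy host=WS-09 dst=77.91.74.171:443 method=CONNECT",
]

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_network_hits(lines):
    """Return (line, indicator) pairs for each log line naming an advisory domain or IP."""
    hits = []
    for line in lines:
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in IOC_DOMAINS:
                hits.append((line, dom.lower()))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((line, ip))
    return hits


def file_hashes(path):
    """Compute MD5, SHA-1 and SHA-256 of a file in a single pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_hits(path):
    """Return the algorithms whose digest of `path` matches an advisory hash."""
    return sorted(alg for alg, val in file_hashes(path).items() if val in IOC_HASHES[alg])


# Directories where a genuine secur32.dll is expected; anywhere else is suspicious.
SYSTEM_DIRS = ("windows\\system32", "windows\\syswow64")


def sideload_candidates(root):
    """Flag a secur32.dll outside the system directories that sits next to an .exe,
    the layout the advisory describes for SignedConnection.exe + secur32.dll."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "secur32.dll" not in {f.lower() for f in files}:
            continue
        if any(sd in dirpath.replace("/", "\\").lower() for sd in SYSTEM_DIRS):
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if exes:
            findings.append((dirpath, exes))
    return findings


def demo_sideload_scan():
    """Build a constructed directory layout in a temp dir and scan it (paths relative to root)."""
    with tempfile.TemporaryDirectory() as base:
        drop = Path(base, "Users", "alice", "Downloads", "JobOffer")
        drop.mkdir(parents=True)
        (drop / "SignedConnection.exe").write_bytes(b"MZ-placeholder")  # constructed, inert
        (drop / "secur32.dll").write_bytes(b"MZ-placeholder")
        sysdir = Path(base, "Windows", "System32")
        sysdir.mkdir(parents=True)
        (sysdir / "secur32.dll").write_bytes(b"MZ-placeholder")  # legitimate location, not flagged
        return [(os.path.relpath(d, base), exes) for d, exes in sideload_candidates(base)]


def demo_hash_check():
    """Hash an empty constructed file and check it against the advisory list."""
    with tempfile.TemporaryDirectory() as base:
        sample = Path(base, "benign.bin")
        sample.write_bytes(b"")
        return file_hashes(sample), hash_hits(sample)


if __name__ == "__main__":
    for line, ioc in find_network_hits(SAMPLE_LOGS):
        print(f"IOC {ioc} seen in: {line}")
    print("side-load candidates:", demo_sideload_scan())
```

Run the script as-is to see the three constructed log hits and the flagged download folder; in practice point `find_network_hits` at exported DNS/proxy logs and `sideload_candidates` at user-writable paths such as Downloads and Temp, and follow any hash match with the full memory and lateral-movement triage the Impact section implies.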