Man
Professional
Fake job offers and cyber espionage are once again threatening the aerospace industry.
The Iranian hacking group TA455 has been using tactics similar to those of the North Korean Lazarus Group to attack the aerospace industry, luring targets with fake job offers since at least September 2023. According to the Israeli company ClearSky, the attackers are spreading the SnailResin malware, a loader that deploys the SlugResin backdoor.
TA455, also tracked as UNC1549 and Yellow Dev 13, is considered a subgroup of APT35, which is known under various other names, including Charming Kitten, CharmingCypress and ITG18. The group is believed to be affiliated with the Islamic Revolutionary Guard Corps (IRGC).
Since the beginning of 2023, TA455 has targeted the aerospace and defense industries in Middle Eastern countries such as Israel, the UAE and Turkey. The attacks rely on social engineering with fake job offers to deliver the MINIBIKE and MINIBUS backdoors. Proofpoint reports that the attackers often set up fake companies to make first contact with victims.
TA455 has used similar tricks in the past, posing as recruiters on social media with fake AI-generated profile photos and impersonating real people, as described in detail in a report by PwC.
ClearSky notes that TA455 uses techniques that overlap with those of North Korea's Lazarus Group, including delivering malicious DLLs through fake websites and LinkedIn profiles. This may be either a false flag intended to confuse attribution or a sign of tool sharing between the groups.
The attacks are multi-stage: phishing emails carry ZIP archives disguised as work documents, and the archives contain the malicious code. The group also uses GitHub to host the addresses of its C&C servers, so that the implant's lookups blend into legitimate developer traffic and are harder to block.
Attackers are thus increasingly copying each other's methods and blurring the lines between the operations of different countries. An old rule applies just as well to information security: trust, but verify, especially when the offer looks too good to be true.
Source
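To make the two techniques from the post concrete, here is an added triage example (not code from ClearSky, Proofpoint or the thread, and not based on any real TA455 sample). It builds a constructed ZIP lure of the kind a fake recruiter would send, flags the signs a defender looks for in it (a decoy document, an EXE sitting next to a DLL it could side-load, a double-extension file), then shows the "GitHub as C&C hideout" trick from both sides: an implant pulling a C2 address out of a public README, and a proxy-log rule that catches a non-developer process fetching raw GitHub content. The README marker format, the process names, the IP 203.0.113.10 and all log lines are assumptions constructed for the example.

```python
"""Added triage example for job-offer ZIP lures and GitHub dead-drop C2.
All file names, log lines and repository content are constructed."""
import base64
import io
import re
import zipfile
from collections import defaultdict
from typing import List, Optional, Tuple
from urllib.parse import urlparse

PE_MAGIC = b"MZ"
# A document extension immediately followed by an executable one, e.g. "Contract.pdf.lnk"
LURE_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|lnk|dll)$", re.I)


def build_sample_lure() -> bytes:
    """Constructed ZIP resembling a job-offer lure: a decoy PDF, a
    legitimate-looking viewer EXE with a sibling DLL it would side-load,
    and a shortcut hiding behind a .pdf extension. PE bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Job_Offer/Position Details.pdf", b"%PDF-1.4 decoy")
        z.writestr("Job_Offer/Viewer/DocViewer.exe", PE_MAGIC + b"\x00" * 62)
        z.writestr("Job_Offer/Viewer/version.dll", PE_MAGIC + b"\x00" * 62)
        z.writestr("Job_Offer/Contract.pdf.lnk", b"L\x00\x00\x00 shortcut")
    return buf.getvalue()


def triage_zip(data: bytes) -> List[str]:
    """Return findings for an archive: PE files by magic (not by extension),
    EXE+DLL pairs in the same directory, and double-extension names."""
    findings = []
    by_dir = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if z.open(info).read(2) == PE_MAGIC:
                findings.append(f"PE file in archive: {name}")
            if LURE_DOUBLE_EXT.search(name):
                findings.append(f"double extension lure: {name}")
            d, _, base = name.rpartition("/")
            by_dir[d].append(base.lower())
    for d, files in by_dir.items():
        exes = [f for f in files if f.endswith(".exe")]
        dlls = [f for f in files if f.endswith(".dll")]
        if exes and dlls:
            findings.append(f"possible DLL side-loading pair in '{d}': {exes} + {dlls}")
    return findings


# Assumed dead-drop format: the C2 URL is base64 inside an HTML comment in a README.
DEAD_DROP_MARKER = re.compile(r"<!--\s*cfg:([A-Za-z0-9+/=]+)\s*-->")
SAMPLE_REPO_README = (
    "# Recruiting assets\n"
    "Internal assets for the hiring portal.\n"
    "<!-- cfg:" + base64.b64encode(b"https://203.0.113.10/api/v1").decode() + " -->\n"
)


def resolve_dead_drop(page: str) -> Optional[str]:
    """Implant-side view: fetch a benign-looking public page, extract the
    hidden blob and decode the live C2 address. Returns None if absent."""
    m = DEAD_DROP_MARKER.search(page)
    return base64.b64decode(m.group(1)).decode() if m else None


# Constructed proxy log: timestamp host process user-agent(single token) url
SAMPLE_PROXY_LOG = [
    "2024-11-12T09:01:02Z ws-042 chrome.exe Mozilla/5.0 https://github.com/acme/docs",
    "2024-11-12T09:03:40Z ws-042 git.exe git/2.43.0 https://github.com/acme/docs.git/info/refs",
    "2024-11-12T09:05:11Z ws-042 DocViewer.exe Mozilla/4.0 https://raw.githubusercontent.com/recruit-assets/portal/main/README.md",
    "2024-11-12T09:05:12Z ws-042 DocViewer.exe Mozilla/4.0 https://203.0.113.10/api/v1/beacon",
]
# Processes for which GitHub content fetches are expected (assumed allow-list)
DEV_PROCESSES = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
GITHUB_CONTENT_HOSTS = ("raw.githubusercontent.com", "api.github.com", "gist.githubusercontent.com")


def flag_dead_drop_fetches(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Defender-side rule: GitHub content pulled by a process that is not a
    browser or developer tool is a dead-drop-resolver candidate."""
    hits = []
    for line in lines:
        _ts, host, proc, _ua, url = line.split(" ", 4)
        if urlparse(url).netloc.endswith(GITHUB_CONTENT_HOSTS) and proc.lower() not in DEV_PROCESSES:
            hits.append((host, proc, url))
    return hits


if __name__ == "__main__":
    for f in triage_zip(build_sample_lure()):
        print(f)
    print("C2 from dead drop:", resolve_dead_drop(SAMPLE_REPO_README))
    for hit in flag_dead_drop_fetches(SAMPLE_PROXY_LOG):
        print("dead-drop fetch:", hit)
```

The PE check reads the file's magic bytes rather than trusting the extension, because a lure can rename a DLL to anything; the side-loading heuristic only fires on an EXE and DLL sharing a directory, which is noisy on real installers but exactly the shape a job-themed lure takes. The proxy rule deliberately keys on the requesting process, not the domain: blocking GitHub is rarely an option, but a "document viewer" that has no business fetching raw repository content is.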