
Iran uses fake job offers to hack aerospace targets in Israel, Turkey, UAE


An extensive cyber-espionage operation is targeting the global aerospace, defence, and aviation industries in Israel, the UAE, Turkey, and Albania through a scheme known as the ‘Dream Job’ campaign. Orchestrated by an advanced Iranian threat group, TA455 — an affiliate of the notorious ‘Charming Kitten’ (aka APT35 and Smoke Sandstorm) — the campaign employs sophisticated social engineering tactics, posing as job recruiters to lure high-value targets.

The campaign’s modus operandi involves creating fake recruiter profiles on LinkedIn and job sites, offering prestigious-sounding positions in the aerospace and defence sectors to appeal to potential victims. Once a victim is interested, they are tricked into downloading files containing the malware SnailResin, which grants attackers access to their systems.

Using a DLL side-loading technique, TA455 can execute malicious code under the guise of trusted applications, making detection significantly more challenging. Once activated, SnailResin enables access to the victim’s data and collects critical information, including IP addresses and system details, to facilitate a staged infiltration process.

A sample of the fake job phishing page. | Source: ClearSky

In addition, TA455’s phishing strategy has been carefully crafted to target highly specialised professionals. Fake LinkedIn profiles tied to non-existent companies, such as ‘Careers 2 Find,’ have been created to legitimise these fictitious recruiters. The profiles use tactics to bypass initial suspicion, adding credibility to the job offers that ultimately deliver the malicious ZIP files.

Notably, the malware inside these files has been designed to evade antivirus detection — only five antivirus programs flagged it as dangerous, with some even misidentifying it as North Korean malware from the Kimsuky group.

To evade detection, TA455 has taken great care to mask its infrastructure by embedding its malware distribution within legitimate online services like GitHub and Cloudflare. By using platforms such as GitHub to host C2 servers, TA455 obscures its communications, embedding these addresses in otherwise unremarkable text files. This technique not only conceals the attacker’s infrastructure but also makes it difficult for cybersecurity teams to distinguish between legitimate and malicious activity.

Profile of a fake recruiter on LinkedIn. | Source: ClearSky

Furthermore, TA455 uses Cloudflare to hide the actual location of its servers. One of the malicious domains identified, careers2find[.]com, hosted the SnailResin malware disguised as a job offer ZIP file. The domain was registered just four months before the malware’s deployment, suggesting that TA455 meticulously plans each attack and frequently rotates its infrastructure to avoid detection.

Further investigation revealed that the attacker used encoded communications to transmit sensitive C2 server data back to Iran while obscuring their tracks by alternating IP addresses and domains. This multi-stage infection chain begins with a spear-phishing email containing malicious job-related files, such as a PDF file that provides ‘safe browsing’ instructions to encourage the victim to open the infected attachment.

Experts recommend heightened vigilance in digital recruiting practices, staff training on recognising phishing attempts, and enhanced security controls around LinkedIn and job recruitment platforms.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
