
SCAM AWARENESS: LinkedIn Becomes a Cybercriminal Playground – Iranian “Dream Job” Campaign Exposed

Gibraltar: Tuesday 11 February 2025 at 11:04 CET

CYBER NEWSBYTE: Iranian “Dream Job” Campaign Exposed 

By: Iain Fraser, Cybersecurity Journalist

LinkedIn Becomes a Cybercriminal Playground: Iranian Hackers Target Aerospace Industry
Cybercriminals are increasingly exploiting LinkedIn as a hunting ground for cyber espionage, with Iranian hackers using fake job offers to target professionals in the aerospace industry, according to ClearSky Cyber Security.

Iranian “Dream Job” Campaign Exposed

ClearSky researchers have uncovered a cyber-espionage campaign dubbed the “Iranian Dream Job” campaign, orchestrated by Iranian threat actor TA455. The attackers used fraudulent LinkedIn profiles to distribute SnailResin malware, which subsequently deploys the SlugResin backdoor. Both malware strains are attributed to a subgroup of Charming Kitten, a known Iranian APT group. However, some cybersecurity firms have detected malware signatures associated with North Korea’s Kimsuky/Lazarus APT group.

The similarities in attack techniques, malware strains, and social engineering tactics suggest that either Charming Kitten is impersonating Lazarus to obfuscate its activities, or there is potential collaboration between Iranian and North Korean cyber threat actors.

How the Attack Works
The campaign, active since at least September 2023, operates as follows:

Fake Recruiters on LinkedIn: Attackers create fake LinkedIn profiles and impersonate recruiters from bogus companies like “Careers 2 Find.”

Malicious Job Application Files: Victims are lured into downloading a ZIP file containing disguised malware from a fraudulent job site.

Social Engineering Tactics: To avoid suspicion, victims receive a PDF with detailed instructions on how to “safely” access the job offer.

DLL Side-Loading Attack: When the victim opens the ZIP file, an EXE file executes the malicious secur32[.]dll file, allowing the malware to establish a backdoor connection.

Data Exfiltration via GitHub: The malware checks the victim’s IP address and retrieves C&C (Command and Control) server details from a GitHub repository.
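
The ZIP and DLL side-loading steps above leave a recognisable pattern that a mail gateway or help desk can check before anyone opens the download: an executable shipped in the same folder as a DLL carrying a Windows system library name. The script below is an added example, not code from ClearSky or from this article; apart from secur32.dll, the DLL name list is an illustrative assumption, and the archive and file names are constructed samples.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Illustrative, non-exhaustive list of Windows system DLL names (assumption);
# secur32.dll is the one named in the article.
SYSTEM_DLL_NAMES = {"secur32.dll", "version.dll", "winhttp.dll", "dbghelp.dll"}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com"}


def find_sideload_candidates(zip_bytes):
    """Return sorted (folder, exe, dll) tuples where an executable shares a
    folder with a DLL named like a Windows system library."""
    exes, dlls = defaultdict(list), defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # ZIP entries may use either separator; normalise before splitting.
            path = PurePosixPath(info.filename.replace("\\", "/"))
            folder, name = str(path.parent), path.name.lower()
            if path.suffix.lower() in EXECUTABLE_SUFFIXES:
                exes[folder].append(path.name)
            elif name in SYSTEM_DLL_NAMES:
                dlls[folder].append(path.name)
    return sorted((folder, exe, dll)
                  for folder in exes if folder in dlls
                  for exe in exes[folder] for dll in dlls[folder])


def build_sample_zip(names):
    """Constructed sample archive with placeholder contents (no real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["Offer/JobViewer.exe", "Offer/Secur32.dll",
                               "Offer/instructions.pdf"])
    for folder, exe, dll in find_sideload_candidates(sample):
        print(f"review before opening: {folder}/{exe} sits beside local {dll}")
```

A hit is a reason to quarantine the archive for review rather than proof of malice, since some legitimate installers also bundle DLLs next to their executables.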

Global Espionage Operations

Previous reports by Mandiant have linked Iranian espionage activities to attacks targeting aerospace, defence, and aviation industries in the Middle East, Turkey, India, and Albania. The LinkedIn profiles exposed in this latest campaign appear to be revamped versions of fake recruiter profiles previously identified by Mandiant, indicating an ongoing, evolving operation.

Staying Safe on LinkedIn

Cyber professionals and job seekers should remain vigilant against unsolicited job offers on LinkedIn. ClearSky advises users to:

Verify Recruiter Identities before engaging.

Avoid Downloading Unknown Files from unfamiliar sources.

Be Sceptical of Overly Generous Offers that seem too good to be true.

Use Advanced Endpoint Security to detect malicious file execution.

For a detailed breakdown of this campaign, read the full report by ClearSky Cyber Security.
