An investigation has revealed details of an Iranian social engineering campaign using fraudulent LinkedIn identities to trick victims into downloading malware with fake job offers.
Clear Sky Security recently published information on the infrastructure and techniques employed in a threat campaign using a ‘dream job’ scam to target jobseekers in the aerospace industry.
The attack has been attributed to TA455, which Clear Sky described as a subgroup of the Iranian threat actor dubbed ‘Charming Kitten’ (also tracked as APT35); the subgroup itself overlaps with the activity cluster Microsoft tracks as Smoke Sandstorm.
According to the report, TA455 has been using the allure of a job in the highly competitive aerospace industry to distribute the SnailResin malware, with the group using LinkedIn to approach targets with seemingly legitimate job offers.
Once the victim has been lured in, the attackers send spear phishing emails that Clear Sky said likely carry malicious attachments disguised as application documents, hidden among legitimate files in a ZIP archive and designed to fly under the radar of security scans and antivirus software.
Once executed, the malware checks the victim’s IP address and retrieves C2 server information from a series of compromised GitHub accounts, which Clear Sky noted makes it harder to detect and analyze the full scope of the attack.
Researchers highlighted a series of techniques leveraged by TA455 to evade detection, such as impersonating other threat actors, specifically the North Korean Lazarus Group, which is also known for perpetrating fake job scams.
The campaign used a number of legitimate services, such as Cloudflare, GitHub, and Microsoft Azure, to conceal its infrastructure and C2 communications, and relied on heavy obfuscation and custom code to bypass security tools.
LinkedIn gives the ‘dream job’ scams credibility
This campaign has been active since at least September 2023, according to Clear Sky, citing a threat intelligence report on the campaign published by Mandiant in February 2024.
Mandiant warned earlier this year that an Iranian group was targeting the aerospace, aviation, and defense industries in Middle East countries, including Israel, the UAE, and potentially Turkey, India, and Albania.
Clear Sky uncovered what it claims to be the first ‘dream job’ campaign in August 2020, orchestrated by the North Korean Lazarus group.
Clear Sky said it saw significant similarities between the two campaigns, including delivery of malware through DLL sideloading, and speculated that North Korea had shared its attack methods and tools with the Iranian threat actor.
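The two technical points above (a malicious attachment hidden among legitimate files in a ZIP archive, and delivery via DLL sideloading) both show up at the archive level before anything runs. The script below is an added triage example, not code from Clear Sky or the original article. It builds a constructed sample archive in memory (the filenames and contents are hypothetical, not indicators from the campaign) and flags entries Windows would execute, double extensions such as `.pdf.exe`, files whose content is a PE regardless of what the extension claims, and an EXE shipped next to a DLL, which is the classic sideloading layout.

```python
"""Triage a job-application ZIP for executables hidden among documents.

Added example for this article; the sample archive below is constructed and
hypothetical, not a real sample from the TA455 campaign.
"""
import io
import os
import zipfile

# Extensions Windows will execute on double-click (a subset; extend as needed).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".lnk", ".js", ".vbs", ".hta",
                   ".cpl", ".msi", ".bat", ".cmd", ".ps1", ".pif"}
# Extensions under which PE content is expected; a PE under any other name is a mismatch.
PE_EXTS = {".exe", ".dll", ".scr", ".cpl", ".sys", ".ocx"}
DOC_KINDS = {"pdf", "ooxml_or_zip", "ole"}

# Magic bytes for the content types we care about.
MAGIC = {
    b"MZ": "pe",                  # Windows PE (EXE/DLL/SCR)
    b"%PDF": "pdf",
    b"PK\x03\x04": "ooxml_or_zip",  # .docx/.xlsx are ZIP containers
    b"\xd0\xcf\x11\xe0": "ole",     # legacy Office or .msi
}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension entirely."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def triage_zip(data: bytes) -> dict:
    """Return entry counts, a list of (finding, entry) pairs and a verdict."""
    findings, entries = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = os.path.basename(name)
            suffixes = [s.lower() for s in base.split(".")[1:]]  # "a.pdf.exe" -> ["pdf", "exe"]
            ext = "." + suffixes[-1] if suffixes else ""
            with z.open(info) as f:
                kind = sniff(f.read(8))
            entries.append((name, ext, kind))
            if ext in EXECUTABLE_EXTS:
                findings.append(("executable_entry", name))
            if len(suffixes) >= 2 and ext in EXECUTABLE_EXTS:
                findings.append(("double_extension", name))
            if kind == "pe" and ext not in PE_EXTS:
                findings.append(("pe_content_extension_mismatch", name))
    # Sideloading layout: a PE that is not a DLL shipped alongside a DLL in the same archive.
    exes = [n for n, e, k in entries if k == "pe" and e != ".dll"]
    dlls = [n for n, e, k in entries if k == "pe" and e == ".dll"]
    if exes and dlls:
        findings.append(("possible_dll_sideload_pair", f"{exes[0]} + {dlls[0]}"))
    documents = sum(1 for _, e, k in entries if k in DOC_KINDS and e not in EXECUTABLE_EXTS)
    return {"entries": len(entries), "documents": documents,
            "findings": findings, "verdict": "suspicious" if findings else "clean"}


def build_sample_zip() -> bytes:
    """Constructed lure archive: real-looking documents with a PE hidden among them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Job Description.pdf", b"%PDF-1.4\n% constructed filler\n")
        z.writestr("Benefits Overview.docx", b"PK\x03\x04" + b"\0" * 20)
        z.writestr("Resume Template.docx", b"MZ\x90\x00" + b"\0" * 60)      # PE under a document name
        z.writestr("Application Form.pdf.exe", b"MZ\x90\x00" + b"\0" * 60)  # double extension
        z.writestr("secur32.dll", b"MZ\x90\x00" + b"\0" * 60)               # DLL beside the EXE
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed benign archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Job Description.pdf", b"%PDF-1.4\n% constructed filler\n")
        z.writestr("Benefits Overview.docx", b"PK\x03\x04" + b"\0" * 20)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_zip()), ("clean", build_clean_zip())):
        result = triage_zip(blob)
        print(f"{label}: {result['verdict']} ({result['entries']} entries, {result['documents']} documents)")
        for finding, entry in result["findings"]:
            print(f"  {finding}: {entry}")
```

The magic-byte check matters more than the extension list: an attacker controls the name, not the first bytes of a PE loader. The sideload heuristic is deliberately coarse (any EXE plus any DLL in one archive) because a legitimate application package is rare in a job application, so the false-positive cost is low in this context.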
Presenting new threat intelligence at CYBERWARCON in Arlington, Virginia, Microsoft revealed that North Korean threat actors had stolen over $10 million in cryptocurrency through social engineering attacks, many of which used LinkedIn to reach out to victims.
Researchers said that by approaching targets from seemingly authentic LinkedIn accounts, the group increases the likelihood of victims opening malicious attachments or clicking on links leading to compromised websites.
“By leveraging LinkedIn, a platform inherently built on trust and professional connections, TA455 seeks to gain credibility and avoid raising suspicion,” the report explained.
“Their use of fake recruiter profiles associated with fabricated companies further strengthens the deception and makes it more likely for victims to engage with their malicious links and attachments. This exploitation of a trusted platform allows them to bypass traditional security measures that might flag suspicious emails or websites.”