Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific

Iranian Cybercriminals Target Aerospace Workers via LinkedIn

The group seeks out aerospace professionals by impersonating job recruiters — a demographic it has targeted in the past as well — then deploys the SlugResin backdoor malware.

Dark Reading Staff, Dark Reading

November 13, 2024

2 Min Read
A person's finger about to click on the LinkedIn app on a phone
Source: Iain Masterton via Alamy Stock Photo

A phishing campaign, active since last September, is targeting users on LinkedIn and other platforms by impersonating job recruiters in the aerospace industry.

ClearSky attributed the campaign to Iranian-linked threat actor TA455, which uses a spear-phishing approach to target and lure individuals. Once connected with its victims, the threat actors encourage them to download a zip file called "SIgnedConnection.zip."

Along with this, the threat actors also provide a PDF guide to their victims to instruct them on how to safely download and open the zip files.

The zip file contains an executable file that loads the malware onto the victim's device through DLL side-loading. A DLL file called "secure32[.]dll" is loaded onto their system, allowing the attacker access to run an undetected code.

Once this is done, the malware initiates an infection chain, which ultimately deploys Snail Resin malware, opening a backdoor titled "SlugResin." This malware and backdoor are both attributed to Charming Kitten, another Iranian threat actor, according to researchers at ClearSky.

The group uses several methods to evade detection, including encoding command-and-control (C2) communications on GitHub to make it more difficult for traditional detection tools to recognize that it's a threat, and it mimics tactics associated with Lazarus Group, causing complications in attribution.

Like past campaigns, TA455 is targeting aerospace professionals, so individuals in this field on platforms such as LinkedIn should be wary of messages and connections they receive from unknown sources.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

About the Author

Dark Reading Staff

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

See more from Dark Reading Staff
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

IT security cybersecurity workers
Vulnerabilities & Threats
Has the Cybersecurity Workforce Peaked?Has the Cybersecurity Workforce Peaked?
byRobert Lemos, Contributing Writer
Nov 7, 2024
7 Min Read
Cloud with lock in center, blue background
Application Security
Sloppy Entra ID Credentials Attract Hybrid Cloud RansomwareSloppy Entra ID Credentials Attract Hybrid Cloud Ransomware
byBecky Bracken, Senior Editor, Dark Reading
Sep 30, 2024
5 Min Read
Woman with her hand hovering over a laptop keyboard in front of a screen display of a mailbox icon with a red danger circle
Threat Intelligence
Flexible Structure of Zip Archives Exploited to Hide Malware UndetectedFlexible Structure of Zip Archives Exploited to Hide Malware
byElizabeth Montalbano, Contributing Writer
Nov 11, 2024
5 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events