Iranian hackers have been targeting aerospace employees with malicious “dream job” offers since at least September 2023. The campaign, dubbed “Iranian Dream Job” by Israeli cybersecurity firm ClearSky, impersonates job recruiters on LinkedIn to compromise workers in the aerospace industry: the attackers contact their targets through LinkedIn, then direct them to a fake recruiting website to download the supposed application files.
The downloaded ZIP file, presented as the “SignedConnection” application, carries the malware together with a PDF of installation instructions that walks the target through running it, so that the infection completes. The archive contains several legitimate files and a malicious executable named SignedConnection.exe. When that executable runs, it side-loads a malicious DLL from its own directory, and the DLL establishes a connection to a command-and-control (C2) server. Side-loading works because Windows searches an application's own directory before the system directories, so a DLL dropped next to the executable under a trusted library name is loaded in place of the genuine one; an executable that itself looks harmless can therefore still bring attacker code into the process.
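The side-loading step described above leaves a recognisable trace in endpoint telemetry: a process started from a user-writable folder loads a DLL with a Windows system name from that same folder rather than from System32. The script below is an added example written for this article, not code from ClearSky or from the campaign; it runs a simple side-loading heuristic over constructed Sysmon-style image-load records (the Image / ImageLoaded fields of Event ID 7). The process name SignedConnection.exe is taken from the article; the DLL names, user paths and the record format are assumptions for illustration, since the article does not name the side-loaded DLL.

```python
"""Heuristic detection of DLL side-loading in image-load telemetry.

Added example for this article; not ClearSky's or the attackers' code.
Input events mimic Sysmon Event ID 7 (ImageLoaded) fields and are
constructed for illustration.
"""
from pathlib import PureWindowsPath

# Windows system DLLs whose names are commonly planted beside a legitimate
# executable so the loader finds the planted copy before the one in System32.
# Assumption: an illustrative subset; extend with your own watch list.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "userenv.dll", "cryptbase.dll",
    "secur32.dll", "wininet.dll", "profapi.dll", "dwmapi.dll",
}

# Locations where a DLL carrying a system name is expected to live.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Path fragments that indicate a folder an ordinary user can write to.
USER_WRITABLE_HINTS = (
    "\\downloads\\", "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\desktop\\",
)


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def in_user_writable_dir(path: str) -> bool:
    folder = str(PureWindowsPath(path).parent).lower() + "\\"
    return any(hint in folder for hint in USER_WRITABLE_HINTS)


def side_load_reasons(image: str, loaded: str) -> list[str]:
    """Return the indicators that make one image-load event look like side-loading."""
    loaded_path = PureWindowsPath(loaded)
    reasons = []
    if loaded_path.suffix.lower() != ".dll":
        return reasons
    # 1. A DLL with a Windows system name that is not in a system directory.
    if loaded_path.name.lower() in SYSTEM_DLL_NAMES and not in_system_dir(loaded):
        reasons.append("system DLL name outside a system directory")
    # 2. The DLL sits in the executable's own directory (first in the search order).
    #    PureWindowsPath compares case-insensitively, as Windows does.
    if loaded_path.parent == PureWindowsPath(image).parent and not in_system_dir(image):
        reasons.append("loaded from the executable's own directory")
    # 3. That directory is one a phished user could have extracted a ZIP into.
    if in_user_writable_dir(loaded):
        reasons.append("DLL in a user-writable location")
    return reasons


def is_side_load(reasons: list[str]) -> bool:
    """Applications legitimately load helper DLLs from their own directory, so
    indicator 2 alone is noise; require the name collision or two or more indicators."""
    return any(r.startswith("system DLL name") for r in reasons) or len(reasons) >= 2


def parse_event(line: str) -> dict:
    """Parse 'key=value|key=value' lines (constructed Sysmon-like format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def find_side_loads(lines) -> list[dict]:
    """Run the heuristic over log lines and return the events worth alerting on."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = side_load_reasons(ev["Image"], ev["ImageLoaded"])
        if is_side_load(reasons):
            findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return findings


# Constructed sample telemetry: the first line mirrors the article's scenario,
# the others are benign loads and a second planted DLL for contrast.
SAMPLE_LOG = [
    r"Image=C:\Users\alice\Downloads\SignedConnection\SignedConnection.exe|ImageLoaded=C:\Users\alice\Downloads\SignedConnection\version.dll",
    r"Image=C:\Users\alice\Downloads\SignedConnection\SignedConnection.exe|ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Users\bob\AppData\Local\Temp\wininet.dll",
]

if __name__ == "__main__":
    for f in find_side_loads(SAMPLE_LOG):
        print(f"{f['image']} -> {f['dll']}: {'; '.join(f['reasons'])}")
```

Only the first and last sample lines are flagged: the vendor application loading its own helper DLL from Program Files trips a single indicator and is left alone, which is the trade-off a real rule has to make, since requiring the system-name collision alone would miss a side-loaded DLL given a fresh name, while alerting on every same-directory load would drown the analyst.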
The final payload is the SlugResin backdoor, which gives the operators remote access to the compromised device whenever they choose. “By leveraging LinkedIn, a platform inherently built on trust and professional connections, TA455 seeks to gain credibility and avoid raising suspicion. Their use of fake recruiter profiles associated with fabricated companies further strengthens the deception and makes it more likely for victims to engage with their malicious links and attachments,” ClearSky researchers noted.
Aerospace employees targeted by hackers
“Dream Job” campaigns are not new: North Korean state-sponsored hackers have used the same lure for several years.
Iranian threat actors have now adopted the method. Based on the attack infrastructure used, ClearSky attributes this campaign to TA455, a subgroup of Charming Kitten, an Iranian APT group known for targeting governmental and military sectors. “TA455 intentionally attempts to mislead investigators by mimicking the tactics and tools of other threat actors, specifically the North Korean Lazarus group.
This includes utilizing similar ‘Dream Job’ lures, attack techniques, and even malware files that overlap with those used by Lazarus in DLL side-loading attacks. This deliberate misattribution aims to create confusion and hinder accurate attribution efforts,” the researchers explained. It’s also possible that with the same goal in mind, North Korea has intentionally shared attack methods and tools with Iran, they added.
Aerospace employees and others in high-value industries should treat unsolicited job offers on LinkedIn with suspicion, particularly any that require downloading and running an application to proceed. Practical checks: verify the recruiter and the vacancy through the company's official careers page rather than through links supplied in the message; never run executables or archives received in a recruiting conversation, however polished the accompanying instructions; and, on the defensive side, monitor endpoints for DLLs loaded from user-writable directories such as Downloads or Temp, the side-loading pattern this campaign relies on.