Hackers Target Aerospace With Fake Job Offers and Hidden Malware

In a Rush? Here are the Quick Facts!

  • The campaign uses LinkedIn profiles and fake companies to deliver SnailResin malware.
  • The malware bypasses antivirus by hiding in legitimate cloud services like GitHub.
  • The campaign has targeted organizations since September 2023, constantly changing tactics.

A recent cyber campaign, known as the “Iranian Dream Job” campaign, is targeting employees in the aerospace, aviation, and defense sectors by promising attractive job offers.

Cybersecurity firm ClearSky revealed that this campaign is the work of a group linked to the Iranian hacking organization known as “Charming Kitten” (also referred to as APT35).

The campaign aims to infiltrate targeted companies and steal sensitive information by tricking individuals into downloading malicious software disguised as job-related materials.

ClearSky says that the “Dream Job” scam involves fake recruiter profiles on LinkedIn, often using bogus companies to lure victims into downloading malware. The malware in question, called SnailResin, infects the victim’s computer, enabling the hackers to gather confidential data and monitor activities within the network.

ClearSky notes that these hackers have refined their techniques, such as using genuine cloud services like Cloudflare and GitHub to hide malicious links, making detection challenging.

Interestingly, the Iranian hackers have adopted tactics from North Korea’s Lazarus Group, which pioneered the “Dream Job” scam back in 2020. By mirroring Lazarus’ approach, the Iranian hackers mislead investigators, making it harder to trace the attacks back to them.

ClearSky explains that the attack uses a method called DLL side-loading, which allows malware to infiltrate a computer by posing as a legitimate software file. This technique, along with the use of encrypted files and complex coding, helps the hackers bypass common security measures.
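A defender's view of the DLL side-loading described above, as an added example that is not from ClearSky's report or this article: it scans image-load events (the kind an EDR or Sysmon image-load logging records) for a DLL that carries a system DLL's name but loads, unsigned, from the launching program's own directory. The event field names, the short DLL name list and the sample events are constructed assumptions.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Assumption: small illustrative sample of DLL names that normally load from
# System32. A real deployment would build this list from a clean reference image.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "winhttp.dll", "userenv.dll"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def is_trusted_dir(directory):
    """True if the (already normalized) directory is a Windows system directory."""
    d = directory.lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def find_sideload_candidates(events):
    """Return events where a system-named, unsigned DLL loads from the EXE's own folder."""
    hits = []
    for ev in events:
        # normpath collapses "..", so a path that only passes through System32 is not trusted
        dll_dir, dll_name = ntpath.split(ntpath.normpath(ev["dll"]))
        exe_dir = ntpath.dirname(ntpath.normpath(ev["image"]))
        if dll_name.lower() not in SYSTEM_DLL_NAMES or is_trusted_dir(dll_dir):
            continue
        # Signed vendor copies next to their own EXE are common and benign
        if dll_dir.lower() == exe_dir.lower() and not ev["dll_signed"]:
            hits.append(ev)
    return hits


# Constructed sample events (hypothetical paths, not indicators from the campaign)
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Viewer\viewer.exe",
     "dll": r"C:\Windows\System32\version.dll", "dll_signed": True},
    {"image": r"C:\Users\alice\Downloads\offer\viewer.exe",
     "dll": r"C:\Users\alice\Downloads\offer\version.dll", "dll_signed": False},
    {"image": r"C:\Users\alice\Downloads\offer\viewer.exe",
     "dll": r"C:\Users\alice\Downloads\offer\helper.dll", "dll_signed": False},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "dll": r"C:\Program Files\Vendor\dbghelp.dll", "dll_signed": True},
    {"image": r"C:\Windows\Temp\setup.exe",
     "dll": r"C:\Windows\System32\..\Temp\winhttp.dll", "dll_signed": False},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible side-load:", hit["image"], "<-", hit["dll"])
```

The heuristic is a triage filter, not a verdict: flagged loads still need a look at the DLL's hash, signer and how the folder arrived on the host.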

According to ClearSky, the malware successfully evades many antivirus programs, with only a few security tools able to identify it. Since September 2023, Iran’s “Dream Job” campaign has adapted and evolved, regularly updating its tactics and malware to stay one step ahead of cybersecurity defenses, says ClearSky.

Major cybersecurity firms, including Mandiant, have detected its activity across various countries, especially in the Middle East, notes ClearSky. They highlight its persistence and sophistication, noting that the campaign’s structure changes frequently, making it a constant threat to the targeted industries.

ClearSky warns that organizations in aerospace, defense, and similar high-stakes sectors should stay vigilant and adopt proactive measures to combat these types of attacks.

By educating employees about the risks of phishing and fake job offers and implementing robust security protocols, companies can help reduce vulnerability to these highly deceptive cyber threats.
