SnailResin Malware in Aerospace Attacks

The Iranian threat actor known as TA455 has been observed taking a leaf out of a North Korean hacking group's playbook to orchestrate its own version of the Dream Job campaign targeting the aerospace industry by offering fake jobs since at least September 2023.

"The campaign distributed the SnailResin malware, which activates the SlugResin backdoor," Israeli cybersecurity company ClearSky said in a Tuesday analysis.

TA455, also tracked by Google-owned Mandiant as UNC1549 and by PwC as Yellow Dev 13, is assessed to be a sub-cluster within APT35, which is known by the names CALANQUE, Charming Kitten, CharmingCypress, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.

Cybersecurity

Affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), the group is said to share tactical overlaps with clusters referred to as Smoke Sandstorm (previously Bohrium) and Crimson Sandstorm (previously Curium).

Earlier this February, the adversarial collective was attributed as behind a series of highly-targeted campaigns aimed at aerospace, aviation, and defense industries in the Middle East, including Israel, the U.A.E., Turkey, India, and Albania.

The attacks involve the use of social engineering tactics that employ job-related lures to deliver two backdoors dubbed MINIBIKE and MINIBUS. Enterprise security firm Proofpoint said it has also observed "TA455 use front companies to professionally engage with targets of interest via a Contact Us page or a sales request."

That said, this is not the first time the threat actor has leveraged job-themed decoys in its attack campaigns. In its "Cyber Threats 2022: A Year in Retrospect" report, PwC said it detected an espionage-motivated activity undertaken by TA455, wherein the attackers posed as recruiters for real or fictitious companies on various social media platforms.

"Yellow Dev 13 used a variety of artificial intelligence (AI)-generated photographs for its personas and impersonated at least one real individual for its operations," the company noted.

ClearSky said it identified several similarities between the two Dream Job campaigns conducted by the Lazarus Group and TA455, including the use of job opportunity lures and DLL side-loading to deploy malware.

This has raised the possibility that the latter is either deliberately copying the North Korean hacking group's tradecraft to confuse attribution efforts, or that there is some sort of tool sharing.

The attack chains make use of fake recruiting websites ("careers2find[.]com") and LinkedIn profiles to distribute a ZIP archive, which, among other files, contains an executable ("SignedConnection.exe") and a malicious DLL file ("secur32.dll") that's sideloaded when the EXE file is run.

Cybersecurity

The threat actors also provide a detailed PDF guide to their victims to instruct them on how to safely download the ZIP archive from the phony job posting site and launch the application.

According to Microsoft, secur32.dll is a trojan loader named SnailResin that's responsible for loading SlugResin, an updated version of the BassBreaker backdoor that grants remote access to a compromised machine, effectively allowing the threat actors to deploy additional malware, steal credentials, escalate privileges, and move laterally to other devices on the network.

The attacks are also characterized by the use of GitHub as a dead drop resolver by encoding the actual command-and-control server within a repository, thereby enabling the adversary to obscure their malicious operations and blend in with legitimate traffic.

"TA455 uses a carefully designed multi-stage infection process to increase their chances of success while minimizing detection," ClearSky said.

"The initial spear-phishing emails likely contain malicious attachments disguised as job-related documents, which are further concealed within ZIP files containing a mix of legitimate and malicious files. This layered approach aims to bypass security scans and trick victims into executing the malware."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.