Iranian hackers now leveraging NK’s ‘Dream Job’ campaign

Iranian state-sponsored cyber actors, often called Charming Kitten, have been observed targeting individuals in the aerospace industry with a ‘Dream Job’ campaign, a theme previously leveraged by North Korean hackers. According to cybersecurity researchers, the campaign has been ongoing since at least September 2023.

The targets are sent spearphishing emails that contain malicious attachments disguised as job-related documents, which are further hidden within ZIP files containing a mix of legitimate and malicious files.

The campaign also leverages fake recruiting websites and LinkedIn profiles with AI-generated content to distribute a ZIP archive, which, among other files, contains a trojan loader known as SnailResin which loads the SlugResin backdoor. SlugResin is capable of deploying additional malware, stealing credentials, escalating privileges, and enabling lateral movement to other devices on the network.

Be the first to know of emerging threats.

Sign up to get our analysts' insights on emerging cyberattacks, vulnerabilities, and more sent straight to your inbox.

Opt in

While the campaign is similar to those attributed to North Korean state-sponsored cyber actors, the Iranian campaign differs slightly in that it uses GitHub to encode the actual command-and-control server within a repository, which allows Charming Kitten to obscure their malicious operations by blending in with legitimate traffic.

Source: The Hacker News

Analysis

North Korea is well known for its use of job-themed campaigns targeting individuals across multiple industries. It appears that Iran has now jumped on the bandwagon to try its luck using the same technique. While Iran and North Korea have been known to cooperate in terms of technology sharing, training, and the exchange of cyber warfare expertise, it’s unclear if North Korea directly helped Iran facilitate these attacks, or simply inspired the home-grown Iranian operation.

While job-themed attacks on individuals working in areas of interest to Iran and North Korea have been a useful tactic, their effectiveness will likely decrease as potential targets become more aware and develop the ability to recognize these campaigns before they fall victim to them.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including Iranian state-sponsored actors. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.

Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect recommends scrutinizing unsolicited job application invites sent via email, message services such as WhatsApp, and social media. The individuals sending these invites could be fake, so always strive to verify the recruiter’s identity and association with the company they claim to represent. Generally, if an offer is too good to be true, it probably is.

Field Effect users are encouraged to submit suspicious emails, including job offers, to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.

Related Articles

• Lazarus targets aerospace and energy job seekers
• North Korean hackers, posing as IT workers, extorting Western firms
• Lazarus tricks job seeking developers with malware-laced coding test
• Cybersecurity company accidentally hires North Korean threat actor