A complex phishing campaign attributed to the Iranian-linked threat actor TA455 has been observed using sophisticated techniques to impersonate job recruiters on LinkedIn and other platforms.
ClearSky Cyber Security released the report today, which outlines TA455’s methods, targets and infrastructure.
The campaign, active since at least September 2023, begins with a spear phishing approach in which TA455 lures individuals with fake job offers. Using LinkedIn to gain trust, the attackers prompt victims to download a ZIP file titled “SignedConnection.zip,” which was flagged as malicious by five antivirus engines.
This ZIP file contains an EXE file designed to load malware into the victim’s system through DLL side-loading, where a malicious DLL file called “secur32[.]dll” is loaded instead of a legitimate one, allowing the attacker to run undetected code within a trusted process.
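The side-loading layout described above (an EXE shipped next to a DLL that carries the name of a Windows system library) is something a triage script can flag before anyone runs the archive. The following is an added example written for this article, not code from ClearSky or from the campaign's tooling: it scans a ZIP in memory and reports any EXE that sits in the same directory as a DLL whose file name matches a known system DLL. The name secur32.dll comes from the report; the other DLL names in the list, the sample file names, and the archive contents are constructed placeholders.

```python
import io
import posixpath
import zipfile

# Illustrative set of Windows system DLL names that attackers plant next to
# an EXE so the loader resolves them before System32. secur32.dll is the name
# reported for this campaign; the others are well-known system libraries
# added here as an assumption, not taken from the report.
SYSTEM_DLL_NAMES = {
    "secur32.dll",
    "version.dll",
    "dwmapi.dll",
    "wtsapi32.dll",
    "cryptbase.dll",
}


def find_sideload_candidates(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (exe_path, dll_path) pairs that share a directory in the archive.

    A DLL named like a system library but delivered beside an EXE is the
    classic side-loading layout: the EXE's own directory is searched first,
    so the bundled DLL wins over the genuine one in System32.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]

    by_dir: dict[str, dict[str, list[str]]] = {}
    for name in names:
        directory, base = posixpath.split(name)
        lower = base.lower()
        bucket = by_dir.setdefault(directory, {"exe": [], "dll": []})
        if lower.endswith(".exe"):
            bucket["exe"].append(name)
        elif lower in SYSTEM_DLL_NAMES:
            bucket["dll"].append(name)

    hits = []
    for bucket in by_dir.values():
        for exe in bucket["exe"]:
            for dll in bucket["dll"]:
                hits.append((exe, dll))
    return hits


def build_constructed_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {path: content}; only used to make test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample mirroring the reported layout: an EXE beside a DLL named
# secur32.dll. Every file name except secur32.dll is a placeholder.
SUSPICIOUS_ZIP = build_constructed_archive({
    "SignedConnection/sample.exe": b"MZ...placeholder...",
    "SignedConnection/secur32.dll": b"MZ...placeholder...",
    "SignedConnection/guide.pdf": b"%PDF-placeholder",
})

# Constructed benign archive: the DLL does not carry a system library name.
BENIGN_ZIP = build_constructed_archive({
    "app/tool.exe": b"MZ...placeholder...",
    "app/tool_helper.dll": b"MZ...placeholder...",
})

if __name__ == "__main__":
    for label, data in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, find_sideload_candidates(data))
```

The check is deliberately a naming heuristic: it says nothing about whether the DLL is malicious, only that the archive's layout matches the pattern the report describes, which is enough to route it to sandboxing instead of a user's desktop.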
Technical Analysis of the Malware and Infection Process
To increase the likelihood of infection, the attackers also provide a detailed PDF guide within the phishing materials. This guide instructs the victim on how to “safely” download and open the ZIP file, warning against actions that might prevent the attack from succeeding.
Once the ZIP file is accessed and the highlighted EXE file inside is executed, the malware initiates an infection chain. This process leads to the deployment of SnailResin malware, which then activates a secondary backdoor called SlugResin. ClearSky attributes both SnailResin and SlugResin to a subgroup of Charming Kitten, another Iranian threat actor.
Key details of the campaign include:
- Malicious file: “SignedConnection.zip,” detected as malicious
- Primary targets: Aerospace professionals, a frequent focus of TA455’s past campaigns
- Domains: Recently created and concealed domains like “careers2find[.]com” are used for distribution
The group further obscures its operations by encoding command-and-control (C2) communications on GitHub, a tactic that makes it difficult for traditional detection tools to recognize the threat. This GitHub-hosted C2 channel enables TA455 to retrieve data from compromised systems by blending malicious traffic with legitimate GitHub user activity.
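Because the C2 traffic lands on a service that employees use legitimately, blocking GitHub is rarely an option; what a defender can look at is the shape of the traffic. The following is an added example for this article, not code from ClearSky or from the report: it parses constructed proxy log lines, groups GitHub requests per client and host, and flags clients whose inter-request intervals are nearly constant, a general beaconing heuristic that the report itself does not describe. The log lines, IP addresses, repository paths and thresholds are all made up for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the report): "timestamp client host path".
# Client 10.0.0.5 polls api.github.com every ~300 s with almost no jitter;
# client 10.0.0.9 browses github.com at irregular intervals.
SAMPLE_LOG = """\
2023-09-14T10:00:00Z 10.0.0.5 api.github.com /repos/example/example/contents/x
2023-09-14T10:05:01Z 10.0.0.5 api.github.com /repos/example/example/contents/x
2023-09-14T10:10:00Z 10.0.0.5 api.github.com /repos/example/example/contents/x
2023-09-14T10:15:02Z 10.0.0.5 api.github.com /repos/example/example/contents/x
2023-09-14T10:20:00Z 10.0.0.5 api.github.com /repos/example/example/contents/x
2023-09-14T10:00:30Z 10.0.0.9 github.com /some-org/some-repo
2023-09-14T10:02:10Z 10.0.0.9 github.com /some-org/some-repo/issues
2023-09-14T10:31:45Z 10.0.0.9 github.com /explore
2023-09-14T11:05:03Z 10.0.0.9 github.com /some-org/other-repo
"""

# Hosts whose traffic we want to profile; assumed list for the example.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com"}


def parse_log(text: str) -> dict[tuple[str, str], list[datetime]]:
    """Collect request timestamps per (client, host) for GitHub hosts only."""
    events: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split(maxsplit=3)
        if host in GITHUB_HOSTS:
            events[(client, host)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beaconing(text: str, min_requests: int = 4, max_cv: float = 0.1):
    """Flag (client, host) pairs whose request gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to zero
    for a timer-driven poller and large for a human clicking around.
    Returns (client, host, mean_gap_seconds, cv) tuples.
    """
    hits = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append((client, host, round(mean), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beaconing(SAMPLE_LOG):
        print("beacon-like GitHub traffic:", hit)
```

Thresholds like four requests and a 10% coefficient of variation are starting points, not tuned values; in a real deployment the interesting follow-up is which process on the flagged host owns the connection and whether the repository it reads is one the organization actually uses.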
Attribution Challenges and Obfuscation Techniques
To complicate attribution, TA455 mimics tactics, names and file signatures associated with North Korea’s Lazarus Group. This intentional misattribution misleads investigators, resulting in frequent misidentification of TA455’s malware as North Korean Kimsuky malware.
Additional infrastructure analysis reveals that TA455 uses multiple IP addresses, with some links masked by Cloudflare, adding layers to obscure their digital trail. These IP addresses connect to Iranian hosting providers rarely linked to Iranian groups, which suggests a deliberate effort to evade tracking and detection.