Iranian Cybercriminals Target Aerospace Workers via LinkedIn

November 13, 2024 at 03:36PM

A phishing campaign, attributed to Iranian threat actor TA455, targets aerospace professionals on LinkedIn by impersonating recruiters. Victims download a malicious zip file, leading to malware installation via DLL side-loading. The malware deploys Snail Resin and uses covert tactics to evade detection. Caution is advised for users in the aerospace sector.

**Meeting Takeaways:**

1. **Phishing Campaign Overview:**
– Active since September; targets users on LinkedIn and other platforms.
– Impersonates job recruiters in the aerospace industry.

2. **Threat Actor Identification:**
– Attributed to Iranian-linked threat actor TA455 utilizing spear-phishing techniques.

3. **Malicious File Strategy:**
– Victims are enticed to download a zip file named “SIgnedConnection.zip.”
– Accompanied by a PDF guide that instructs the victim how to download and open the file "safely."

4. **Malware Deployment:**
– Zip file contains an executable that deploys malware via DLL side-loading.
– The DLL file “secure32[.]dll” facilitates undetected code execution.

5. **Infection Chain:**
– Leads to deployment of Snail Resin malware and a backdoor termed “SlugResin.”
– Both associated with another Iranian threat actor, Charming Kitten.

6. **Evasion Tactics:**
– Encoding of command-and-control (C2) communications on GitHub complicates detection.
– Tactics mimic those of Lazarus Group, increasing attribution difficulties.

7. **Target Audience:**
– Continued targeting of aerospace professionals; caution advised for LinkedIn users regarding unknown messages and connections.

8. **Upcoming Event:**
– Free Dark Reading Virtual Event on November 14 at 11 a.m. ET.
– Topics include MITRE ATT&CK, proactive security, and incident response, with expert speakers.
– Registration encouraged.
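As an added illustration (not code from the article or from the researchers it cites), a Python check that a mail or file gateway could run on an archive attachment to flag the packaging pattern described in items 3 and 4: an executable bundled in the same folder as a DLL it may side-load. The sample archive is constructed; only the folder name SIgnedConnection and the DLL name secure32.dll come from the article, while the executable and PDF names are assumed placeholders.

```python
import io
import posixpath
import zipfile
from collections import defaultdict

# "Runs on double-click" vs. "library an executable may load from its own folder".
EXECUTABLE_EXTS = {".exe", ".scr", ".com"}
LIBRARY_EXTS = {".dll"}

def find_sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """Flag archive folders holding an executable next to a DLL.

    That pairing is the packaging behind the SIgnedConnection.zip lure: the
    executable loads the planted DLL from its own folder (DLL side-loading).
    """
    groups = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            folder, name = posixpath.split(info.filename)
            ext = posixpath.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS:
                groups[folder]["exe"].append(name)
            elif ext in LIBRARY_EXTS:
                groups[folder]["dll"].append(name)
    return [
        {"folder": folder or "<root>", "executables": g["exe"], "dlls": g["dll"]}
        for folder, g in sorted(groups.items())
        if g["exe"] and g["dll"]
    ]

def build_lure_archive() -> bytes:
    """Constructed stand-in for the article's archive; contents are not real PE files.
    Only the folder name and secure32.dll come from the article; other names are assumed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("SIgnedConnection/launcher.exe", b"MZ placeholder")  # name assumed
        archive.writestr("SIgnedConnection/secure32.dll", b"MZ placeholder")
        archive.writestr("SIgnedConnection/how_to_open.pdf", b"%PDF placeholder")  # assumed
    return buf.getvalue()

def build_benign_archive() -> bytes:
    """Constructed document-only archive that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docs/cv.pdf", b"%PDF placeholder")
        archive.writestr("docs/offer.docx", b"PK placeholder")
    return buf.getvalue()
```

A hit on the lure archive reports the folder with its executable and DLL names, which is enough to quarantine the attachment for analyst review rather than deliver it.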

Please ensure the above takeaways are shared with all relevant stakeholders.
