# Iranian “Dream Job” campaign 


Ver 1.1
11/24


Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
[TLP: Clear         www.clearskysec.com](http://www.clearskysec.com/)


-----

## Contents
Executive Summary ......................................................................................................................... 2

Techniques Employed by TA455 for Evading Detection .................................................................. 4

Technical Analysis ............................................................................................................................ 6

Infrastructure analysis ................................................................................................................... 10

TTPs used by TA455 in the Iranian "Dream Job" Campaign .......................................................... 12

Indicators Of Compromise: ........................................................................................................... 14

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k | P


-----

# Iranian Dream Job campaign

## Executive Summary

ClearSky Cyber Security has uncovered the infrastructure of an Iranian campaign targeting the

aerospace industry by distributing the SnailResin malware via a scheme of a “dream job” offering,
AKA the Iranian “Dream Job” campaign.

“Dream Job” is a campaign in which the adversary manipulates the targets by offering them a

"dream job", mainly to employees in aerospace, aviation, and defense.

Clear Sky Security uncovered[1] in August 2020 the first "Dream Job" campaign, run by North
Korean Lazarus Group.

[https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf](https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf)

We attribute the current "Dream Job" campaign to TA455, a subgroup of the Iranian threat actor

"Charming Kitten". In the campaign, we discovered a file containing the SnailResin malware.

Both SlugResin and SnailResin were attributed by Microsoft to a subgroup of charming kitten
(also known as APT35 and Smoke Sandstorm[1]). Our investigation revealed that the malware is
downloaded from a domain that impersonates a job recruiting website (recurring theme for the

adversary), through which the recruiter's LinkedIn profile is revealed. The adversary appears to
be using the same profile as in previous attacks.

Malware files were detected as Kimsuky/Lazarus APT groups by antivirus engines in a few cases

instead of Charming Kitten.

We found significant similarities between the North Korean Lazarus APT Group and Charming
Kitten attacks. There are several similarities between these two threat actors, including the use
of the "Dream Job" luring campaign, the attack technique, and the use of several malware files

to deploy malware through DLL Side Loading attacks.

The following conclusions can be drawn as a result:

- Charming Kitten impersonated the North Korean campaign to conceal their activities.

1 [security.microsoft.com/intel-explorer/articles/39a136d2?tid=ba71bfaa-87f8-4029-af04-f4eb1aa171f2](http://security.microsoft.com/intel-explorer/articles/39a136d2?tid=ba71bfaa-87f8-4029-af04-f4eb1aa171f2)

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k 2 | P


-----

- North Korea shared with Iran their attack methods and tools, hence similarity in attack

scenario and detection.

Iran's "Dream Job" campaign has been active since at least September 2023, constantly
changing its infrastructure and malware. Mandiant published an article in February 2024 about
"suspected Iranian espionage activity targeting the Middle East aerospace, aviation, and defense
industries, especially in Israel and the United Arab Emirates (UAE), as well as possibly Turkey,
India, and Albania.[2]

LinkedIn profiles of the "recruiters" identified in the current campaign are "newer versions" of
those previously reported by Mandiant.

One profile we discovered was associated with a fake company called "Careers 2 Find" which
previously worked for "1st Employer", a fake recruiting website highlighted by Mandiant in
February.

TA455, also known as Smoke Sandstorm, BOHRIUM and Yellow Dev13, is a subgroup of Iranian

threat actor Charming Kitten (APT35). TA455 targets organizations in Israel using double attack
scenarios (two scenarios in one attack, one malicious and one for camouflage), DLL search order

hijacking and masquerading as recruiters for companies, to target company employees with
spear-phishing.

Charming Kitten also known as APT35, is an Iranian Advanced Persistent Threat (APT) group active
in targeting various sectors for many years, especially focusing on governmental and military

sectors. Charming Kitten frequently uses multi-stage infection chains designed to steal sensitive
data and facilitate remote access for further exploitation.

In recent campaigns, Charming Kitten has leveraged social engineering tactics, primarily

through phishing, to lure victims. This group is reportedly leveraging high-level obfuscation and

custom malicious code to evade detection while delivering these payloads. Their methods align

closely with command-and-control operations, which allow them to manage and exfiltrate data
from compromised networks effectively. Charming Kitten’s focus in 2024 has intensified in
Eastern Europe and Israel, likely influenced by the ongoing geopolitical tensions surrounding

Iran’s alliances and interests, particularly against entities perceived as oppositional to Iranian
geopolitical aims.

2 [cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east/](http://cloud.google.com/blog/topics/threat-intelligence/suspected-iranian-unc1549-targets-israel-middle-east/)

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k 3 | P


-----

The group’s technical sophistication is moderate to high, using both established RATs and
complex, custom-built malware.

The group's infrastructure and campaign characteristics bear resemblance to previous Iranian
state-backed campaigns but have adapted to bypass current security measures, with significant

use of evasive techniques to ensure persistence within targeted networks. This ongoing threat
has led cybersecurity firms to increase monitoring and mitigation efforts, specifically in sectors

most affected by Charming Kitten's activities, such as governmental, military, and critical

infrastructure organizations.

## Techniques Employed by TA455 for Evading Detection 

1. Impersonating Other Threat Actors: TA455 intentionally attempts to mislead investigators by

mimicking the tactics and tools of other threat actors, specifically the North Korean Lazarus
group. This includes utilizing similar "Dream Job" lures, attack techniques, and even malware

files that overlap with those used by Lazarus in DLL side-loading attacks. This deliberate

misattribution aims to create confusion and hinder accurate attribution efforts.

2. Leveraging Legitimate Services: To conceal their infrastructure and C2 communications,

TA455 hides within the traffic of legitimate online services like Cloudflare, GitHub and

Microsoft Azure cloud. Using Cloudflare for their malicious domains like "careers2find[.]com"
helps to mask the true server location and ownership, making it harder to track their
operations. Similarly, they exploit GitHub to host encoded C2 server information, retrieving it

through seemingly innocuous accounts like "msdnedgesupport". This blending with
legitimate traffic allows them to maintain a low profile and avoid raising red flags for security

systems.

3. Multi-Stage Infection Process: TA455 uses a carefully designed multi-stage infection process

to increase their chances of success while minimizing detection. The initial spearphishing

emails likely contain malicious attachments disguised as job-related documents, which are
further concealed within ZIP files containing a mix of legitimate and malicious files. This

layered approach aims to bypass security scans and trick victims into executing the
malware. Once executed, the malware performs various actions in stages, like checking the

victim's IP address and retrieving C2 server information from compromised GitHub
accounts, making it harder to detect and analyze the full scope of the attack.

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k | P


-----

4. Exploiting Trust and Professional Networks: By leveraging LinkedIn, a platform inherently

built on trust and professional connections, TA455 seeks to gain credibility and avoid raising

suspicion. Their use of fake recruiter profiles associated with fabricated companies further
strengthens the deception and makes it more likely for victims to engage with their

malicious links and attachments. This exploitation of a trusted platform allows them to
bypass traditional security measures that might flag suspicious emails or websites.

5. Constant Evolution of Infrastructure and Malware: TA455 continuously modifies its

infrastructure and malware, making it harder for security researchers and tools to keep up.
Their constant adaptation, evidenced by changing domains, IP addresses, and malware

variants, forces defenders to constantly update their defenses and makes it challenging to
establish consistent detection patterns.

6. Low Antivirus Detection Rates: The malicious ZIP file used in the campaign was only flagged

as malicious by five antivirus engines, with a primary misattribution to the North Korean

Kimsuky group. This low detection rate highlights their ability to craft malware that evades
traditional signature-based detection methods. This could be achieved through various

techniques like obfuscation, encryption, or the use of one-day exploits.

7. High-Level Obfuscation and Custom Code: TA455's use of advanced obfuscation techniques

and custom-built malware, designed specifically to evade detection. By employing

sophisticated methods to conceal their malicious code, they can bypass security tools that
rely on identifying known malware signatures or behaviors. This demonstrates a moderate
to high level of technical sophistication and a commitment to staying ahead of security

defenses

8. Target Specificity: The "Dream Job" campaign consistently targets the aerospace, aviation,

and defense industries. This suggests a strategic interest in acquiring sensitive information
and potentially disrupting operations within these critical sectors. The focus on these

industries aligns with Iran's geopolitical interests and its history of cyber espionage activities
targeting entities perceived as adversaries.

9. Persistence and Evolution: the Iranian "Dream Job" campaign has been active since at least

September 2023, indicating a persistent effort by TA455. The constant changes in
infrastructure and malware demonstrate their adaptability and commitment to staying

ahead of security measures. This highlights the need for ongoing vigilance and proactive
defense strategies.

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k | P


-----

## Technical Analysis

Main malicious file in the campaign - SignedConnection[.]zip
On October 29th, 2024, a registered user from the US uploaded the ZIP file, followed by an
unregistered user from the US. There are five engines that flag the file as malicious, with the
main attribution to North Korean Kimsuky (a recurring misattribution in adversary attacks).

File name: SignedConnection[.]zip
File type: ZIP
Md5: bb4c8f42cc624c628e4b98bd43f29fa6
Sha1: 3a0b3426f4a2f85e0c82b2804aab7f5d5bb63fb7
Sha256: bf308e5c91bcd04473126de716e3e668cac6cb1ac9c301132d61845a6d4cb362

The ZIP file is downloaded ITW from the domain: careers2find[.]com .

The Domain careers2find[.]com was created four months ago, hiding it’s real IP under Cloudflare
service.

A job offer in the aerospace industry was found on the Iranian threat actor's "recruitment" site. In
the past, this sector has been targeted by the actor.

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k 6 | P


-----

From the campaign's website, a job posting for the aerospace industry.

A PDF instruction file (see image below) is also downloaded from the same website
careers2find[.]com with instructions on how to "safely" access the website. It is designed to
ensure infection.

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k | P


-----

Several files, including legitimate ones, are included in the downloaded ZIP file. Clicking the
highlighted EXE file displays the following GUI:

Most of the ZIP files were added to it on October 15[th], 2024.

The following actions occur when the EXE file is executed:

  - The malicious file secur32[.]dll is loaded by DLL side loading (there is a legitimate file

with the same name, but the one in question is malicious).

  - The IP address of the victim computer is checked by the website api[.]ipify[.]org.

  - Accessing the GitHub account msdnedgesupport to download information:

[https://]raw.ghubusercontent.com/msdnedgesupport/msdn/main/README.html

Downloaded information is ASCII encoded and looks like this:

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k 8 | P


-----

After deleting the # characters and converting the numbers to characters using ASCII table, the C2
server address is revealed: xboxapicenter[.]com .

This domain resolves to "Stark Industries” IP address: 89.221.225[.]249 .

The actor previously used a fake XBOX domain:

During execution simulation, Proofpoint EDR identified the domain xboxapicenter[.]com as
belonging to threat actor TA455.

## Revealing the "recruiters" fake identities

Recent searches on Careers2Find revealed a LinkedIn profile that had served as a threat actor's
recruiter in the past; however, the domain was only created four months ago.

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k 9 | P


-----

The following profiles were also detected claiming to be recruiters for this company:

## Infrastructure analysis

Examining the digital certificates linked to IP address 89[.]221.225.249, resolved by domain
xboxapicenter[.]com, yielded a second certificate linked to 20 more IP addresses of the same

range: 89[.]221.225.0/24, as well as two other IP addresses from the range 77[.]91.74.0/24 (from
the same AS).

Although the certificate was issued before the C2 server domain was established, it was also
linked to the above IP address. The addresses associated with this certificate are consecutive

within the range. This certificate is associated with additional addresses attributed to an Iranian
adversary with low confidence according to ClearSky.

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k 0 | P


-----

Certificate details:
Common name:
Subject: localhost
Issuer: localhost
SHA1: 21b0327e7ccb36d9ba00359e078acaa9a2320c83
Serial number: 84540175500579177624119799943918273904002380806

Domain careers2find[.]com, attributed to the threat actor, resolved to a unique IP address of an

ASN rarely used by Iranian threat actors prior to its resolution to Cloudflare IP addresses:

IP AS \ ASN Registrant

185[.]186.244.130 Webzilla B.V. \ 35415 Hostry Inc. and Inxy

As this is a unique IP address resolved to by a domain attributed to the threat actor prior to its
transfer to Cloudflare service, ClearSky attributes it to the threat actor with high confidence.

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k | P

|IP|AS \ ASN|Registrant|
|---|---|---|
|185[.]186.244.130|Webzilla B.V. \ 35415|Hostry Inc. and Inxy|


-----

## TTPs used by TA455 in the Iranian "Dream Job" Campaign

TTP Description Insights MITRE ATT&CK

Initial Spearphishing via TA455 leverages the trust and T1566.001:
Access LinkedIn professional networking nature of Spearphishing

LinkedIn to approach targets with Attachment.
seemingly legitimate job offers. This T1566.002:
method increases the likelihood of Spearphishing Link
victims opening malicious
attachments or clicking on links
leading to compromised websites.

Execution DLL Side-Loading By utilizing DLL side-loading, TA455 T1574.002: DLL Sideexploits the Windows operating Loading
system's DLL search order to load a
malicious DLL instead of the
legitimate one. This technique allows
them to execute malicious code
within the context of a trusted
process, making it harder to detect.

Discovery IP Address Determining the victim's IP address is T1592: Gather Victim
Discovery crucial for the attackers to assess the Host Information

target's location and potentially tailor
their attacks based on geographic
region or organizational affiliation.
TA455 utilizes the website
api[.]ipify[.]org for this purpose.

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k 2 | P

|TTP|Description|Insights|MITRE ATT&CK|
|---|---|---|---|
|Initial Access|Spearphishing via LinkedIn|TA455 leverages the trust and professional networking nature of LinkedIn to approach targets with seemingly legitimate job offers. This method increases the likelihood of victims opening malicious attachments or clicking on links leading to compromised websites.|T1566.001: Spearphishing Attachment. T1566.002: Spearphishing Link|
|Execution|DLL Side-Loading|By utilizing DLL side-loading, TA455 exploits the Windows operating system's DLL search order to load a malicious DLL instead of the legitimate one. This technique allows them to execute malicious code within the context of a trusted process, making it harder to detect.|T1574.002: DLL Side- Loading|
|Discovery|IP Address Discovery|Determining the victim's IP address is crucial for the attackers to assess the target's location and potentially tailor their attacks based on geographic region or organizational affiliation. TA455 utilizes the website api[.]ipify[.]org for this purpose.|T1592: Gather Victim Host Information|


-----

|Command and Control|The use of GitHub for hosting the C2 domain.|TA455 employs GitHub as a covert communication channel for their C&C infrastructure. By encoding the C&C server address within seemingly innocuous files on a GitHub repository, they can retrieve it while blending in with legitimate users, making detection more difficult.|T1102.001: Web Service: Dead Drop Resolver: GitHub|
|---|---|---|---|
|Defense Evasion|Impersonation of Other Threat Actors|TA455 deliberately mimics tactics and tools associated with North Korean Lazarus APT Group, creating intentional misattribution in an attempt to deflect blame and complicate investigations. The frequent detection of their malware as Kimsuky further reinforces this tactic. In the attack, legitimate file names are used as the malicious payload to facilitate DLL Side Loading.|T1036.005: Masquerading: Match Legitimate Name or Location|
|Defense Evasion|Obfuscation and Evasive Code|TA455 incorporates advanced obfuscation techniques and utilizes custom malicious code to evade detection by traditional security solutions. This includes multi-stage infection chains and reliance on legitimate services like Cloudflare to mask their infrastructure.|T1027: Obfuscated Files or Information|
|Collection|Exfiltration over C2 Channel|TA455 uses its established C2 channel, facilitated through GitHub and encoded communication, to exfiltrate collected data from compromised systems.|T1041: Exfiltration Over C2 Channel|


Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k 3 | P


-----

## Indicators Of Compromise:

Files (SHA-1):
2a29ba7302024ec1255811abec2a532136d12fef
3a0b3426f4a2f85e0c82b2804aab7f5d5bb63fb7
1acd34fb6de5c645e03ded9875046979be7893c4
2e7fc6d63ce16075a3fe3584e03be24a9bc220e1
aa5fcea406edd406bd6e0a23e83beebe2b3582d1
c52beb64f7450fce923d15efaa1e5be4c0e43d2b


Network:


careers2find.com


xboxapicenter.com


hxxps[://]raw[.]githubusercontent[.]com/msdnedgesupport


hxxps[://]github[.]com/msdnedgesupport


185[.]186[.]244[.]130


89[.]221[.]225[.]249

77[.]91[.]74[.]171 (low probability)

77[.]91[.]74[.]186 (low probability)


89[.]221[.]225[.]235 (low probability)

89[.]221[.]225[.]246 (low probability)

89[.]221[.]225[.]245 (low probability)

89[.]221[.]225[.]234 (low probability)

89[.]221[.]225[.]248 (low probability)

89[.]221[.]225[.]237 (low probability)

89[.]221[.]225[.]236 (low probability)

89[.]221[.]225[.]247 (low probability)

89[.]221[.]225[.]239 (low probability)

89[.]221[.]225[.]238 (low probability)

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k | P


-----

89[.]221[.]225[.]240 (low probability)

89[.]221[.]225[.]242 (low probability)

89[.]221[.]225[.]231 (low probability)

89[.]221[.]225[.]230 (low probability)

89[.]221[.]225[.]241 (low probability)

89[.]221[.]225[.]244 (low probability)

89[.]221[.]225[.]233 (low probability)

89[.]221[.]225[.]232 (low probability)

89[.]221[.]225[.]243 (low probability)

Copyright © 2024, ClearSky Cyber Security Ltd (“ClearSky”). All Rights Reserved.
TLP Cl l k | P


-----