Iranian cyber espionage group TA455, also known as UNC1549 or Yellow Dev 13, has been actively targeting the aerospace, aviation, and defense industries since at least September 2023. The group, which operates under the auspices of Iran’s Islamic Revolutionary Guard Corps (IRGC), is known for employing sophisticated social engineering tactics to compromise high-profile organizations. Their latest campaign mimics the strategies of North Korea’s Lazarus Group, particularly in the use of fake job offers to lure victims into opening malicious attachments. These phishing attempts are carefully crafted to appear legitimate, using AI-generated personas and fraudulent LinkedIn profiles to engage targets.
The primary malware deployed in these attacks is SnailResin, which is distributed through malicious emails disguised as job-related documents. Once executed, SnailResin installs the SlugResin backdoor, an upgraded version of the BassBreaker backdoor. This backdoor allows the attackers to gain remote access to compromised machines, enabling them to steal credentials, escalate privileges, and move laterally within the network. The use of fake recruiting websites and the sideloading of a malicious DLL file, secur32.dll, further complicate detection efforts by security systems.
ClearSky, an Israeli cybersecurity firm, has linked these attacks to previous campaigns attributed to TA455, which have targeted various aerospace and defense sectors in the Middle East, including countries like Israel, the UAE, Turkey, India, and Albania. The threat actor’s use of social engineering tactics to disguise their activities is part of a broader trend of increasingly sophisticated cyber espionage operations. By impersonating recruiters and leveraging both legitimate and malicious files, the attackers are able to bypass security measures and ensure the success of their operations.
In addition to traditional malware delivery methods, TA455 has also used GitHub repositories to act as dead-drop resolvers for command-and-control servers, masking their communications in seemingly legitimate traffic. This multi-layered, multi-stage infection process is designed to evade detection while maximizing the potential for successful infiltration. As the threat actor continues to refine its tactics, organizations in sensitive sectors must remain vigilant against such advanced persistent threats and invest in robust security measures to detect and mitigate these complex attacks.