Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Iranian Group Targets Israeli Firms

ClearSky: Attackers Lure Victims With Fake Job Offers
Iranian Group Targets Israeli Firms

Researchers at cybersecurity firm ClearSky say an Iranian APT group, dubbed "Siamesekitten," is targeting Israeli companies in a supply chain attack campaign. The attackers are luring victims with fake job offer emails that direct recipients to websites that download malware.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

Siamesekitten, also known as Lyceum and Hexane, has been active since 2018. It has carried out at least two waves of attacks - in May and July - as part of the current campaign, ClearSky reports.

During its early days, the threat group focused its attacks on African countries, but it later shifted to targeting critical control systems of oil and gas companies in the Middle East and Asia. The latest attacks, however, appear to be aimed exclusively at IT and communications companies in Israel as part of an effort to facilitate broader supply chain attacks, the researchers say.

"The group's main goal is to conduct espionage and utilize the infected networks [of IT and communications firms] to gain access to their clients’ networks," ClearSky says. "As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware.”

Lured by Job Offers

In the recent phishing campaigns, the Siamesekitten group impersonated companies, such as ChipPc and Software AG, to make fake job offers, luring victims to open malicious documents that enable the attackers to download the DanBot RAT to the victim’s computer.

Researchers say the threat group “thoroughly researches the subject of impersonation,” and leverages social networks, such as LinkedIn, in these attacks.

The researchers described how a fake profile of a person claiming to be the human resources manager at ChipPc was used. The person, however, was a former employee who had worked for ChipPc in 2007, the researchers learned.

Fake LinkedIn profile (Source: ClearSky)

The threat group, researchers say, claims to offer jobs in HR, project management and sales in countries including Israel, France and the U.K.

XLS lure document (Source: ClearSky)

The researchers note how victims receive an attractive fake job offer via email, which directs them to a legitimate-looking impersonated website of a known company. Fake company files on the site, which purport to provide further job details, contain malware embedded in a password-protected Macros XLS document. If clicked on, the files download a backdoor using a malicious macro, establishing a connection between the infected machine and the attacker’s command-and-control server, which will eventually lead to the download of a RAT onto the victim's computer.

Impersonated ChipPc website (Source: ClearSky)

This form of intrusion initiation was seen in earlier Dragos research from 2019 on Siamesekitten, which found that the threat group used “malicious documents that drop malware to establish footholds for follow-on activity.”

The researchers at ClearSky also noted that “several other security companies were able to detect a partial resemblance between activities conducted by Siamesekitten and two other Iranian groups, APT33 and APT34.”

Similar Campaign

McAfee earlier reported a similar campaign, Operation Diànxùn, run by APT group RedDelta, also known as Mustang Panda or TA416. The threat actors used a fake Huawei careers website to lure telecommunications workers and infect the job seekers' devices with malware that could steal information, according to the McAfee Advanced Threat Research Strategic Intelligence team (see: Hacking Group Conducted Espionage Campaign Targeting Telcos).


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.