Iranian Group Targets Israeli Firms
ClearSky: Attackers Lure Victims With Fake Job Offers
Researchers at cybersecurity firm ClearSky say an Iranian APT group, dubbed "Siamesekitten," is targeting Israeli companies in a supply chain attack campaign. The attackers are luring victims with fake job offer emails that direct recipients to websites that download malware.
Siamesekitten, also known as Lyceum and Hexane, has been active since 2018. It has carried out at least two waves of attacks - in May and July - as part of the current campaign, ClearSky reports.
During its early days, the threat group focused its attacks on African countries, but it later shifted to targeting critical control systems of oil and gas companies in the Middle East and Asia. The latest attacks, however, appear to be aimed exclusively at IT and communications companies in Israel as part of an effort to facilitate broader supply chain attacks, the researchers say.
"The group's main goal is to conduct espionage and utilize the infected networks [of IT and communications firms] to gain access to their clients' networks," ClearSky says. "As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware."
Lured by Job Offers
In the recent phishing campaigns, the Siamesekitten group impersonated companies such as ChipPc and Software AG to make fake job offers, luring victims into opening malicious documents that enable the attackers to download the DanBot RAT to the victim's computer.
Researchers say the threat group “thoroughly researches the subject of impersonation,” and leverages social networks, such as LinkedIn, in these attacks.
The researchers described how a fake profile of a person claiming to be the human resources manager at ChipPc was used. The person, however, was a former employee who had worked for ChipPc in 2007, the researchers learned.
The threat group, researchers say, claims to offer jobs in HR, project management and sales in countries including Israel, France and the U.K.
The researchers note how victims receive an attractive fake job offer via email, which directs them to a legitimate-looking impersonated website of a known company. Fake company files on the site, which purport to provide further job details, carry the malware inside a password-protected, macro-enabled XLS document. If opened, the file's malicious macro downloads a backdoor that establishes a connection between the infected machine and the attacker's command-and-control server; that connection is eventually used to deliver the RAT to the victim's computer.
This form of intrusion initiation was seen in earlier Dragos research from 2019 on Siamesekitten, which found that the threat group used “malicious documents that drop malware to establish footholds for follow-on activity.”
The researchers at ClearSky also noted that “several other security companies were able to detect a partial resemblance between activities conducted by Siamesekitten and two other Iranian groups, APT33 and APT34.”
McAfee earlier reported a similar campaign, Operation Diànxùn, run by APT group RedDelta, also known as Mustang Panda or TA416. The threat actors used a fake Huawei careers website to lure telecommunications workers and infect the job seekers' devices with malware that could steal information, according to the McAfee Advanced Threat Research Strategic Intelligence team (see: Hacking Group Conducted Espionage Campaign Targeting Telcos).