Iranian threat actors have impersonated IT and communication firms in Israel, and the HR employees of those firms, to target victims with fake job offers in order to compromise their computers and ultimately gain access to the companies' clients.
According to researchers from the Israeli cyber security company ClearSky, the supply chain attack campaigns, which occurred in two waves in May and July 2021, have been linked to a hacker group named Siamesekitten (aka Lyceum or Hexane). The group has primarily targeted oil, gas, and telecom providers in the Middle East and in Africa since at least 2018.
The hackers identified potential victims and then tempted them with attractive job offers at well-known companies like ChipPc and Software AG, posing as human resources employees of the impersonated firms. The victims were then led to a phishing website hosting weaponized files that drop a backdoor known as Milan, which establishes a connection with a remote server and downloads a second-stage remote access trojan named DanBot.
ClearSky reported that the attacks focused on IT and communication companies, which indicates that they are intended to facilitate supply chain attacks on those companies' clients.
Besides using lure documents as an initial attack vector, the group’s infrastructure included setting up fraudulent websites to mimic the company being impersonated as well as creating fake profiles on LinkedIn. The lure files are in the form of a macro-embedded Excel spreadsheet that details the supposed job offers and a portable executable (PE) file that includes a ‘catalog’ of products used by the impersonated organization.
The attack chain culminates in the installation of the C++-based Milan backdoor. The July 2021 attacks against Israeli companies are also notable as the threat actor replaced Milan with a new implant called Shark that’s written in .NET.
ClearSky stated that this campaign is similar to the North Korean 'job seekers' campaign, which likewise relies on impersonation. The main goal of the gang is to conduct espionage and to use the infected network as a foothold for reaching the clients of the compromised companies.