Iranian hackers have impersonated Israeli IT and communication enterprises and their HR employees to target victims with fraudulent employment offers in order to gain access to their computers and the company’s clients.
The supply chain attack campaigns, which took place in two waves in May and July 2021, have been attributed to a group known as Siamesekitten (aka Lyceum or Hexane), according to Israeli cyber security firm ClearSky.
Since at least 2018, they have largely targeted oil, gas, and telecom providers in the Middle East and Africa.
Posing as human resources staff from the impersonated firms, the Iranian hackers identified potential victims and enticed them with lucrative job offers from well-known companies such as ChipPc and Software AG.
The victims are then directed to a phishing website hosting malicious files that download a second-stage remote access trojan known as DanBot and deploy a backdoor known as Milan, which establishes communication with a remote server.
According to ClearSky, the attacks targeted IT and communication firms, suggesting that they are being leveraged to facilitate supply chain attacks on their clients.
ClearSky’s report states:
We believe that during the past several months Siamesekitten APT has been trying to penetrate into many Israeli organizations, using supply chain tools.
Apart from employing lure documents as an initial attack vector, the group’s infrastructure includes fake LinkedIn profiles and fraudulent websites that imitate the organisation being impersonated.
The lure files are a macro-embedded Excel spreadsheet that outlines the fake employment offers and a portable executable (PE) file that contains a ‘catalogue’ of products utilised by the impersonated company.
The Milan backdoor, which is written in C++, is installed at the end of the attack chain.
In the July 2021 attacks against Israeli companies, the threat actor replaced Milan with a new implant named Shark, which is written in .NET.
According to ClearSky, this operation is identical to North Korea’s impersonation-based “job seekers” campaign.
The group’s main purpose is to conduct espionage and to use the compromised network as a foothold for reaching the networks of the victim’s clients.