Security researchers uncovered a new cyberespionage campaign by Iranian hackers targeting IT and telecom companies in Israel with supply-chain attacks. Tracked as Siamesekitten (also known as Lyceum or Hexane), the Iranian APT group imitated HR personnel to lure unwitting users with fake job offers.
According to research from cybersecurity firm ClearSky, threat actors are specifically targeting IT professionals to pilfer their credentials and then leverage that to break into the company’s network systems. It is found that attackers are diverting the victims to a fake website hosted on the impersonating server. The website presents two phishing files – an Excel file that deploys the malicious macro and an executable file that delivers the backdoor onto the targeted device. The downloaded malware will then connect the compromised machine and the hacker-operated C&C server, eventually deploying the RAT.
Old Group New Malware
Since 2018, the Siamesekitten group has mainly targeted organizations in oil, gas, and telecom industries across Africa and Middle Eastern countries. ClearSky stated that it detected two Siamesekitten attacks in May and July 2021 with a new malware variant – Shark.
Siamesekitten Attack Sequence
ClearSky researchers also detailed how the Siamesekitten group initiates its attack vector. This includes:
- Directing the victim to the phishing website that impersonates the targeted organization.
- Creating lure files compatible with the impersonated organization.
- Setting up a fraudulent profile on LinkedIn, impersonating the mentioned HR department employee.
- Contacting potential victims with an alluring job offer, detailing a position in the impersonated organization
- The DanBot RAT is downloaded to the infected system.
- The group gathers data through the infected machine, conducts espionage, and attempts to spread within the network.
“This campaign is similar to the North Korean ‘job seekers’ campaign, employing what has become a widely used attack vector in recent years – impersonation. The group’s main goal is to conduct espionage and utilize the infected network to access their clients’ networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware,” ClearSky said.