Iranian APT poses as HR personnel in attacks against Israeli targets

A cyberespionage group associated with the Iranian government has been trying to compromise Israeli companies using supply chain techniques and a large infrastructure that enabled it to impersonate HR personnel in order to lure IT experts, hack into their computers and gain access to their companies’ data.

Tracked as Siamesekitten, Lyceum, and Hexane, the group has been conducting cyberespionage campaigns in the Middle East and Africa since at least 2018. In multiple attacks detected by Clearsky researchers in May and July this year, Siamesekitten was seen combining social engineering techniques with an updated backdoor called “Shark”, which replaced an older variant known as “Milan”.

In their new report Clearsky researchers detailed the attack sequence of Siamesekitten’s attacks, which includes the following phases:

1. Identifying the potential victim (employee).

2. Identifying the human resources department employee who may be impersonated.

3. Establishing a phishing website that impersonates the targeted organization.

4. Creating lure files compatible with the impersonated organization.

5. Setting up a fraudulent profile on LinkedIn, impersonating the mentioned HR department employee.

6. Contacting potential victims with an "alluring" job offer, detailing a position in the impersonated organization.

7. Sending the victim to a phishing website with a lure file.

8. The Milan backdoor malware infects the computer or server after one or more lure files are downloaded. As a result, a connection is established between the infected machine and the C&C server using DNS and HTTPS.

9. The DanBot RAT is downloaded to the infected system.

10. Through the infected machine, the group gathers data, conducts espionage, and attempts to spread within the network.

“This campaign is similar to the North Korean "job seekers" campaign, employing what has become a widely used attack vector in recent years - impersonation. Many attack groups are executing this type of campaign, such as the North Korean Lazarus campaign we exposed in the summer of 2020 (Dream Job) and the Iranian OilRig campaign (APT34) that targeted Middle Eastern victims in the first quarter of 2021,” the researchers said.

The hackers lure potential victims with a bogus job offer at a known company that they are impersonating. The victim is referred to a website under the attackers’ control, which provides information on jobs in Israel, France, and the UK. To deliver a backdoor to the victim’s machine the attackers use two lure files - an Excel file that drops the backdoor using a malicious macro, and an executable that drops the same backdoor onto the machine.

The attackers then establish a connection between the compromised computer and a command and control server, after which a RAT is downloaded onto the device.

While the APT appears to have pivoted from targeting organizations in the Middle East and Africa, the researchers believe that their focus on the IT and communication companies in Israel is just a way to compromise their clients via supply chain attacks.

“According to our assessment, the group's main goal is to conduct espionage and utilize the infected network to gain access to their clients’ networks. As with other groups, it is possible that espionage and intelligence gathering are the first steps toward executing impersonation attacks targeting ransomware or wiper malware,” Clearsky notes.
