
Suspected Iranian government-backed online attackers have expanded their European cyber ops with fake job portals and new malware targeting organizations in the defense, manufacturing, telecommunications, and aviation sectors.
In a Monday report, Check Point Research says it’s been tracking “waves” of this activity since early this year, and attributed the scam to a group it tracks as Nimbus Manticore – also known as UNC1549 (by Google), Smoke Sandstorm (Microsoft), and Imperial Kitten. Google’s Mandiant threat hunters have also noted the crew’s overlap with another gang that Facebook previously linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
This new phishing expedition appears to be a continuation of the Iranian Dream Job campaign, named because it mimics the North Korean Lazarus Group’s Operation Dream Job. It’s possible the two nations shared tradecraft and tools.
The security shop’s research team says the new campaign indicates a “heightened focus” on Western Europe, and specifically Denmark, Portugal, and Sweden. The attackers claim to represent companies in the aerospace, defense manufacturing, and telecommunications industries that are looking to hire staff. But instead of landing a job, victims receive a custom backdoor called MiniJunk and a stealer called MiniBrowse, both Minibike variants that are delivered in a unique way.
The attack begins with a phishing link that directs the victim to a fake job-related login page spoofing companies including Boeing, Airbus, Rheinmetall, and Flydubai. Each victim receives a unique set of credentials with the link to the login page, and after they enter the correct info, the site delivers a malicious archive containing the malware.
The archive masquerades as legitimate software related to the hiring process, and the execution chain uses a multi-stage sideloading technique to deliver the final payload.
First, the victim runs a legitimate Windows executable from the archive, and this file sideloads userenv.dll from the same archive. The legitimate executable then starts another benign file that sideloads the malware loader, xmllite.dll. As Check Point explains:
The attack chain essentially abuses a feature that defines the search path, causing the legitimate process to sideload a malicious DLL from a different location and override the normal DLL search order.
The loader then launches the MiniJunk malware and shows the victim a fake error pop-up about network issues blocking the lure program from running.
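One way a defender can hunt for the two-stage chain described above is to look for the two system DLL names named in the report (userenv.dll, xmllite.dll) being mapped from a directory other than the Windows system directories, and then for a parent/child pair of processes that both did so. The script below is an added example, not Check Point's or The Register's code; its input records are constructed, loosely modelled on Sysmon image-load events, and the paths, PIDs and file names in them are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# System DLLs named in the report; a load from anywhere else is suspicious.
WATCHED_DLLS = {"userenv.dll", "xmllite.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    pid: int
    ppid: int
    image: str         # process that performed the load
    image_loaded: str  # DLL that was mapped into it


def is_sideload(ev: ImageLoad) -> bool:
    """True if a watched DLL was loaded from outside the system directories."""
    p = PureWindowsPath(ev.image_loaded)
    if p.name.lower() not in WATCHED_DLLS:
        return False
    return str(p.parent).lower() not in SYSTEM_DIRS


def find_sideload_chains(events):
    """Return (parent, child) pairs: a process that sideloaded a watched DLL
    and a child process it spawned that also did, i.e. the two-stage chain."""
    hits = [e for e in events if is_sideload(e)]
    by_pid = {e.pid: e for e in hits}
    return [(by_pid[c.ppid], c) for c in hits
            if c.ppid in by_pid and by_pid[c.ppid].pid != c.pid]


# Constructed sample: an archive extracted to a Downloads folder (assumed paths).
SAMPLE_EVENTS = [
    ImageLoad(4100, 2200, r"C:\Users\jdoe\Downloads\Hiring\setup.exe",
              r"C:\Users\jdoe\Downloads\Hiring\userenv.dll"),   # stage 1
    ImageLoad(4100, 2200, r"C:\Users\jdoe\Downloads\Hiring\setup.exe",
              r"C:\Windows\System32\kernel32.dll"),            # benign load
    ImageLoad(4188, 4100, r"C:\Users\jdoe\Downloads\Hiring\helper.exe",
              r"C:\Users\jdoe\Downloads\Hiring\xmllite.dll"),   # stage 2
    ImageLoad(3900, 1000, r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\userenv.dll"),             # normal load
]

if __name__ == "__main__":
    for parent, child in find_sideload_chains(SAMPLE_EVENTS):
        print(f"sideload chain: {parent.image} -> {child.image} "
              f"({PureWindowsPath(parent.image_loaded).name} -> "
              f"{PureWindowsPath(child.image_loaded).name})")
```

On real telemetry, feed the same fields from Sysmon Event ID 7 (image loads) joined with Event ID 1 (process creation) for the parent PID; a legitimate signed executable loading either DLL from a user-writable directory is the signal to triage.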
Nimbus Manticore’s newer malware consists of MiniJunk, which allows stealthy, persistent access to victims’ systems, and MiniBrowse, an infostealer. Both are heavily obfuscated to avoid detection while they steal information.
“The most recent Minibike variants suggest a significant increase in the actor’s abilities, including using a novel (and previously undocumented) technique to load DLLs from alternate paths by modifying process execution parameters,” Check Point Research states. “This variant has new TTPs such as size inflation, junk code, obfuscation, and code signing to lower detection rates.” ®