Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack

Threat Group: Smoke Sandstorm (also tracked as TA455)
Threat Type: Trojan Loader
Exploited Vulnerabilities: Phishing and social engineering tactics
Malware Used: SnailResin (loader), SlugResin (backdoor)
Threat Score: High (8.5/10) — Due to advanced delivery techniques, cross-industry targeting, and evasive C2 methods
Last Threat Observation: November 14, 2024.


Overview

The SnailResin malware is a sophisticated trojan loader deployed by the Iranian-linked threat actor group Smoke Sandstorm, also referred to as TA455. This campaign, active since at least September 2023, mimics tactics commonly associated with North Korea's Lazarus Group in a "Dream Job" campaign format. Smoke Sandstorm leverages job offer lures to target individuals in critical sectors, including aerospace, aviation, and defense, particularly in regions like Israel, the UAE, Turkey, India, and Albania. The SnailResin malware is designed to load the SlugResin backdoor, facilitating unauthorized access, data theft, and persistent control over compromised systems.

Smoke Sandstorm, affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), shares operational characteristics with other clusters known as Smoke Sandstorm (formerly Bohrium) and Crimson Sandstorm (formerly Curium). Using advanced social engineering methods, including AI-generated persona profiles and LinkedIn-based outreach, the group lures victims with fake recruiting websites and seemingly legitimate job offers. The campaign also relies on layered infection chains, including DLL side-loading to bypass security defenses.


Key Details

  • Delivery Method: Spear-phishing emails with ZIP files containing a mix of legitimate and malicious files.
  • Target Industries: Aerospace, aviation, and defense sectors in the Middle East, Israel, Eastern Europe, and other critical regions.
  • Campaign Techniques:
    • Uses fake job offers to deliver SnailResin, which activates the SlugResin backdoor.
    • Creates fake recruiting websites (e.g., careers2find[.]com) and LinkedIn personas to initiate contact.
    • Distributes malicious executables like "SignedConnection.exe" and employs DLL side-loading with "secur32.dll."
  • Functions:
    • Deploys SlugResin backdoor for remote access.
    • Establishes command-and-control (C2) communication through GitHub to mask traffic.
    • Conducts credential theft, privilege escalation, and lateral movement within networks.
    • Obfuscates operations through multi-stage infection and fake personas.
  • Obfuscation Techniques: Uses GitHub repositories as dead drop resolvers to encode C2 commands, blending malicious activities with normal network traffic.

Attack Vectors

The primary attack vector for SnailResin campaigns is social engineering through job-related phishing lures. Smoke Sandstorm sends tailored spear-phishing emails with ZIP files containing both legitimate and malicious executables, disguised as job application materials. When recipients open the executable, it side-loads the malicious DLL "secur32.dll," activating the SnailResin loader. This loader then installs the SlugResin backdoor, providing the attackers with persistent remote access.

Using GitHub repositories as dead drop resolvers lets the attackers encode the real C2 server addresses in repository content, which the malware retrieves without raising suspicion, since GitHub traffic is typically considered benign. The multi-stage infection process, which includes legitimate-seeming documents and AI-generated job recruiter profiles, further improves the odds of evading security measures.
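Two of the behaviours described above (a Windows system DLL name such as secur32.dll loaded from a user-writable directory, and GitHub lookups from a process that has no business fetching raw repository content) are easy to turn into detection rules. The following Python is an added example, not code from the advisory or from any vendor; the Sysmon-style events are constructed, and the allow-list of processes permitted to reach GitHub is a hypothetical baseline you would tune to your environment. It also covers the "Monitor Network Traffic" item in the mitigation list below.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry). Event ID 7 = image load,
# Event ID 22 = DNS query. Only the fields the rules below need are kept.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\alice\Downloads\JobOffer\SignedConnection.exe",
     "loaded": r"C:\Users\alice\Downloads\JobOffer\secur32.dll"},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\secur32.dll"},
    {"id": 22, "image": r"C:\Users\alice\Downloads\JobOffer\SignedConnection.exe",
     "query": "raw.githubusercontent.com"},
    {"id": 22, "image": r"C:\Program Files\Git\cmd\git.exe",
     "query": "raw.githubusercontent.com"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL names from the advisory that should only ever load from a system directory.
SYSTEM_DLLS = {"secur32.dll"}
# Hypothetical allow-list of processes that legitimately fetch GitHub content.
GITHUB_ALLOWED = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
GITHUB_HOST_RE = re.compile(
    r"(^|\.)(raw\.githubusercontent\.com|api\.github\.com|github\.com)$", re.I)

def is_sideloaded_system_dll(event):
    """True when a watched system DLL name is loaded from outside System32/SysWOW64."""
    if event["id"] != 7:
        return False
    dll = PureWindowsPath(event["loaded"])
    if dll.name.lower() not in SYSTEM_DLLS:
        return False
    return str(dll.parent).lower() not in SYSTEM_DIRS

def is_suspicious_github_query(event):
    """True for a GitHub DNS lookup by a process not on the allow-list (dead drop candidate)."""
    if event["id"] != 22 or not GITHUB_HOST_RE.search(event["query"]):
        return False
    return PureWindowsPath(event["image"]).name.lower() not in GITHUB_ALLOWED

def triage(events):
    """Return (rule_name, process image) for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_sideloaded_system_dll(ev):
            hits.append(("sideloaded_system_dll", ev["image"]))
        if is_suspicious_github_query(ev):
            hits.append(("github_dead_drop_candidate", ev["image"]))
    return hits

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Correlating the two rule hits on the same process image, as happens with the constructed events, is a much stronger signal than either hit alone.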


Known Indicators of Compromise (IoCs)

Defanged IPv4 Addresses:

  • 89[.]221[.]225[.]235
  • 77[.]91[.]74[.]171
  • 77[.]91[.]74[.]186
  • 89[.]221[.]225[.]230 - 89[.]221[.]225[.]249

File Hashes (MD5):

  • bb4c8f42cc624c628e4b98bd43f29fa6

File Hashes (SHA1):

File Hashes (SHA256):

  • bf308e5c91bcd04473126de716e3e668cac6cb1ac9c301132d61845a6d4cb362

Defanged Domains:

  • careers2find[.]com
  • xboxapicenter[.]com

Defanged Hostnames:

  • raw[.]ghubusercontent[.]com

Mitigation and Prevention

  1. User Awareness: Train employees on phishing risks and recognizing social engineering tactics, especially unsolicited job offers.
  2. Email Filtering: Implement filtering to detect and block suspicious attachments and ZIP files with potentially harmful contents.
  3. Antivirus Protection: Ensure antivirus solutions are updated to detect SnailResin and SlugResin variants.
  4. Two-Factor Authentication (2FA): Enforce 2FA to add a security layer for sensitive accounts.
  5. Monitor Network Traffic: Regularly review network traffic for unusual GitHub activity, as it could indicate C2 communications.
  6. Patch Management: Keep all software and operating systems updated to reduce vulnerabilities that can be exploited.

Conclusion

The SnailResin malware, used by Smoke Sandstorm, exemplifies a sophisticated and targeted approach to cyber espionage, heavily relying on social engineering tactics and advanced delivery mechanisms. By employing North Korean-styled “Dream Job” campaigns, this Iranian-aligned group has been able to engage with highly targeted individuals in critical sectors. Organizations in aerospace, defense, and related fields should bolster security awareness and strengthen email filtering, antivirus measures, and monitoring systems to mitigate these threats effectively.
