
UNC1549 Hacks 34 Devices in 11 Telecom Firms

Iranian Cyber Espionage Group UNC1549 Targets European Telecom Companies

An Iran-nexus cyber espionage group known as UNC1549 has been attributed to a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations as part of a recruitment-themed activity on LinkedIn.

Swiss cybersecurity company PRODAFT is tracking the cluster under the name Subtle Snail. It’s assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC). The targeted 11 companies are located in Canada, France, the United Arab Emirates, the United Kingdom, and the United States.

“The group operates by posing as HR representatives from legitimate entities to engage employees, then compromises them through deployment of a MINIBIKE backdoor variant that communicates with command-and-control (C2) infrastructure proxied through Azure cloud services to bypass detection,” the company said in a report shared with The Hacker News.

UNC1549’s Modus Operandi

UNC1549 (aka TA455), believed to be active since at least June 2022, overlaps with two other Iranian hacking groups known as Smoke Sandstorm and Crimson Sandstorm. The threat actor was first documented by Google-owned Mandiant in February 2024.

The use of job-themed lures by UNC1549 was subsequently detailed by Israeli cybersecurity company ClearSky, which documented the adversary’s targeting of the aerospace industry as far back as September 2023 to deliver malware families such as SnailResin and SlugResin.

“The group’s primary motivation involves infiltrating telecommunications entities while maintaining interest in aerospace and defense organizations to establish long-term persistence and exfiltrate sensitive data for strategic espionage purposes,” PRODAFT said.

Attack Techniques Employed

Attack chains involve extensive reconnaissance on platforms like LinkedIn to identify key personnel within target organizations, specifically focusing on researchers, developers, and IT administrators with elevated access to critical systems and developer environments.

In the next phase, the threat actors have been observed sending spear-phishing emails to validate the email addresses and collect additional information before enacting the crucial part of the operation – the fake recruitment drive.

To accomplish this, the attackers set up convincing HR account profiles on LinkedIn and reached out to prospective targets with non-existent job opportunities, gradually building trust and credibility to increase the scheme’s likelihood of success. The campaign is characterized by the meticulous efforts of Subtle Snail operators to tailor the attack for each victim.

Malware Analysis

Should the victim express interest in the offer, they are subsequently contacted via email to schedule a time for an interview by visiting a fraudulent domain that mimics companies like Telespazio or Safran Group. Entering the requested information automatically triggers the download of a ZIP archive.

Present within the ZIP file is an executable that, once launched, uses DLL side-loading to load a malicious DLL named MINIBIKE. MINIBIKE then gathers system information and awaits additional payloads in the form of Microsoft Visual C/C++ DLLs that conduct reconnaissance, log keystrokes and clipboard content, steal Microsoft Outlook credentials, collect web browser data from Google Chrome, Brave, and Microsoft Edge, and take screenshots.

The web browser stealer, in particular, incorporates a publicly available tool called Chrome-App-Bound-Encryption-Decryption to bypass app-bound encryption protections rolled out by Google in order to decrypt and steal passwords stored in the browser.

Conclusion

“The Subtle Snail team builds and deploys a victim-specific and unique DLL to the machine each time, even for collecting network configuration information from devices,” PRODAFT noted. “The malicious DLL files used by the threat actor exhibit similar characteristics in the export section.”

“Legitimate DLL files are modified to facilitate a seamless execution of a DLL side-loading attack, where function names are substituted with direct string variables. This tactic allows the attacker to bypass typical detection mechanisms by manipulating the DLL’s export table, making it appear as a legitimate file while carrying out malicious activities.”
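One practical triage check for the modified legitimate DLLs PRODAFT describes is to compare the export table of a suspect copy against a known-good copy of the same DLL obtained from the vendor: renamed or dropped exports, reassigned ordinals, and export entries that no longer resolve into executable code are all signs the file was repurposed for side-loading. The script below is an added example for this post, not PRODAFT's tooling or the campaign's code; it assumes the third-party pefile package, and load_exports/diff_exports are this example's own names.

```python
from typing import Dict, List, Tuple

# (ordinal, RVA, RVA lies inside an executable section, entry is a forwarder)
Export = Tuple[int, int, bool, bool]
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic flag from the PE spec


def load_exports(path: str) -> Dict[str, Export]:
    """Map export name -> Export for the PE file at `path` using pefile.
    pefile is imported here so that the pure diff logic runs without it."""
    import pefile
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]])
    code = [(s.VirtualAddress, s.VirtualAddress + s.Misc_VirtualSize)
            for s in pe.sections if s.Characteristics & IMAGE_SCN_MEM_EXECUTE]
    exports: Dict[str, Export] = {}
    directory = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    for sym in (directory.symbols if directory else []):
        name = sym.name.decode(errors="replace") if sym.name else f"#{sym.ordinal}"
        in_code = any(lo <= sym.address < hi for lo, hi in code)
        exports[name] = (sym.ordinal, sym.address, in_code, sym.forwarder is not None)
    return exports


def diff_exports(baseline: Dict[str, Export], suspect: Dict[str, Export]) -> List[str]:
    """Return findings where `suspect` deviates from the known-good `baseline`.
    Output order is deterministic so results can be asserted on or diffed."""
    findings: List[str] = []
    for name in sorted(set(baseline) - set(suspect)):
        findings.append(f"missing export: {name}")
    for name in sorted(set(suspect) - set(baseline)):
        findings.append(f"unexpected export: {name}")
    for name in sorted(set(baseline) & set(suspect)):
        b_ord, _, b_code, b_fwd = baseline[name]
        s_ord, _, s_code, s_fwd = suspect[name]
        if b_ord != s_ord:
            findings.append(f"ordinal changed for {name}: {b_ord} -> {s_ord}")
        if b_fwd != s_fwd:
            findings.append(f"forwarder status changed for {name}")
        # A name that resolved to code in the vendor build but now resolves
        # outside every executable section suggests a patched export entry.
        if b_code and not s_code and not s_fwd:
            findings.append(f"export {name} no longer points into executable code")
    return findings


if __name__ == "__main__":
    import sys  # usage: python check_exports.py <known_good.dll> <suspect.dll>
    for finding in diff_exports(load_exports(sys.argv[1]), load_exports(sys.argv[2])):
        print(finding)
```

Some legitimate DLLs export data symbols rather than functions, so treat the "no longer points into executable code" finding as a lead to confirm in a disassembler rather than a verdict on its own.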

UNC1549’s operations highlight the critical need for enhanced cybersecurity measures to protect against sophisticated cyber threats targeting sensitive industries.
