A sophisticated Iranian cyber espionage group, Subtle Snail, has been identified as a major threat to European telecommunications, aerospace, and defense companies. The group uses a complex recruitment-themed social engineering campaign to compromise victims.
Also known as UNC1549, the group has successfully infiltrated 34 devices across 11 organizations since June 2022. They pose as HR representatives from legitimate companies to engage with unsuspecting employees on platforms like LinkedIn.
The attackers use extensive reconnaissance to find high-value targets, particularly researchers, developers, and IT administrators with access to critical systems. They create convincing fake job advertisements and set up fake domains like telespazio-careers.com to enhance the credibility of their schemes.
Once they lure a victim, they deploy a custom backdoor called MINIBIKE, which uses Azure cloud services for communication to avoid detection. At first, this malware was hard for antivirus software to detect because it was highly disguised and used stolen code signing certificates to appear as trusted software. The group even develops a unique version of the malware for each victim.
The primary infection method is DLL sideloading. Attackers send a ZIP archive, such as Application.zip, containing a seemingly legitimate executable. When the victim runs that executable, it loads a malicious MINIBIKE DLL that was placed in the same folder. The malicious DLL is given a common system library name such as iumbase.dll so that it looks like a legitimate Windows component.
The malware is specifically crafted for each victim and uses sophisticated techniques to bypass security controls and stay hidden. It collects system information and sends it to a server, at which point the attackers can deploy other victim-specific DLLs for keylogging, stealing credentials, and more. All of these actions use the same stealthy DLL sideloading technique.