Researchers are warning that a fake website – purporting to help U.S. military veterans search for jobs — actually links to installers that download malware onto victims’ systems.
The website spoofs a legitimate site for U.S. military veterans offered by the U.S. Chamber of Commerce (https://www.hiringourheroes.org). The fake site instead prompts visitors to download an app, which in turn fetches malware that installs spyware and other tools on the victim's system.
“This particular attack vector has the potential to allow a large swath of people to become victims of this attack,” said Warren Mercer and Paul Rascagneres with Cisco’s Talos security team, in a Tuesday post. “Americans are quick to give back and support the veteran population. Therefore, this website has a high chance of gaining traction on social media, where users could share the link in the hopes of supporting veterans.”
The fake website (hxxp://hiremilitaryheroes[.]com/) is called “Hire Military Heroes” and tells visitors to try its desktop app for free, with three links (labeled Win 8, Win 8.1 and Win 10).
“The app is a fake installer,” said researchers. “Contrary to standard malware installers, this one does not need to be silent, as the user expects an installation.”
Once the installer runs, it shows an alert on the user interface saying that the program is connecting to the database, then displays an error message suggesting that something has “stopped” the app from accessing that database.
Meanwhile, in the background, the installer checks whether Google is reachable, a simple Internet-connectivity test. If not, the installation stops; if so, the installer downloads binaries from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID, which are delivered base64-encoded.
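The two observable artifacts of that stage are the HTTP requests to the campaign's infrastructure and the base64-wrapped executables coming back. The script below is an added example, not code from the Talos report or from the malware: it matches the defanged indicators quoted above against a handful of constructed proxy log lines (the log format, client addresses and the "val" value are assumptions), and it decodes a captured response body and confirms it is a Windows PE by checking the "MZ" DOS magic and the "PE\0\0" signature at the e_lfanew offset. The sample PE header is built inline for the demonstration; it is not a real binary.

```python
import base64
import re
from collections import defaultdict

# Indicators reported for this campaign (defanged in the article, refanged here).
IOC_HOSTS = {"hiremilitaryheroes.com", "199.187.208.75"}
UPDATE_PATH_RE = re.compile(r"/MyWS\.asmx/GetUpdate\?val=", re.IGNORECASE)

# Constructed sample proxy log: "<client_ip> <method> <url> <status>". Not real traffic.
SAMPLE_LOG = """\
10.0.0.12 GET http://hiremilitaryheroes.com/ 200
10.0.0.12 GET http://hiremilitaryheroes.com/downloads/win10.exe 200
10.0.0.12 GET http://www.google.com/ 204
10.0.0.12 GET http://199.187.208.75/MyWS.asmx/GetUpdate?val=ABC123 200
10.0.0.40 GET http://www.example.org/ 200
"""

LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)


def match_iocs(log_text):
    """Return {client_ip: [urls]} for lines that hit the campaign host or update path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m.group("url")
        h = HOST_RE.match(url)
        host = h.group(1).lower() if h else ""
        if host in IOC_HOSTS or UPDATE_PATH_RE.search(url):
            hits[m.group("src")].append(url)
    return dict(hits)


def decode_base64_pe(body):
    """Decode a base64 HTTP body; return the raw bytes if they form a PE image, else None."""
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return None
    pe_off = int.from_bytes(raw[0x3C:0x40], "little")  # e_lfanew
    if raw[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    return raw


# Constructed minimal PE header: 64-byte DOS stub with e_lfanew = 0x40, then the PE signature.
SAMPLE_PE = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20
SAMPLE_PE_B64 = base64.b64encode(SAMPLE_PE).decode()


if __name__ == "__main__":
    for src, urls in match_iocs(SAMPLE_LOG).items():
        print(f"{src} contacted campaign infrastructure: {urls}")
    pe = decode_base64_pe(SAMPLE_PE_B64)
    print("base64 body decodes to a PE image" if pe else "body is not a PE image")
```

The host check deliberately ignores the URL path for hiremilitaryheroes.com so that any request to the lure site is flagged, while the GetUpdate path is matched independently of the host in case the same web service is served from another address.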
The first binary, named “bird.exe,” is a reconnaissance tool. It collects the date, time and installed drivers, as well as system information including the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin account and more.
“This is a significant amount of information relating to a machine and makes the attacker well-prepared to carry out additional attacks,” researchers said. “The attacker even gets the size of the screen by using WMI, which is potentially a trick to identify if the system is a sandbox.”
The second binary is a remote access tool (RAT), installed as a service named “IvizTech.” It can stop its own service and remove the malware from the system, download files from the internet, use PowerShell to unzip and execute code on the host, and run arbitrary commands.
Researchers identified the threat actor behind the campaign as a previously-known group called Tortoiseshell, which has been active since at least July 2018. They made the attribution after realizing that the backdoor used in this most recent campaign has been used in past Tortoiseshell campaigns.
Researchers said that this campaign marks a “massive shift” in Tortoiseshell’s targeting. Previous research published by Symantec on Sept. 19 showed that the actor was behind a supply-chain attack on an IT provider in Saudi Arabia, which enabled it to compromise 11 organizations in total, all based in Saudi Arabia.
Symantec researchers said that they currently have no evidence that would allow them to attribute Tortoiseshell’s activity to any existing known group or nation state.
While its targeting has shifted, this most recent campaign still relies on some old tricks, Talos researchers said: “For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs),” they said.