Military Veterans

Researchers discovered a fake website posing as a hiring service for U.S. military veterans. The site prompts visitors to download an app that turns out to be a malware downloader, which then drops more powerful malware on the victim's machine.

The downloader is also capable of deploying additional malware and a dangerous spying tool to compromise victims and steal data from their systems.

The URL that hosts and drops the malware, hxxp://hiremilitaryheroes[.]com, closely resembles the legitimate U.S. Chamber of Commerce site, https://www.hiringourheroes.org.

Researchers believe the Tortoiseshell group was behind a previous attack on an IT provider in Saudi Arabia, and the backdoor used by this malware is the same one the group used in that earlier campaign.

U.S. Military Veterans Hiring Service

The fake website is named "Hire Military Heroes." It uses images from the movie "Flags of our Fathers" and carries the slogan "we make America safer."

The website also claims that its desktop app is completely free and directs users to it via three links, but the app is fake and acts only as an installer for the malware.

The fake installer launches the real malware installer, which executes on the system and then displays an error message claiming that a security solution terminated the connection to the server.

During infection, the installer first checks whether it can reach Google; if it cannot, the process terminates. If it can, it downloads two base64-encoded binaries from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID:

Researchers observed that one of the binaries is a tool for the reconnaissance stage, while the other is a remote administration tool (RAT) that is executed as a service.

According to Talos researchers: "If something fails during the installation, an email is sent to the attacker. The credentials are hardcoded in the installer. The email account is ericaclayton2020@gmail[.]com and the error email is sent to marinaparks108@gmail[.]com."

The malware has several interesting features, including the following:

  • kill_me: stops the service and removes the malware
  • Upload: downloads a file from the internet
  • Unzip: uses PowerShell to unzip and execute code on the system
  • And finally, the malware can execute an arbitrary command

This new campaign, built around a malicious hiring website, represents a major shift in tactics for Tortoiseshell.

Given the attack scenario, there is a high chance that a large number of people could become victims, and a site like this could easily be spread and made attractive on social media.

IOCs

Installers:

c121f97a43f4613d0a29f31ef2e307337fa0f6d4f4eee651ee4f41a3df24b6b5
2a9589538c563c006eaf4f9217a192e8a34a1b371a31c61330ce2b396b67fd10
55b0708fed0684ce8fd038d4701cc321fe7b81def7f1b523acc46b6f9774cb7b

Reconnaissance PE:

ec71068481c29571122b2f6db1f8dc3b08d919a7f710f4829a07fb4195b52fac

RAT:

51d186c16cc609ddb67bd4f3ecd09ef3566cb04894f0496f7b01f356ae260424

Additional IOCs related to this actor

41db45b0c51b98713bc526452eef26074d034b2c9ec159b44528ad4735d14f4a
78e1f53730ae265a7eb00b65fbb1304bbe4328ee5b7f7ac51799f19584b8b9d4
46873290f58c25845b21ce7e560eae1b1d89000e887c2ff2976d931672390dd8
f31b5e14314388903a32eaa68357b8a5d07cbe6731b0bd97d2ee33ac67ea8817
f1c05ff306e941322a38fffb21dfdb5f81c42a00a118217b9d4e9807743d7275
1848f51d946fa8b348db8ef945a1ebff33ff76803ad26dfd175d9ea2aa56c7d0
ed150d9f6e12b6d669bcede3b7dc2026b7161f875edf26c93296e8c6e99152d5
2682328bde4c91637e88201eda5f5c400a3b3c0bdb87438d35660494feff55cf
e82a08f1514ccf38b3ae6b79e67d7605cb20b8377206fbdc44ddadfb06ae4d0d
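As an added defender-side example (not code from the original article or from Talos), the script below turns the SHA-256 hashes listed above into a simple file-hash scanner: it walks a directory, hashes each file in chunks, and reports any file whose digest appears in the IOC set. The IOC hashes are taken verbatim from this article; the sample files it scans are constructed here for demonstration, and the helper names (`load_iocs`, `hash_file`, `scan_dir`) are this example's own.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Set

# Installer, reconnaissance PE and RAT hashes exactly as published above.
INSTALLER_HASHES = [
    "c121f97a43f4613d0a29f31ef2e307337fa0f6d4f4eee651ee4f41a3df24b6b5",
    "2a9589538c563c006eaf4f9217a192e8a34a1b371a31c61330ce2b396b67fd10",
    "55b0708fed0684ce8fd038d4701cc321fe7b81def7f1b523acc46b6f9774cb7b",
]
RECON_PE_HASHES = [
    "ec71068481c29571122b2f6db1f8dc3b08d919a7f710f4829a07fb4195b52fac",
]
RAT_HASHES = [
    "51d186c16cc609ddb67bd4f3ecd09ef3566cb04894f0496f7b01f356ae260424",
]


def load_iocs(*hash_lists: Iterable[str]) -> Set[str]:
    """Merge one or more hash lists into a normalized (lowercase) lookup set."""
    iocs: Set[str] = set()
    for hashes in hash_lists:
        for h in hashes:
            h = h.strip().lower()
            # Only accept well-formed SHA-256 hex digests.
            if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
                iocs.add(h)
    return iocs


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_dir(root: str, iocs: Set[str]) -> Dict[str, str]:
    """Walk `root` and return {path: sha256} for every file matching an IOC."""
    hits: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                h = hash_file(path)
            except OSError:
                # Unreadable files (permissions, transient locks) are skipped, not fatal.
                continue
            if h in iocs:
                hits[path] = h
    return hits


def demo() -> Dict[str, str]:
    """Constructed demo: a harmless file plus one whose hash we add as a fake IOC."""
    known = load_iocs(INSTALLER_HASHES, RECON_PE_HASHES, RAT_HASHES)
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign content\n")
        suspect = os.path.join(tmp, "sample.bin")
        with open(suspect, "wb") as fh:
            fh.write(b"constructed sample standing in for a dropped binary\n")
        # Simulate an IOC feed that also lists our constructed sample's hash.
        known_plus_sample = known | {hash_file(suspect)}
        hits = scan_dir(tmp, known_plus_sample)
        # Return basenames so the result does not depend on the temp path.
        return {os.path.basename(p): h for p, h in hits.items()}


if __name__ == "__main__":
    print(demo())
```

Run it against a quarantine or download folder by replacing the temporary directory with the path of interest; a hit means only that the file's SHA-256 matches one published indicator, so treat it as a trigger for triage rather than proof of infection on its own.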

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.