Researchers discovered a fake website that posed as a U.S. military veterans' hiring service and dropped powerful malware by prompting visitors to download an app that turned out to be a malware downloader.
The app is also capable of deploying other malware and a dangerous spying tool to compromise victims and steal data from their systems.
The URL hosting the malware (hxxp://hiremilitaryheroes[.]com) closely resembles that of the U.S. Chamber of Commerce's Hiring Our Heroes site, https://www.hiringourheroes.org.
Researchers believe the Tortoiseshell group, which was behind an attack on an IT provider in Saudi Arabia, is responsible; the malware uses the same backdoor the group used in that previous campaign.
U.S. Military Veterans Hiring Service
The fake website, named “Hire Military Heroes,” includes images from the movie “Flags of Our Fathers” and carries the slogan “we make America safer.”
The website also claims that its desktop app is completely free and directs users to it via three links, but the app is fake and acts only as an installer.
The fake installer calls the actual malware installer to execute on the system, then displays an error message claiming that a security solution has terminated the connection to the server.
During infection, the installer first checks whether it can reach Google; if it cannot, the process terminates. If it can, it downloads two binaries, stored in base64, from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID:
Researchers observed that one binary is a reconnaissance tool and the other is a remote administration tool that is executed as a service.
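As an added example (not from the article or from Talos), the Python below scans constructed proxy log lines for the indicators the article names: the lure domain, the C2 address, and the GetUpdate beacon with its val=UID: parameter, then correlates lure visit and beacon per client. The log layout and the UID value are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators quoted in the article (defanged there; brackets dropped so they match).
LURE_HOST = "hiremilitaryheroes.com"
C2_HOST = "199.187.208.75"
C2_PATH = "/MyWS.asmx/GetUpdate"

# Constructed sample proxy log; hypothetical "client url status" layout, one request per line.
SAMPLE_LOG = """\
10.0.0.12 http://www.google.com/ 200
10.0.0.12 http://hiremilitaryheroes.com/download/app.exe 200
10.0.0.12 http://199.187.208.75/MyWS.asmx/GetUpdate?val=UID:DESKTOP-ABC123 200
10.0.0.44 https://www.hiringourheroes.org/ 200
10.0.0.44 http://199.187.208.75/other/path 404
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})$")


def classify(url):
    """Return the indicator names matched by one requested URL (empty if benign)."""
    p = urlparse(url)
    hits = []
    if p.hostname == LURE_HOST:
        hits.append("lure_site")
    if p.hostname == C2_HOST:
        hits.append("c2_ip")
        # The GetUpdate beacon carries a victim identifier as val=UID:<id>.
        uid_vals = parse_qs(p.query).get("val", [])
        if p.path == C2_PATH and any(v.startswith("UID:") for v in uid_vals):
            hits.append("getupdate_beacon")
    return hits


def scan(log_text):
    """Map each client address to the sorted list of indicators it triggered."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        client, url, _status = m.groups()
        seen.setdefault(client, set()).update(classify(url))
    return {c: sorted(h) for c, h in seen.items() if h}


def full_chain(findings):
    """Clients that both visited the lure site and beaconed to GetUpdate."""
    return sorted(c for c, h in findings.items()
                  if "lure_site" in h and "getupdate_beacon" in h)
```

Clients returned by `full_chain` match the complete sequence the article describes and should be prioritised over those that only touched the C2 address.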
According to Talos researchers, “If something fails during the installation, an email is sent to the attacker. The credentials are hardcoded in the installer. The email account is [email protected][.]com and the error email is sent to [email protected][.]com.”
The malware has several interesting features, including the following:
- kill_me: stops the service and removes the malware
- Upload: downloads a file from the internet
- Unzip: uses PowerShell to unzip and execute code on the system
- Finally, the malware can execute a command
This new campaign, built around a malicious hiring website, represents a massive shift for Tortoiseshell.
Given the attack scenario, there is a high chance that many people will become victims, and the website could easily attract attention on social media.
Additional IOCs related to this actor