Cybercriminals have recently been targeting U.S. Veterans. As discovered by researchers, the hackers tend to entice U.S Veterans with a fake yet malicious employment website that serves malware to the victims.
U.S Veterans Phished With Fake Employment Website
Security researchers from Cisco Talos have spotted a scam specifically targeting Veterans. As elaborated in their blog post, the attackers target U.S. Veterans for malware attacks via a fake employment website.
In this campaign, the hackers entice the Veterans via a fake website “Hire Military Heroes” – possibly impersonating the genuine service by the U.S. Chamber of Commerce “Hiring Our Heroes” (note the difference).
The malicious website offers an app to the Veterans with an aim to help them find jobs. However, the site actually tries to download malware on to the target device.
The website offers different versions of the app for Windows 8, 8.1, and Windows 10. Clicking on any of these links would then allow the app to install on the target device. Unlike most other malware attacks the malware installation does not need to stay veiled as the user naturally expects to see an installation occurring.
At the end of the supposed installation process, an error message shows up indicating a failure due to the security system of the device.
However, in the background, a successful malware installation goes on during all this time. Specifically, the installer installs two binary files; ‘bird.exe’ for the initial ‘reconnaissance phase’, and a RAT for the second stage.
During the reconnaissance phase, the attackers gather information from the target device to devise future actions. As stated by the researchers,
The attacker retrieves information such as the date, time and drivers. The attacker can then see information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the list of the account, etc.
Then, the attacker deploys ‘IvizTech’ – a RAT – on the target device.
A Continuation Of ‘Tortoiseshell’ Malware
According to the researchers, the scam primarily looks a part of Tortoiseshell attacks, a malware previously highlighted by Symantec. Talos believes this campaign as a mere continuation of Tortoiseshell activities where the attackers use the same tactics.
For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques, and procedures (TTPs).
However, with this campaign, the attackers seem to be primarily targeting the US population. As explained by the researchers, the attackers seem to exploit the gesture of support of most Americans for the veterans.
While the researchers haven’t spotted the presence of this campaign in the wild yet, the threat still lies there. From the general public to the Veterans, all internet users must remain careful while interacting with any website(s) for employment or recruitment purposes.
Let us know your thought in the comments.