Cisco: Hacking Group Targets US VeteransAttackers Used Phony Job Website to Install Malware, Researchers Say
A threat group has been targeting U.S. veterans through a spoofed website promising help for those looking for jobs, according to research from Cisco Talos.
Instead of providing job links, however, the phony website installs malware and spyware on a victim's device, the research report states.
The Cisco report does not say what the ultimate motives of this particular campaign are. But the researchers note that the malware and spy tools collect a substantial amount of data from an infected device, including the patch level of the software installed, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the administrator and lists of the accounts on the device, according to the report.
A Department of Homeland Security analyst told ZDNet that it appears that the attackers are trying to target active U.S. military personnel who are about to leave the service. The goal would be to have a victim install the malware on a Defense Department computer.
The Cisco report ties the attacks to a relatively new threat group called Tortoiseshell, which Symantec researchers say has mainly operated in the Middle East (see: Supply Chain Attacks: Hackers Hit IT Providers).
"Previous research showed that the actor was behind an attack on an IT provider in Saudi Arabia. For this campaign that [Cisco] Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures,” according to the research report.
Spoofed Job Site
In the campaign targeting veterans, the attackers are using a phony website that appears to be a legitimate jobs site administered by the U.S. Chamber of Commerce, the researchers say.
The threat actors created a phony site called Hire Military Heroes that is supposed to connect military veterans to companies looking to hire workers. This website is designed to spoof a U.S. Chamber of Commerce that uses the URL "https://www.hiringourheroes.org," which connects veterans and their spouses to job opportunities, the report notes.
The Cisco researchers believe that the phony site was designed to be shared across social media channels.
"This particular attack vector has the potential to allow a large swath of people to become victims of this attack. Americans are quick to give back and support the veteran population," the researchers add. "Therefore, this website has a high chance of gaining traction on social media where users could share the link in the hopes of supporting veterans."
As part of the attack, the spoofed website encourages victims to download and then install a desktop application that reportedly would allow them to look at job listings, the report notes.
When the victim attempts to install the app, a message appears on the screen saying that the application failed to install. In the background, however, the malware starts to download and infects the device, according to the report.
In the first part of the attack, a malicious binary is installed, which then conducts reconnaissance on the victim's devices, Cisco found. The second part of the attack involves the installation of a remote access Trojan, or RAT, that helps communicate with a command-and-control server and can allow the attackers to take over a device, according to the report.
Once the Trojan begins to collect data, it's packaged up sent as an email to a Gmail account controlled by the attackers, Cisco reports.
Ties to Tortoiseshell
By examining the Trojan, which is called "IvizTech," the Cisco researchers found code and tools similar to those used by the Tortoiseshell group that Symantec described in a report released earlier this month.
Tortoiseshell appears to have been active since July 2018, but security researchers have only become aware of its presence over the last two months. According to Symantec, the group has been targeting IT solution providers in the Middle East.
Earlier this month, Symantec found that the hacking group used custom and off-the-shelf malware to target the supply chains of IT providers in Saudi Arabia. The attack crippled the supply chain of 11 organizations in the country, with the attackers gaining domain-level access of at least two organizations, Symantec said.