A fake web site pretending to be an organization that offers job opportunities for U.S. Veterans is distributing malware that let's the attackers gain full control over a victim's computer.
Researchers from the Cisco Talos Group have a found a web site that pretends to be the organization called HMH, or Hire Military Heroes, that offers a desktop application that Veterans can use for job opportunities.
Talos Group states that the attackers behind this web site are a threat actor group named Tortoiseshell, who Symantec recently identified as an attacker who targeted IT companies in order to gain access to their customers.
"This is just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attacker on an IT provider in Saudi Arabia. For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs)."
When a user visits the site, they will be prompted to download a program for either Windows 8, 8.1, or Windows 10. For the Windows 10 download, it is a zip file containing a program named win10.exe. This file is currently only detected by 3/69 vendors on Virustotal.
If the program is launched, a small loading screen will appear that states "Hire Military Heroes is a new resource for hiring armed forces." and that it is trying to connect to the database.
While this screen is being displayed, the malware is actually downloading two other malware files and saving them to the computer.
It will then show an alert that states "Sorry. Your security solution is terminating connections to our servers.". This fake error is being displayed to make it appear that it is a legitimate program that did not work on the computer.
In reality, there are now two malware infections running; one that gathers information about the victim and their computer and another that executes commands by the attackers.
Gathers information about the victim
The first program that is downloaded will execute 111 commands that are used to gather information about the computer and its victims.
These commands will gather a list of all files on a computer, drive info, running processes, networking information, user account list, network shares, ARP table entries, firewall info and more.
All of this information is then gathered into a file named %Temp%\si.cab and emailed back to the attackers using embedded Gmail email credentials
Installs Remote Access Trojan
In addition to the information gathering malware, a remote access Trojan will also be installed on the computer. This Trojan will be installed as a Windows service with a service name of "dllhost" and a display name of "Dll host".
This service will be configured to start automatically so that the infection starts every time Windows starts.
Once started, the RAT will connect back to the attackers command & control servers where it will receive commands to execute. These commands could be to terminate the service, upload a file, unzip a file, or execute a command.
This RAT infection essentially gives the attackers full control over the computer and allows them to perform any action they wish.
At this time, it is now known how this malware is distributed. Furthermore, the researchers stated that it is possible multiple teams from the APT group worked on this malware as it contains different levels of sophistication.
"At the time of publication, we do not have a method of distribution used, nor do we have proof of this existing in the wild. The level of sophistication is low as the .NET binary used has poor OPSEC capabilities, such as hard-coded credentials, but then other more advanced techniques by making the malware modular and aware that the victim already ran it. There is a possibility that multiple teams from an APT worked on multiple elements of this malware, as we can see certain levels of sophistication existing and various levels of victimology."
For anyone who may have been infected by this malware, you should immediately perform scans of your computer and remove any threats that are found.
{jcomments on}