
Fake Employment Site Created to Target Veterans With Malware

A fake web site posing as an organization that offers job opportunities to U.S. Veterans is distributing malware that lets the attackers gain full control over a victim's computer.

Researchers from the Cisco Talos Group have found a web site that impersonates an organization called HMH, or Hire Military Heroes, and offers a desktop application that Veterans can supposedly use to find job opportunities.

Talos attributes this web site to a threat actor group named Tortoiseshell, which Symantec recently identified as having targeted IT companies in order to gain access to their customers.

"This is just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attack on an IT provider in Saudi Arabia. For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs)."

When a user visits the site, they are prompted to download a program for Windows 8, 8.1, or Windows 10. The Windows 10 download is a zip file containing a program named win10.exe, which at the time of writing was detected by only 3 of 69 engines on VirusTotal.

If the program is launched, a small loading screen appears that states "Hire Military Heroes is a new resource for hiring armed forces." and claims to be connecting to a database.

While this screen is displayed, the malware is actually downloading two further malicious files and saving them to the computer.

It then shows an alert stating "Sorry. Your security solution is terminating connections to our servers." This fake error is displayed so that the program looks like a legitimate installer that simply failed to run on the computer.

In reality, two malware components are now running: one that gathers information about the victim and their computer, and another that executes commands sent by the attackers.

Gathers information about the victim

The first downloaded program executes 111 commands that gather information about the computer and its user.

These commands collect a list of all files on the computer, drive information, running processes, networking information, the user account list, network shares, ARP table entries, firewall configuration and more.

All of this information is then written to a file named %Temp%\ and emailed back to the attackers using Gmail credentials embedded in the binary.

Installs Remote Access Trojan

In addition to the information gathering malware, a remote access Trojan will also be installed on the computer. This Trojan will be installed as a Windows service with a service name of "dllhost" and a display name of "Dll host".

This service will be configured to start automatically so that the infection starts every time Windows starts.

Once started, the RAT connects back to the attackers' command and control (C2) servers, from which it receives commands to execute. These commands can terminate the service, upload a file, unzip a file, or execute an arbitrary command.

This RAT infection essentially gives the attackers full control over the computer and allows them to perform any action they wish.
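The persistence described above (a Windows service named "dllhost" with the display name "Dll host", set to start automatically) is something a responder can check for directly. The following PowerShell script is an added hunting example written for this article; it is not code from Talos or from the article itself. It assumes that no built-in Windows service is registered under that service name (the legitimate dllhost.exe COM Surrogate runs as a process, not a service), so any hit deserves triage rather than being dismissed.

```powershell
# Added hunting check, not part of the Talos report or the article.
# Looks for the persistence reported above: a service named "dllhost" with
# display name "Dll host" configured to start automatically.
# Assumption: no built-in Windows service uses this name, so a hit is suspect.
# Run from an elevated PowerShell prompt.

$SuspectName        = 'dllhost'   # service name reported by Talos
$SuspectDisplayName = 'Dll host'  # display name reported by Talos

# Query the Service Control Manager through CIM so the binary path and
# start mode come back alongside the name and state.
$hits = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq $SuspectName -or $_.DisplayName -eq $SuspectDisplayName }

if (-not $hits) {
    Write-Output "No service named '$SuspectName' / '$SuspectDisplayName' is registered."
    return
}

foreach ($svc in $hits) {
    $flags = @()
    # Auto-start matches the persistence behaviour described in the report.
    if ($svc.StartMode -eq 'Auto') { $flags += 'auto-start (matches reported persistence)' }
    # A service binary outside System32 is a further reason to treat this as malicious.
    if ($svc.PathName -notlike "$env:SystemRoot\System32\*") { $flags += 'binary outside System32' }

    # Extract the executable from the service command line (quoted or unquoted,
    # with or without arguments) so it can be hashed and submitted to VirusTotal
    # or compared against internal IOC lists.
    $exe  = ($svc.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $hash = if (Test-Path -LiteralPath $exe) {
                (Get-FileHash -Algorithm SHA256 -LiteralPath $exe).Hash
            } else { 'file missing' }

    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode
        PathName    = $svc.PathName
        SHA256      = $hash
        Flags       = ($flags -join '; ')
        # Registry key for the service entry, for manual review or evidence collection
        RegistryKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    }
}
```

If the script reports a hit and the hash or path confirms it is not a known-good binary, stop the service (Stop-Service) and remove it (sc.exe delete dllhost) only after the binary has been preserved for analysis, since deleting the service entry first loses the ImagePath evidence.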

At this time, it is not known how this malware is distributed. Furthermore, the researchers said it is possible that multiple teams from the APT group worked on this malware, as it shows differing levels of sophistication.

"At the time of publication, we do not have a method of distribution used, nor do we have proof of this existing in the wild. The level of sophistication is low as the .NET binary used has poor OPSEC capabilities, such as hard-coded credentials, but then other more advanced techniques by making the malware modular and aware that the victim already ran it. There is a possibility that multiple teams from an APT worked on multiple elements of this malware, as we can see certain levels of sophistication existing and various levels of victimology."

Anyone who may have been infected by this malware should immediately scan their computer, remove any threats found, and check for the "dllhost" service described above, since a scanner that only catches the dropper may leave the RAT's service entry in place.



Copyright © 2016. All Rights Reserved.