Tortoiseshell targets US veterans with fake website used to download malware

Tortoiseshell targets US veterans

A cyber attack group dubbed “Tortoiseshell” has deployed a fake website posing as a site that helps U.S. military veterans find jobs. The site is used to push malware onto visitors’ systems.

According to a recent Talos report, the attackers set up a site called “Hire Military Heroes” (hxxp://hiremilitaryheroes[.]com). The fake site uses an image from the movie “Flags of our Fathers.”

The domain also closely resembles that of a legitimate site, https://www.hiringourheroes.org, which makes the lure more convincing.

The fake site entices visitors to download an application that is actually a malware downloader. Once installed, the downloader deploys spying tools and other malware.

The components it installs include a system reconnaissance tool (“bird.exe”) and a Remote Access Tool (RAT).

Remote Access Tool

The RAT deployed on the victim’s system is named “IvizTech”. Its code and features resemble those of the malware Symantec described last week, when it warned that the Tortoiseshell group had targeted IT suppliers in Saudi Arabia.

According to Talos, IvizTech has a modular design in which the C2 address is supplied by the installer rather than embedded in the RAT, which can make it harder to track down command and control (C2) operations and analyze the malware:

“The IP is put in an argument to the service. The attackers hoped that this would make it impossible to get to the C2, as the installer is needed — you can’t just get there with the RAT itself. This allows an attacker to have malware that they can add modules onto (no need to recompile when you want to update the C2). Requiring the installer also could make it more complicated for researchers to access the C2 and get hands-on analysis of the malware.”
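The detail above (the C2 address arriving as a command-line argument to a Windows service rather than being hard-coded in the RAT) suggests a simple triage check a defender can run over a host's service configurations. The following Python example is added here and is not Talos's code or anything from the IvizTech sample; it is a generic heuristic that assumes you have already exported each service's name and command line (for instance the registry ImagePath or the BINARY_PATH_NAME shown by `sc qc`). The service names and paths in SAMPLE_SERVICES are constructed for illustration, and the 203.0.113.45 address is a documentation range, not a real indicator. Legitimate software also passes addresses on the command line, so the output is a list to review, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Dotted-quad IPv4 literal with valid octets, bounded so that version-like
# tokens such as "10.0.19041" (fewer than four valid octets) do not match.
IPV4_RE = re.compile(
    r'(?<![\w.])'
    r'(?:25[0-5]|2[0-4]\d|1?\d?\d)'
    r'(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}'
    r'(?![\w.])'
)


@dataclass
class ServiceEntry:
    name: str
    image_path: str  # registry ImagePath / BINARY_PATH_NAME from `sc qc` (assumed already exported)


def split_command_line(image_path: str) -> List[str]:
    """Split a Windows service command line into [executable, arg, arg, ...].

    Handles a double-quoted executable path; unquoted paths are split at the
    first whitespace. This is deliberately simple triage parsing, not a full
    Windows command-line parser.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end]
        rest = s[end + 1:].strip()
    else:
        parts = s.split(None, 1)
        exe = parts[0]
        rest = parts[1] if len(parts) > 1 else ''
    return [exe] + (rest.split() if rest else [])


def find_ip_argument_services(entries: List[ServiceEntry]) -> List[Tuple[str, str, str]]:
    """Return (service name, executable, ip) for every service whose
    *arguments* carry an IPv4 literal.

    Only the arguments are inspected: an address inside the executable path
    (e.g. a UNC path) is a different situation and is not reported here.
    """
    hits = []
    for entry in entries:
        exe, *args = split_command_line(entry.image_path)
        for arg in args:
            match = IPV4_RE.search(arg)
            if match:
                hits.append((entry.name, exe, match.group(0)))
                break  # one report per service is enough for triage
    return hits


# Constructed sample data (hypothetical service names and paths).
SAMPLE_SERVICES = [
    ServiceEntry('wuauserv', r'C:\Windows\system32\svchost.exe -k netsvcs -p'),
    ServiceEntry('UpdateSvc', r'"C:\ProgramData\Update\update.exe" 203.0.113.45 8080'),
    ServiceEntry('BuildAgent', r'C:\tools\agent.exe --build 10.0.19041'),
    ServiceEntry('ShareSvc', r'\\10.0.0.5\share\svc.exe'),
]


if __name__ == '__main__':
    for name, exe, ip in find_ip_argument_services(SAMPLE_SERVICES):
        print(f'review: service {name!r} runs {exe} with address argument {ip}')
```

On a real host the same function can be fed the output of `sc qc <name>` for each service, or the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services; any service flagged should then be checked for who installed it and what the address resolves to.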

This campaign could be a significant threat because it takes advantage of people’s goodwill toward veterans, and the lookalike domain makes the lure more convincing. Users should be cautious whenever a website they do not know prompts them to install software, and should check a site’s domain against the organization’s official address before downloading anything.