Iran's government-backed hackers are trying to infect US military veterans with malware with the help of a malicious website, researchers from security firm Cisco Talos reported on Tuesday.
The website, located at hiremilitaryheroes[.]com (pictured above), offers a fake desktop app for download, in the hopes that US military veterans would download and install it, presumably to gain access to job offerings.
But Cisco Talos researchers say the app only installs malware on users' systems and shows an error message, indicating that the installation failed.
Malware is an infostealer+RAT combo
Behind the scenes, the malware continues to operate on victims' computers, gathering information about the system's technical specs, and sending the data to an attacker-controlled Gmail inbox.
The type of data the malware collects includes information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the account list, date, time, drivers, etc..
"This is a significant amount of information relating to a machine and makes the attacker well-prepared to carry out additional attacks," said Warren Mercer, Paul Rascagneres, and Jungsoo An, the three Cisco Talos researchers who analyzed the malware.
But besides a data gathering component, the malware also installs a remote access trojan (RAT), a type of malware that can grant attackers access over an infected system.
According to the Cisco Talos report, the RAT component can run files downloaded from the internet, execute shell commands, and remove itself from a host's computer, if needed.
Hackers most likely targeting active servicemen, not veterans
In light of these, the hackers' overall modus operandi appears to be to use the fake military veteran hiring website to infect victims and then select which target they want to go after and download additional payloads.
In an interview on deep background with ZDNet -- because he was not authorized to speak on the record for the agency -- a DHS cybersecurity analyst said that attackers are clearly going after military networks.
"The hackers are not targeting veterans, but rather soon-to-be veterans," he said. "They're targeting active servicemen looking for jobs for when their service ends.
"They [the hackers] are hoping that one of their targets would use a DOD system to download and run the malware," he added. "Chances are low, but it's worth a shot.
"Pretty clever approach, if I can say so."
Operation linked to Tortoiseshell group
Cisco Talos said it didn't have any details about the methods hackers were using to spread links to this website, and trick victims into installing the malware. It may also be that researchers caught this site before it was actively spammed to veterans.
The Talos team also linked this campaign to the work of a recently discovered state-sponsored hacking group named Tortoiseshell, believed to be operating under the protection of the Iranian government.
Little is known about this group, whose operations only recently came to the forefront, following the publication of a Symantec report last week.
According to Symantec, the group has been previously seen engaged in supply-chain attacks on 11 IT providers based in Saudi Arabia. It is believed that the purpose of these attacks was to use these 11 companies' infrastructures to drop malware on the networks of their respective customers.
More details about this group's operations will likely surface in the next months. Fellow cyber-security vendor CrowdStrike tracks this group under a different name of Imperial Kitten, per this spreadsheet that aggregates data on all nation-state hacking operations. On the other hand, cyber-security firm FireEye believes this group isn't actually new, but rather a subdivision of the older APT35.
In February 2019, US officials formally charged a former US Air Force intelligence agent with treason after she fled to Iran in 2013 and later worked to help Iran's government hacking crews to target and hack former Air Force colleagues.