
Tortoiseshell hacking group targets U.S. vets with fake hiring website

Earlier this year researchers at Symantec identified a threat actor that was targeting various IT providers in Saudi Arabia. The attacks were carried out with custom malware by a group called Tortoiseshell that was thought to be active since roughly July 2018. Tortoiseshell at the time was engaging in supply-chain attacks with the goal of gaining access to customer data held by the 11 IT providers that were successfully compromised. Not satisfied with this, however, it seems that Tortoiseshell is branching out into other target areas.

According to a recent blog post from Cisco Talos Intelligence, it appears that Tortoiseshell has shifted focus from civilians in the Middle East to ex-military members in the United States. The threat actors are specifically attempting to trick veterans looking for employment into using their hoax website hxxp://hiremilitaryheroes.com and infect them with malware. The website in question tries to look similar to the U.S. Chamber of Commerce’s employment resource for veterans and hopes that visitors will not notice the difference in URLs.

The Tortoiseshell website infects visitors by tricking them into downloading an executable for a fake desktop application. Once the fake downloader is executed, it puts on a smoke-and-mirrors show that leads the user to believe the program is being installed. The “application” then freezes on a nearly full installation progress bar, and it is at this point that the malware begins to take effect.

Cisco Talos researchers state the following about the malware’s processes:

The installer checks if Google is reachable. If not, the installation stops. If it is reachable, the installer downloads two binaries from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID… The downloaded binaries are stored in base64. One of the binaries is a tool used to perform a reconnaissance stage on the system and the second is the Remote Administrative Tool. The RAT is executed as a service. The installer installs the service first (for the -install argument) and then stops/starts the service with the command and control (C2) server IP in argument… If something fails during the installation, an email is sent to the attacker. The credentials are hardcoded in the installer. The email account is [email protected][.]com and the error email is sent to [email protected][.]com… The downloaded reconnaissance tool is named “bird.exe” on the system and the internal name is Liderc… The purpose is to collect a lot of information on the victim machine.
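The installer behaviour quoted above (a Google reachability check, then a fetch from the GetUpdate endpoint) lends itself to a simple proxy-log detection. The following is an added example written for this article, not code from Cisco Talos or the original post; the log lines are constructed, the only indicators used are the ones quoted above, and the 198.51.100.20 host is a made-up address to show the behavioural rule catching a relocated stager that an exact IoC match would miss.

```python
import re
from datetime import datetime, timedelta

# Indicators exactly as the article (quoting Cisco Talos) gives them.
HOAX_DOMAIN = "hiremilitaryheroes.com"
STAGER_IP = "199.187.208.75"
STAGER_PATH = "/MyWS.asmx/GetUpdate"
CONNECTIVITY_CHECK = "google.com"
# Constructed proxy log (not real traffic): "<timestamp> <client> <host> <path>".
# 10.0.0.5: full sequence; 10.0.0.11: GetUpdate from an unlisted host; 10.0.0.9: benign.
SAMPLE_LOG = """\
2019-09-20T10:00:01 10.0.0.5 www.google.com /
2019-09-20T10:00:03 10.0.0.5 199.187.208.75 /MyWS.asmx/GetUpdate?val=UID1
2019-09-20T10:05:00 10.0.0.9 www.google.com /
2019-09-20T11:00:00 10.0.0.7 hiremilitaryheroes.com /
2019-09-20T12:00:00 10.0.0.11 www.google.com /
2019-09-20T12:00:02 10.0.0.11 198.51.100.20 /MyWS.asmx/GetUpdate?val=UID2
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    # Returns (datetime, client, host, path) tuples; malformed lines are skipped.
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, path = m.groups()
            rows.append((datetime.fromisoformat(ts), client, host, path))
    return rows

def find_indicators(rows):
    """Exact-match the published IoCs: hoax site, or stager IP plus GetUpdate path."""
    hits = []
    for _ts, client, host, path in rows:
        if host == HOAX_DOMAIN:
            hits.append((client, "hoax_site"))
        elif host == STAGER_IP and path.startswith(STAGER_PATH):
            hits.append((client, "stager_download"))
    return hits

def find_stager_sequence(rows, window=timedelta(minutes=5)):
    """Behavioural rule: Google check, then a GetUpdate?val= fetch from ANY host within `window`."""
    last_check, flagged = {}, set()
    for ts, client, host, path in rows:
        if host == CONNECTIVITY_CHECK or host.endswith("." + CONNECTIVITY_CHECK):
            last_check[client] = ts
        elif STAGER_PATH + "?val=" in path:
            if client in last_check and ts - last_check[client] <= window:
                flagged.add(client)
    return flagged
```

Run against the sample, the IoC rule flags 10.0.0.5 and 10.0.0.7 only, while the behavioural rule also catches 10.0.0.11, whose stager was served from a host not on the indicator list.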

With the shift from civilians to individuals with ties to the U.S. military, one has to wonder just what exactly is motivating Tortoiseshell. It is too early to tell if there is a nation-state or cyberterrorism angle, but this cannot be ruled out either. Tortoiseshell isn’t looking for a payday like most cybercriminals; rather, it is looking to gather as much information as possible. This is one threat actor to keep an eye on.
