Researchers at Cisco Talos have discovered a fake veteran hiring website, hosted by an Iranian hacking group, luring users into downloading malware by spoofing a legitimate veteran job search site. The sham website, hiremilitaryheroes.com has been designed to resemble the valid US Chamber of Congress sponsored hireheroesusa.org and is targeting veteran job seekers with malicious code including Remote Administration Trojans and spying tools.
Researchers have attributed the website to a nation state hacking group known as “Tortoiseshell”, which has since been determined to be aligned with the Iranian hacking team “Imperial Kitten”. Adam Meyers, VP of intelligence at CrowdStrike noted in their research that “Imperial Kitten” is a nation-state hacking group supporting Iran’s Islamic Revolutionary Guard. The modus operandi for the group has been to first target major IT provider networks in Saudi Arabia and then to leapfrog from those provider networks to customer target networks. The Iranian group has been hosting a website with an image from the film “Flags of our Fathers” seen here. The malicious site prompts users to download their “desktop app” for free. The app is a fake installer that downloads malware to the device. The downloads are binary base 64 encoded and perform reconnaissance and provide remote administrative access to the victim’s machine.
The recon tool collects a vast amount of information from the system including, date and time, installed drivers, patch levels, network configuration, number of processors, hardware and firmware versions, a listing of accounts, and much more. This information is then sent to two hardcoded email addresses in the malware, “email@example.com” and “firstname.lastname@example.org”. The threat actors also deploy a Remote Access Tool (RAT) which reaches back to the Command and Control (C2) server for further directions from the hacking group. The RAT has functionality allowing it to download additional modules from the internet, zip and unzip files, and to execute commands on the system.
The malicious website has the potential to impact a large swath of victims due to the nature of this particular attack vector. Americans are supportive of veterans, and one could imagine how many could be infected if this fake site is shared online among social media sites.