US Cybersecurity Division (Cybersecurity and Infrastructure Security Agency, CISA), belonging to the US Department of…
“One of the binaries is a tool used to perform a reconnaissance stage on the system and the second is the Remote Administrative Tool. The RAT is executed as a service. The installer installs the service first (for the -install argument) and then stops/starts the service with the command and control (C2) server IP in argument,” Warren Mercer and Paul Rascagneres of Talos said in a post on the new campaign.
Having penetrated the system, the malware collects information about the technical characteristics of the infected machine and sends the collected data to a Gmail mailbox controlled by the attackers.
Specifically, the malware collects information about the operating system, the number of processors, the network configuration, peripheral equipment, firmware versions, the domain controller, the administrator name, the account list, the system date and time, drivers, and so on. This data can obviously be useful to the attackers for organizing further attacks.
In addition, a remote access Trojan is installed on the system, which is able to run files downloaded from outside, execute shell commands and, if necessary, delete itself from the host computer.
Researchers at Cisco Talos write that they do not know what methods the hackers could have used to distribute links to this site, since the experts found no evidence of this.
The Talos team said it did not have any reports of successful compromises from this campaign and stressed that this campaign is not an advanced one.
“The level of sophistication is low as the .NET binary used has poor OPSEC capabilities, such as hard-coded credentials, but then other more advanced techniques by making the malware modular and aware that the victim already ran it,” Mercer and Rascagneres said.
It is assumed that the site may have been discovered before the attackers began to actively advertise it among the military.
Experts associate this campaign with the recently spotted hacker group Tortoiseshell, allegedly backed by the Iranian government. There is not much information available about this group so far, apart from the Symantec report released last week.