Researchers have uncovered a fake website that poses as an organization offering jobs to U.S. veterans. The site exists for one purpose: to distribute malware that gives the attackers complete control over a victim's computer.
According to researchers from the Cisco Talos Group, the site calls itself Hire Military Heroes, or HMH. Visitors are urged to download a desktop application that is advertised as a tool for finding job opportunities.
Talos attributes the website to Tortoiseshell, a recently identified threat actor that has previously compromised IT providers in order to reach those providers' customers.
The group further added, “This is just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attack on an IT provider in Saudi Arabia. For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs).”
How Does This Fake Veteran-Hiring Website Spread Malware?
The malware is clearly aimed at U.S. veterans. A visitor who is not tech-savvy, or who has no reason to suspect a veteran-hiring site, is easily talked into doing what the site asks.
Here is how it works. Visitors are prompted to download a program for their device. For Windows computers, the download is a zip file containing a program named win10.exe.
When the program is launched, a small loading screen appears with the text “Hire Military Heroes is a new resource for hiring armed forces,” giving the impression that the application is connecting to a job database.
In reality, while that screen is displayed, the program is already downloading two further malware components and saving them to disk.
An alert then appears reading “Your security solution is terminating connections to our servers.” The alert is fake; it exists only to explain away the lack of any visible result and to make the program look legitimate.
By this point both components are on the machine and running in the background. The first is an information collector that profiles the victim and the computer; the second executes whatever commands the attackers send.
How Does the Malware Collect User Information?
The first component runs a total of 111 commands, all of them aimed at collecting as much information as possible about the victim and the computer.
The commands enumerate the files on the system, drive information, running processes, network configuration, network shares, firewall settings, the user accounts configured on the device, and other details.
The collected output is written to a file named %Temp%\si.cab. That file is then emailed to the attackers through a Gmail account whose credentials are hard-coded in the binary; the victim's own email credentials are not used.
How Does the Malware Execute the Commands Sent by the Attackers?
As mentioned, two components are downloaded onto the victim's computer. The first gathers information; the second executes whatever commands the attackers send.
The second component is a remote access Trojan (RAT). It is installed as a Windows service named dllhost, a name that resembles the legitimate dllhost.exe (COM Surrogate) process, and because the service is configured to start automatically it runs every time Windows boots.
Once active, the Trojan connects to the attackers' command-and-control (C2) servers. Through them it receives instructions to upload files, terminate services, or run further commands.
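The artifacts described above (an auto-start service named dllhost, a staging file at %Temp%\si.cab, a dropper named win10.exe, and exfiltration over email) are concrete enough to hunt for on a Windows host. The following PowerShell script is an added example written for this article; it is not code from Talos or from the malware itself. The indicator names come from the text; the download locations searched and the list of SMTP ports are assumptions made for illustration.

```powershell
# Added example: triage checks for the Hire Military Heroes artifacts described
# in this article. Indicator names come from the write-up; the search paths and
# port list below are assumptions, not part of the original research.

function Find-HmhArtifacts {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. The RAT registers as an auto-start *service* named "dllhost".
    #    The legitimate dllhost.exe runs as a COM Surrogate process, never as a
    #    service, so a service by that name deserves a look.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -eq 'dllhost' -or $_.DisplayName -eq 'dllhost' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check  = 'Service named dllhost'
                Detail = "StartMode=$($_.StartMode) Path=$($_.PathName)"
            })
        }

    # 2. The collector stages its output in %Temp%\si.cab before emailing it out.
    $cab = Join-Path $env:TEMP 'si.cab'
    if (Test-Path $cab) {
        $findings.Add([pscustomobject]@{
            Check  = 'Staging file present'
            Detail = "$cab ($((Get-Item $cab).Length) bytes)"
        })
    }

    # 3. The dropper is delivered as win10.exe. Locations searched are an assumption.
    $dirs = @("$env:USERPROFILE\Downloads", $env:TEMP)
    foreach ($d in $dirs) {
        if (Test-Path $d) {
            Get-ChildItem -Path $d -Filter 'win10.exe' -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $findings.Add([pscustomobject]@{
                        Check  = 'Dropper on disk'
                        Detail = $_.FullName
                    })
                }
        }
    }

    # 4. Exfiltration goes out by email using Gmail credentials hard-coded in the
    #    binary, so a process that is not a mail client holding an SMTP connection
    #    is worth reviewing. Port list is an assumption; Get-NetTCPConnection needs
    #    Windows 8 / Server 2012 or newer.
    $smtpPorts = 25, 465, 587
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $smtpPorts -contains $_.RemotePort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings.Add([pscustomobject]@{
                Check  = 'Outbound SMTP connection'
                Detail = "$($proc.ProcessName) (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort)"
            })
        }

    return $findings
}

$result = Find-HmhArtifacts
if ($result.Count -eq 0) {
    Write-Output 'No Hire Military Heroes artifacts found on this host.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so that service details and the owning processes of network connections are visible. A hit on any single check is not proof of infection on its own (a user may legitimately have a file named win10.exe, and a real mail client will hold SMTP connections), but the combination of a dllhost service plus si.cab in the temp directory matches the behaviour described above closely enough to warrant isolating the machine.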
How victims are directed to the site is still unknown. The researchers noted, “At the time of publication, we do not have a method of distribution used, nor do we have proof of this existing in the wild. The level of sophistication is low as the .NET binary used has poor OPSEC capabilities, such as hard-coded credentials, but then other more advanced techniques by making the malware modular and aware that the victim already ran it.”
They also added, “There is a possibility that multiple teams from an APT worked on multiple elements of this malware, as we can see certain levels of sophistication existing and various levels of victimology.”
Malware Prevention Tips
If you want to protect your computers against malware, you need to take preventive measures. Here are some practical tips:
Tip #1: Keep Anti-Malware Software Running and Updated.
This may seem obvious, but many people ignore it. Your computer probably already has built-in anti-malware protection; whether you rely on that or on a trusted third-party product, keep it updated and keep real-time scanning turned on. In the case described above, the dropper and the two components it fetches are exactly the kind of files a current scanner is meant to catch. Once your anti-malware software is in order, the next step is to make sure your operating system is up to date.
Tip #2: Keep Your Operating System Updated.
Whether you run macOS, Linux, or Windows, it is your job to keep it up to date. OS vendors continually release security patches for reported bugs; turn on automatic updates so you do not have to remember to install them.
Tip #3: Make Sure Your Network Is Secure.
We all use our computers to connect to printers, other computers, and, of course, the internet. Securing those connections starts with a strong, unique password on every device and on your router's admin interface.
Do not run an open WiFi network. Use WPA2 or WPA3 with a strong passphrase; WEP is obsolete and can be cracked in minutes, and the original WPA should be retired as well.
Hiding your SSID (your WiFi network's name) adds little real security: the name is still transmitted in the clear whenever a device connects, so anyone listening nearby can recover it. It is harmless if you want to do it, but do not rely on it in place of proper encryption.
Tip #4: Think Before You Click.
This is another tip that comes down to common sense. If you do not know the sender of an email, do not click on anything in it. Make it a habit to hover over a link first to see where it actually leads. If you need to download a file from the web, scan it before running it, and be suspicious of any "application" that a website insists you install to use its service: a job board needs a browser, not a win10.exe.
Tip #5: Avoid Connecting to Open WiFi Networks.
When you are in public places such as a library, coffee shop, or airport, avoid connecting to open WiFi networks, especially if you are accessing banking apps or confidential documents. Attackers may be on the same network waiting for their next victim. If you must use one, stick to HTTPS sites and consider a VPN.
Tip #6: Have a Backup of Your Important Files.
When the worst happens, the best thing you can have is a backup of your important files. Keep the backup on a separate storage device or in a separate location, disconnected from the computer when not in use, and test that you can actually restore from it. That way, if you can no longer trust or even boot your computer, you can restore your files on another device.
Tip #7: Take Action.
All the tips and information shared here are useless if you do nothing with them. You have to take the initiative and do whatever you can to prevent malware attacks. If you leave your system unprotected, threats will eventually find a way to wreak havoc on it.
The point is to act. Simply sitting in front of your computer does nothing against malware.
As the saying goes, “If it's too good to be true, it probably is.” Think about it: nobody lands a job simply by downloading a program or app. If a website tells you to download a program to help you get hired, close it right away. There are plenty of legitimate job sites that need nothing more than a browser.
Be smart. Don’t be fooled by these fraudulent tactics. Implement preventive measures so hackers won’t find a way to steal crucial information from you.
Have you encountered other similar malware entities before? How did you deal with them? Let us know in the comments.