Iranian Hacker Website Targets US Veterans with Malware


Fake Military Veteran Hiring Website Targets US Veteran Job Seekers – Infects Computers with Malware

A malicious one-page website is targeting US Veterans who are looking for work. The scam website offers a free desktop app that supposedly helps readers search for jobs online. The website is believed to be the work of Iranian hacking group, Tortoiseshell.

The scam website was discovered by Cisco Talos.

Symantec recently named the group behind this activity Tortoiseshell, and its researchers reported on the group's other hacking operations just last week.

The one-page scam employment site has only three buttons that prompt Veterans to download a zip file which supposedly gives them a free desktop job search app. Rather than helping unsuspecting victims find jobs, it downloads malware to their computers.

Screenshot: the hiremilitaryheroes scam website

The malware has two components: an information-stealing reconnaissance tool and a remote access trojan (RAT).

The malicious website is Hiremilitaryheroes [.] com (do not go there)

The scam employment website's name is close to that of a legitimate service run by the U.S. Chamber of Commerce, https://www.hiringourheroes.org. However, the two websites do not look alike, and the real site has far more functionality. The legitimate site helps soon-to-be Veterans find jobs; given the similar name, the spoof site appears to target that same part of the military population.

The website prompts readers to “Try our desktop app for free:”

The only interactive content on the scam website is the three buttons (pictured). Clicking one starts the download of a supposed job search desktop app that, according to the site, helps Veterans find work.

Screenshot (credit Cisco Talos): the malware installer

The three buttons link to compressed file downloads for Windows 10, Windows 8.1, and Windows 8.0. The link paths imply that each file is for a different version of Windows. Hovering over each button reveals a zip file path with the following names:

Win 10 button: /apps/win10.zip

Win 8.1 button: /apps/win81.zip

Win 8.0 button: /apps/win80.zip

Windows 8.0 is an old version of Windows released in 2012. It was superseded by Windows 8.1 in 2013. The current version of Windows is 10.

Clicking a button starts the download. When run, the installer first checks whether Google is reachable; if it is not, the installation stops (a simple way to avoid running in an offline sandbox). If Google is reachable, the installer downloads two binaries from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID: (defanged; do not visit).

One of the binaries is a tool that performs the reconnaissance stage on the system, and the second is the Remote Administration Tool (RAT malware).

The reconnaissance tool collects the date, time, and installed drivers, along with system details such as applied security patches, processors, network configuration, hardware and firmware versions, the domain controller, and the administrator account name. This is more than enough for an attacker to plan and launch further attacks against the victim and the network it sits on.
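The indicators the article quotes (the scam domain, the three zip paths, and the GetUpdate URL on 199[.]187[.]208[.]75) are enough to sweep web proxy logs for victims. The script below is an added example written for this page, not code from Cisco Talos or from the article's author. It assumes a simple proxy log layout of "timestamp client method url status" (an assumption; adapt the regex to your proxy) and scans a few constructed log lines. It also correlates the two stages the article describes: a client that fetched one of the zips and then reached the GetUpdate URL almost certainly ran the installer, while a client that only fetched the zip may not have.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit

# Indicators taken from the article, kept defanged so this file is safe to share.
DEFANGED_DOMAIN = "hiremilitaryheroes[.]com"
DEFANGED_C2_IP = "199[.]187[.]208[.]75"
C2_PATH = "/MyWS.asmx/GetUpdate"          # installer's second-stage fetch (?val=<uid>)
DROPPER_PATHS = {"/apps/win10.zip", "/apps/win81.zip", "/apps/win80.zip"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxp://1[.]2[.]3[.]4') back into a matchable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str        # client that made the request
    kind: str       # dropper_site | dropper_download | c2_stager
    line: str


# Assumed proxy log layout (constructed for this example): "<ts> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url: str) -> str | None:
    """Map a requested URL to one of the article's indicators, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = refang(DEFANGED_DOMAIN)
    if host == domain or host.endswith("." + domain):
        return "dropper_download" if parts.path in DROPPER_PATHS else "dropper_site"
    if host == refang(DEFANGED_C2_IP) and parts.path == C2_PATH:
        return "c2_stager"
    return None


def scan(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per log line whose URL matches an indicator."""
    hits = []
    for n, raw in enumerate(lines, 1):
        m = LOG_RE.match(raw.strip())
        if not m:
            continue                      # skip blank or malformed lines
        _, src, _, url, _ = m.groups()
        kind = classify(url)
        if kind:
            hits.append(Hit(n, src, kind, raw.strip()))
    return hits


def correlate(hits: list[Hit]) -> dict[str, set[str]]:
    """Triage clients: fetching a zip *and* reaching the C2 means the installer ran."""
    downloaded = {h.src for h in hits if h.kind == "dropper_download"}
    beaconed = {h.src for h in hits if h.kind == "c2_stager"}
    return {
        "likely_infected": downloaded & beaconed,
        "downloaded_only": downloaded - beaconed,   # zip fetched, no second stage seen
        "c2_only": beaconed - downloaded,            # second stage without the zip (other delivery path)
    }


# Constructed sample traffic, not real logs. The visit to the legitimate
# hiringourheroes.org must not match; 10.0.0.15 shows the full chain the article
# describes (site, zip, Google reachability check, then the GetUpdate fetch).
SAMPLE_LOG = """\
2019-09-24T13:01:05Z 10.0.0.15 GET http://hiremilitaryheroes.com/ 200
2019-09-24T13:01:09Z 10.0.0.15 GET http://hiremilitaryheroes.com/apps/win10.zip 200
2019-09-24T13:02:41Z 10.0.0.15 GET http://www.google.com/ 200
2019-09-24T13:02:42Z 10.0.0.15 GET http://199.187.208.75/MyWS.asmx/GetUpdate?val=UID 200
2019-09-24T13:05:00Z 10.0.0.22 GET https://www.hiringourheroes.org/ 200
2019-09-24T13:07:13Z 10.0.0.31 GET http://hiremilitaryheroes.com/apps/win81.zip 200
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.kind:17} {h.src}")
    print(correlate(found))
```

The Google request itself is deliberately not an indicator: it is ordinary traffic and only matters as context. The useful signal is the order of events from one client, which is why the correlation works on the client address rather than on single lines.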

The website is served over plain HTTP with no TLS certificate. It sets one third-party tracking cookie from mythemestre.com.

What is Malware?

Malware is any kind of undesirable software or app on a laptop, tablet, smartphone, router, or other electronic device. Malware comes in many forms including ransomware, computer viruses, worms, adware, RAT malware, info stealers, and others. Often the goal of malware is to extract money from the device owner by locking up access and demanding a ransom. This type of malware is called ransomware.

Long-term malware campaigns take a low and slow approach, a tactic typical of organized hacking groups. Malware can be used to steal information from the infected device and to escalate privileges on it. If it goes undetected, it then spreads to other computers, to hardware such as routers, and across entire IT networks. Most malware campaigns begin with email phishing attacks.

What is RAT Malware?

A RAT (remote access trojan, or a remote administration tool used for malicious purposes) gives an attacker remote control of an infected device: running commands, browsing and transferring files, and installing additional tools. From that foothold, attackers typically try to gain administrator or root privileges in order to reach more files and sensitive information. Admin privileges let them fully control the computer, alter files and permissions, and launch further attacks, and they make it easier to spread malware to other machines and infect entire networks.