In certain countries, the populace holds a deep bond with its armed forces. Patriotism, a desire to give back and a love of freedom are often the roots of such feelings, and this holds true for the USA as well. In its own way, the U.S. Chamber of Commerce contributes by hosting a website at “hiringourheroes.org” to help armed forces veterans find jobs.
However, attackers seem to have found a way to bend this to their advantage. Exploiting the site's reputation and the demand for its services, a look-alike website at the URL “hiremilitaryheroes[.]com” was recently discovered distributing malware by prompting visitors to download an application for computers running the Windows OS.
Once downloaded, the app abruptly halts during the installation process, citing a database connection error. While cleverly putting on a show of diagnosing the problem, it checks whether it can reach Google and, if so, downloads two binaries, both stored in Base64.
One of these is a reconnaissance tool named bird.exe; the other is a remote administration tool (RAT) named “IvizTech”, which is then executed. The former collects detailed information about the victim’s device, while the latter supports four functions, including downloading files and executing code and commands.
The malicious actors in question had been identified as Tortoiseshell by Symantec a few days earlier, when they targeted certain groups in Saudi Arabia. When Talos discovered the current attack campaign, it found that the group was reusing its earlier tactics, techniques and procedures, and even the same backdoor – a level of caution far below the standards set by the black hat community.
The takeaway from this can only be a repetition of common security principles that are thrown around in the security industry but seldom heeded. Typosquatting, more commonly known as URL hijacking, is a common method employed by criminals – nothing unseen before.
If the users, who in this case happen to be mostly military veterans, had followed the standard principles of double-checking URLs and not downloading files from untrusted sources, they could have stayed safe and avoided becoming victims.