{"id":57,"date":"2019-09-25T09:35:29","date_gmt":"2019-09-25T09:35:29","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=57"},"modified":"2021-05-01T16:34:38","modified_gmt":"2021-05-01T16:34:38","slug":"us-military-veterans","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/us-military-veterans\/","title":{"rendered":"Hackers Hosting Fake Military Veterans Website to Drop Malware"},"content":{"rendered":"\n

Researchers discovered a fake website that posed as U.S. Military Veterans hiring service provider and drops the powerful malware by prompted users to download an app that turned out to be malware downloader.<\/p>\n\n\n\n

The app is also capable of deploying the other malware and dangerous spying tool to compromise the victims and steal the data from their system.<\/p>\n\n\n\n

The URL( hxxp:\/\/hiremilitaryheroes[.]com<\/em>) that hosting to drop the malware looks very similar to the U.S. Chamber of Commerce, https:\/\/www.hiringourheroes.org. <\/p>\n\n\n\n

Researchers believe that the Tortoiseshell group was behind an attacker on an IT provider in Saudi Arabia<\/a> and also the malware using backdoor that is same as their use for the previous campaign.<\/p>\n\n\n\n

U.S. Military Veterans Hiring Service <\/strong><\/h2>\n\n\n\n

The fake website names as “Hire Military Heroes” which includes the images of a movie “Flags of our Fathers.” and quoted as “we make America safer”<\/p>\n\n\n\n

Also, the website claims that the desktop app is completely free by directing to users via three links but the app is totally fake and it acts as an installer.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

The fake installer called the original malware installer to execute into the system and it starts showing the error message and claims that the security solution terminating the connection to the server.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

During the process of infection, the installer checks whether it can able to reach Google if no then the process will be terminated. if yes then it downloads two binaries which are stored in base64 from hxxp:\/\/199[.]187[.]208[.]75\/MyWS.asmx\/GetUpdate?val=UID<\/em>: <\/p>\n\n\n\n

Researchers observed that one of the binaries act as a tool to perform the reconnaissance stage and another binary is a remote admin tool, an executed as a service.<\/p>\n\n\n\n

According to Talos researchers <\/a>” If something fails during the installation, an email is sent to the attacker. The credentials are hardcoded in the installer. The email account is ericaclayton2020@gmail[.]com and the error email is sent to marinaparks108@gmail[.]com. “<\/p>\n\n\n\n

The malware has some of the interesting features which including the following<\/p>\n\n\n\n