A group recently discovered targeting IT providers in a supply chain attack is now going after military veterans with a fake job site. The site installs a backdoor that collects a wide range of data from victims’ machines, and it also drops a remote access tool that gives the attackers persistent access to compromised computers.
The new campaign is the work of the Tortoiseshell group, a relatively new threat actor that researchers at Symantec blamed for a recent supply chain attack on IT providers in Saudi Arabia and other countries. In that campaign, the attackers installed malware on machines in a number of different organizations, although researchers were unsure of the initial infection vector. The most recent campaign targeting veterans uses a simple infection method: downloading the malware directly from a website.
This campaign, uncovered by researchers with Cisco’s Talos Intelligence Group, makes use of a fake hiring site themed to attract military veterans or people transitioning out of the armed forces. The URL, hxxp://hiremilitaryheroes[.]com, is quite close to that of a legitimate hiring site operated by the United States Chamber of Commerce, but the fake site consists of just one page with download links for a fake desktop app. If a victim clicks on one of the links, an installer appears and then displays an error message that makes it seem as if the installation has failed. If the victim’s machine is online, the installer then downloads a pair of binaries from a remote server.
“One of the binaries is a tool used to perform a reconnaissance stage on the system and the second is the Remote Administrative Tool. The RAT is executed as a service. The installer installs the service first (for the -install argument) and then stops/starts the service with the command and control (C2) server IP in argument,” Warren Mercer and Paul Rascagneres of Talos said in a post on the new campaign.
“The downloaded reconnaissance tool is named ‘bird.exe’ on the system and the internal name is Liderc. Liderc is a unique supernatural being of Hungarian folklore. The original form of this creature is a chicken, that would explain the name of the dropped PE on the system, ‘Bird.exe.’”
Once on the compromised system, the malware sets about collecting a variety of information about the machine, including installed drivers, the current date and time, and current patch level. It also gathers data on the configuration of the machine, such as the number of processors, the firmware versions, type of hardware, and network configuration. The malware sends that data back to the attacker in an email, which gives the attacker all the information necessary for further attacks on the machine.
In the campaign targeting the Saudi IT providers, Tortoiseshell installed a backdoor on compromised machines and the Talos researchers discovered the same backdoor in use in the campaign targeting veterans. The backdoor has a limited set of functions, but it can download remote files, execute commands, and unzip and execute code.
“This actor also deploys a RAT named ‘IvizTech’ on the system. The code and features are similar to the ones outlined by Symantec. The IP is put in argument to the service. The attackers hoped that this would make it impossible to get to the C2, as the installer is needed — you can't just get there with the RAT itself. This allows an attacker to have a malware that they can add modules onto (no need to recompile when you want to update the C2). Requiring the installer also could make it more complicated for researchers to access the C2 and get hands-on analysis of the malware,” the researchers said.
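The behavior the researchers describe in the two quotes above (a binary run with -install, then the service restarted with an IP address as its argument) can be hunted for in process-creation logs. The following is an added example, not code from Talos or from the original article. The "parent|command line" record format, the service and binary names other than bird.exe, the address, and the use of `sc start <service> <args>` to pass the argument are all assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed records in a hypothetical "parent image|command line" format.
SAMPLE_EVENTS = [
    r'C:\Users\a\Downloads\setup.exe|C:\Users\a\AppData\Local\Temp\svc_host.exe -install',
    r'C:\Users\a\Downloads\setup.exe|sc.exe stop ExampleSvc',
    r'C:\Users\a\Downloads\setup.exe|sc.exe start ExampleSvc 203.0.113.10',
    r'C:\Windows\System32\services.exe|sc.exe start Spooler',
    r'C:\Windows\explorer.exe|C:\Users\a\AppData\Local\Temp\bird.exe',
]

def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (finding, command line) pairs for the pattern in the article."""
    installs, ip_starts, findings = set(), [], []
    for line in events:
        parent, cmd = line.split("|", 1)
        tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
        if not tokens:
            continue
        image, args = basename(tokens[0]), tokens[1:]
        # File name reported for the reconnaissance tool; weak on its own.
        if image == "bird.exe":
            findings.append(("recon-tool-name", cmd))
        # A binary asked to register itself as a service.
        if "-install" in (a.lower() for a in args):
            installs.add(parent)
        # Service start whose extra arguments include a literal IPv4 address.
        if image in ("sc", "sc.exe") and len(args) >= 3 and args[0].lower() == "start":
            if any(is_ipv4(a) for a in args[2:]):
                ip_starts.append((parent, cmd))
    for parent, cmd in ip_starts:
        # Stronger signal when the same parent also ran the -install step.
        kind = "install-then-ip-start" if parent in installs else "service-start-with-ip"
        findings.append((kind, cmd))
    return findings

if __name__ == "__main__":
    for kind, cmd in hunt(SAMPLE_EVENTS):
        print(kind, "=>", cmd)
```
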
The Talos team said it did not have any reports of successful compromises from this campaign and stressed that it was not the most advanced campaign.
“The level of sophistication is low as the .NET binary used has poor OPSEC capabilities, such as hard-coded credentials, but then other more advanced techniques by making the malware modular and aware that the victim already ran it. There is a possibility that multiple teams from an APT worked on multiple elements of this malware, as we can see certain levels of sophistication existing and various levels of victimology,” Mercer and Rascagneres said.