- Published: Sunday, 29 September 2019
In recent years, the Iranian government has emerged as a global cyber espionage and attack threat. Iran is constantly escalating its efforts to deploy cyber-attack capabilities against Iranian dissidents as well as the critical infrastructure of other nations.
Tehran also uses social media platforms to spread misinformation and fake news.
On 26 September, Fox News reported that a malicious one-page website is targeting US veterans who are looking for work. The scam website offers a free desktop app that supposedly helps readers search for jobs online. The website is believed to be the work of the Iranian hacking group Tortoiseshell.
The scam website was discovered by Cisco Talos Group.
Behind the scenes, the malware continues to operate on victims' computers, gathering information about the system's technical specs, and sending the data to an attacker-controlled Gmail inbox.
The data the malware collects includes information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the account list, date, time, drivers, etc.
"This is a significant amount of information relating to a machine and makes the attacker well-prepared to carry out additional attacks," said Warren Mercer, Paul Rascagneres, and Jungsoo An, the three Cisco Talos researchers who analyzed the malware.
Besides the data-gathering component, the malware also installs a remote access trojan (RAT), a type of malware that can grant attackers access to an infected system.
The hackers' overall modus operandi appears to be to use the fake military veteran hiring website as a social engineering scheme to infect victims and then select which target they want to go after and download additional payloads. The attackers are clearly going after military networks.
The so-called Tortoiseshell hacking team was called out last week by Symantec for a coordinated and targeted cyber espionage campaign that hops from the networks of several major IT providers in Saudi Arabia to specific customers of those providers. The group is also known by CrowdStrike as the Iranian hacking team Imperial Kitten.
Tortoiseshell deploys a remote access Trojan named "IvizTech," which matches the code and features Symantec detailed in its report on the backdoor.
It's unclear how exactly the attackers lure potential victims and whether the site is actively infecting victims at this point. Cisco Talos researchers say the creators thus far have employed weak operations security of their own, leaving behind hard-coded credentials, for instance.
"There is a possibility that multiple teams from an APT worked on multiple elements of this malware, as we can see certain levels of sophistication existing and various levels of victimology," the researchers wrote in their blog post about the threat.