Fake veteran hiring site downloads spyware instead of jobs

A "threat group" previously identified as being behind a set of attacks on IT providers in Saudi Arabia has now been spotted targeting US military veterans and companies with a malicious webpage that purports to be an employment site. According to a report posted today by Cisco Talos researchers Warren Mercer, Paul Rascagneres, and Jungsoo An, the site offers a free desktop client, which is in fact a spyware installer.
Symantec identified the group in a threat intelligence post earlier this month. Called Tortoiseshell, the group has been connected with attacks on 11 companies, the majority of which are located in Saudi Arabia. All of the attacks used the same remote access tool, called Backdoor.Syskit by Symantec, coded in both Delphi (the Object Pascal programming language originally introduced by Borland) and Microsoft .NET.
A very similar backdoor is part of a package dropped by the website discovered by Talos, hiremilitaryheroes.com. Still live, the site itself has no content other than three links to "try our desktop app for free" for Windows 10, Windows 8.1 and Windows 8. The "app" is a fake installer, which, when the malware installation is complete, displays an error message that claims "your security solution is terminating connections to our servers."