Researchers have unmasked a website masquerading as a job site for U.S. veterans that may have ties to Iran, according to media reports.
Researchers from security firm Cisco Talos reported this week that the website, Hire Military Heroes, was distributing malware that allows hackers to gain control of the victim’s computer, as reported by Bleeping Computer.
An interesting twist is that the hackers may also be targeting active servicemen and not just veterans, according to ZDNet, which reports that Iran may be behind the attack.
A cybersecurity analyst from the Department of Homeland Security, speaking on background, told ZDNet that the attackers are aiming at military networks.
“They [the hackers] are hoping that one of their targets would use a DOD system to download and run the malware,” the analyst told the news outlet. “Chances are low, but it's worth a shot… Pretty clever approach, if I can say so,” the analyst added, referring to the Department of Defense.
Fox News has reached out to Cisco regarding Iran's reported involvement with the hack.
The bad actor had been previously identified by Symantec as Tortoiseshell, a group behind a previous attack on an IT provider in Saudi Arabia, according to Cisco Talos.
The fake veterans website has three links to download a desktop app for free — but the app is actually a fake installer. When the fake installer starts, the progress bar almost fills up entirely and then displays an error message.
“The installer checks if Google is reachable. If not, the installation stops. If it is reachable, the installer downloads two binaries [files],” according to Cisco Talos.
One of the binary files is used to perform “reconnaissance” on the system and the second is the Remote Administrative Tool.
“The attacker retrieves information such as the date, time and drivers,” Cisco Talos researchers wrote in the report. “The attacker can then see information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the list of the account, etc. This is a significant amount of information relating to a machine and makes the attacker well-prepared to carry out additional attacks.”
Both the amount and the kind of information that is targeted make the attacks particularly dangerous, Warren Mercer, a researcher at Cisco Talos, told Fox News.
“When you focus on the agenda of the attackers, it’s unlikely to be a garden variety attack…they certainly wanted something much more meaningful than your cat pictures,” Mercer said.
Mercer added that it’s difficult to assess the effectiveness of this attack since it was discovered before the operation went into high gear. “We did not identify any ‘in-the-wild’ activity associated and since our publication, the threat actor’s website is now unavailable.”