A “threat group” previously identified as being behind a set of attacks on IT providers in Saudi Arabia has now been spotted targeting US military veterans and companies with a malicious webpage that purports to be an employment site. According to a report posted today by Cisco Talos researchers Warren Mercer, Paul Rascagneres, and Jungsoo An, the site offers a free desktop client—which is in fact a spyware installer.
Symantec identified the group in a threat intelligence post earlier this month. Called Tortoiseshell, the group has been connected with attacks on 11 companies, the majority of which are located in Saudi Arabia. All of the attacks used the same remote access tool, which Symantec tracks as Backdoor.Syskit, coded in both Delphi (the Object Pascal programming language originally introduced by Borland) and Microsoft .NET.
A very similar backdoor is part of a package dropped by the website discovered by Talos, hiremilitaryheroes.com. Still live, the site itself has no content other than three links to “try our desktop app for free”—for Windows 10, Windows 8.1 and Windows 8. The “app” is a fake installer, which, when the malware installation is complete, displays an error message that claims “your security solution is terminating connections to our servers.”
While it’s running, the installer checks whether it can reach Google, a rough test for whether it is being run in a security sandbox, which often blocks outbound connections. If it can’t, it shuts down. If it can, it downloads two files from a server hosted by a company in Atlanta: a reconnaissance tool and the backdoor. If something fails during the download, the installer sends an email to a Gmail address from another Gmail address (ericaclayton2020@gmail.com); the credentials for that sending account are hard-coded in the installer, so anyone with a copy of the sample can recover them.
The reconnaissance tool, with the filename “bird.exe,” is internally named Liderc, after a mythical being from Hungarian folklore that evolves from a chicken into a succubus. It performs a thorough collection of data about the system it was installed on, including date, time, installed drivers, patch level, network configuration, domain controller, name of the administrator account, and a list of other accounts available. It also checks the screen size via Windows Management Instrumentation, likely another sandbox check, since analysis environments often run with small or unusual display sizes. All this data is pushed back to the attacker, who could use it to tailor follow-on attacks.
The backdoor, named “IvizTech” in this case, can execute commands on the infected system, upload and download files, use PowerShell to unzip and execute downloaded code, and, when commanded, uninstall and remove itself. The backdoor doesn’t work without the installer: it receives the IP address of the command-and-control server as an execution argument when the installer launches it, so the address never appears in the backdoor binary itself. That is likely a measure to keep malware investigators who recover only the backdoor from discovering the server.
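The chain described above, an installer that phones home by email on failure and hands the backdoor its command-and-control address on the command line, lends itself to endpoint detection. The following is an added example, not code from the Talos report or from this article, written in Python over constructed Sysmon-style events (process create, network connect, file create). It flags two behaviours: a process launching an executable that it wrote to disk itself while passing a bare IPv4 address as an argument, and a process that is not a known mail client opening an SMTP connection. The event shape, the file names, the pids, the mail-client allowlist and the TEST-NET address 203.0.113.10 are all assumptions.

```python
"""Hypothetical detection over constructed endpoint telemetry (added example).

Rules, loosely modelled on Sysmon event IDs 1, 3 and 11:
  1. dropped_child_with_ip_arg: a process launches an executable it wrote
     itself and passes a bare IPv4 address on the command line (the installer
     handing the backdoor its C2 address).
  2. smtp_from_non_mail_client: a process outside the mail-client allowlist
     connects to an SMTP port (the installer's failure e-mail sent through a
     hard-coded Gmail account).
"""
import re

# Bare dotted-quad not glued to a version string or a longer token.
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
SMTP_PORTS = {25, 465, 587}
# Assumed allowlist; a real deployment would use its own.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return a list of findings for an ordered event stream."""
    findings = []
    written_by = {}  # lower-cased path -> pid of the process that created it
    for ev in events:
        if ev["type"] == "file_create":
            written_by[ev["path"].lower()] = ev["pid"]
        elif ev["type"] == "process_create":
            writer = written_by.get(ev["image"].lower())
            ips = IPV4_RE.findall(ev["cmdline"])
            # Only fire when the parent is the process that dropped the binary.
            if writer is not None and writer == ev["ppid"] and ips:
                findings.append({
                    "rule": "dropped_child_with_ip_arg",
                    "pid": ev["pid"],
                    "detail": f"{basename(ev['image'])} launched by dropper "
                              f"pid {writer} with argument {ips[0]}",
                })
        elif ev["type"] == "network_connect":
            if ev["dst_port"] in SMTP_PORTS and basename(ev["image"]) not in MAIL_CLIENTS:
                findings.append({
                    "rule": "smtp_from_non_mail_client",
                    "pid": ev["pid"],
                    "detail": f"{basename(ev['image'])} -> {ev['dst_host']}:{ev['dst_port']}",
                })
    return findings


# Constructed sample telemetry; file names, pids and the address are invented.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 500,
     "image": r"C:\Users\vet\Downloads\installer.exe",
     "cmdline": r'"C:\Users\vet\Downloads\installer.exe"'},
    # Reachability check: on its own this is far too common to alert on.
    {"type": "network_connect", "pid": 1000, "image": r"C:\Users\vet\Downloads\installer.exe",
     "dst_host": "www.google.com", "dst_port": 443},
    {"type": "file_create", "pid": 1000, "path": r"C:\Users\vet\AppData\Local\Temp\bird.exe"},
    {"type": "file_create", "pid": 1000, "path": r"C:\Users\vet\AppData\Local\Temp\backdoor.exe"},
    {"type": "process_create", "pid": 1001, "ppid": 1000,
     "image": r"C:\Users\vet\AppData\Local\Temp\bird.exe",
     "cmdline": r'"C:\Users\vet\AppData\Local\Temp\bird.exe"'},
    {"type": "process_create", "pid": 1002, "ppid": 1000,
     "image": r"C:\Users\vet\AppData\Local\Temp\backdoor.exe",
     "cmdline": r'"C:\Users\vet\AppData\Local\Temp\backdoor.exe" 203.0.113.10'},
    # Download failure path: the installer reports home over SMTP.
    {"type": "network_connect", "pid": 1000, "image": r"C:\Users\vet\Downloads\installer.exe",
     "dst_host": "smtp.gmail.com", "dst_port": 587},
    # Benign look-alikes that must not fire.
    {"type": "network_connect", "pid": 2000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "smtp.gmail.com", "dst_port": 587},
    {"type": "process_create", "pid": 2001, "ppid": 500,
     "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 203.0.113.10"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["rule"], finding["pid"], finding["detail"])
```

Run against the sample stream, the script reports two findings: the backdoor launched by its dropper with 203.0.113.10 as an argument, and the installer's SMTP connection. The Google reachability check is deliberately not an alert by itself, and the ping and Outlook events show why the rules key on the dropper relationship and an allowlist rather than on an IP argument or an SMTP port alone.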