We’ve already told you about how there are many opportunities for veterans in the AV industry. We’ve even detailed a PSA-based veteran hiring program that attempts to connect vets to solid AV jobs. Unfortunately, though, veteran hiring sites aren’t always as trustworthy as you’d hope.
According to a recent Ars Technica report, a threat group previously responsible for a set of cyberattacks on Saudi Arabian IT providers is now targeting US military veterans and the companies that hire them through a website posing as an employment site.
That site, hiremilitaryheroes.com, has links to download a “free desktop app,” which is actually spyware.
Symantec identified the group in a threat intelligence post earlier this month. Called Tortoiseshell, the group has been connected with attacks on 11 companies, the majority of which are located in Saudi Arabia. All of the attacks used the same remote access tool, Backdoor.Syskit by Symantec, coded in both Delphi (the Object Pascal programming language originally introduced by Borland) and Microsoft .NET. — Ars Technica report
The malware first checks whether it can reach Google, a test used to detect whether it is running inside a security sandbox, says the report.
If all is clear, it downloads two files: a recon tool and a backdoor.
The first file, “bird.exe,” collects data about the system it is installed on, including the screen size, and sends it back to the attacker. The second, “IvizTeck,” is the backdoor: it runs commands on the system, can upload and download files, and can even uninstall itself.
“The backdoor doesn’t work without the installer, as it receives the IP address of the command-and-control server as an execution argument when launched by the installer, a measure likely taken to prevent malware investigators from discovering the server,” says Ars Technica.
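One defensive takeaway from the installer handing the command-and-control address to the backdoor as a launch argument is that the pattern leaves a trace in process-creation telemetry. The following is an added example, not code from the article or from Symantec, that scans constructed process-creation records for an executable launched with a bare IPv4 address as an argument; the file names, paths and parent process are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry from the campaign).
# The file name IvizTeck comes from the article; the installer name and paths are invented.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\vet\Downloads\setup.exe",
     "image": r"C:\Users\vet\AppData\Local\Temp\IvizTeck.exe",
     "cmdline": r"IvizTeck.exe 203.0.113.45"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r"firefox.exe https://example.org/"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ping.exe",
     "cmdline": r"ping 192.0.2.1"},
]

# Dotted-quad shape; fullmatch is applied per argument token so no lookarounds are needed.
IPV4_TOKEN = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Tools that legitimately take a bare IP on the command line; extend per environment.
ALLOWLIST = {"ping.exe", "tracert.exe", "nslookup.exe", "telnet.exe", "ssh.exe", "psexec.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def valid_ipv4(token):
    """True when every octet of a dotted-quad token is in 0..255."""
    return all(0 <= int(octet) <= 255 for octet in token.split("."))


def flag_ip_argument_launches(events):
    """Flag processes (outside the allowlist) launched with a bare IPv4 argument.

    Each hit records the image, its parent and the IP(s) seen, so an analyst can
    pivot from the child binary to the installer that spawned it.
    """
    hits = []
    for ev in events:
        image = basename(ev["image"])
        if image in ALLOWLIST:
            continue
        args = ev["cmdline"].split()[1:]          # drop argv[0]
        ips = [a for a in args if IPV4_TOKEN.fullmatch(a) and valid_ipv4(a)]
        if ips:
            hits.append({"image": image, "parent": basename(ev["parent"]), "ips": ips})
    return hits


if __name__ == "__main__":
    for hit in flag_ip_argument_launches(SAMPLE_EVENTS):
        print(f"{hit['parent']} -> {hit['image']} with IP argument(s) {hit['ips']}")
```

Run over real Sysmon Event ID 4688/Sysmon Event 1 exports, the allowlist is the part that needs tuning; the installer-parent field is what separates this pattern from an administrator typing an address into a console tool.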