Threats Feed | Tortoiseshell | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 24/09/2019

Tortoiseshell Targets U.S. Military Veterans with Malicious Job Seeking Website

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Malware, RAT, Spyware
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

Tortoiseshell deployed a fake job-seeking website targeting U.S. military veterans. The site tricked visitors into downloading a fake installer that acted as a malware downloader, retrieving two binaries: a reconnaissance tool and a Remote Administrative Tool (RAT). The reconnaissance tool collected extensive information about the victim's machine, while the RAT gave the operators further remote control over it.

Detected Targets

Type    | Description    | Confidence
--------|----------------|-----------
Sector  | Military       | Verified
Region  | United States  | Verified

Extracted IOCs


Tip: 26 IOCs related to this threat have been found (4 IP addresses, 2 domains, 4 URLs, 2 email addresses, 14 file hashes).

Overlaps

Tortoiseshell: Tortoiseshell's Cross-Platform Espionage Targets Military and Defense Industries in US, UK, and Europe

Source: Meta - July 2021

Detection (two cases): hiremilitaryheroes[.]com, spreadme[.]international

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.