Researchers have attributed the website to a nation-state hacking group known as “Tortoiseshell”, which has since been determined to be aligned with the Iranian hacking team “Imperial Kitten”. Adam Meyers, VP of intelligence at CrowdStrike, noted in their research that “Imperial Kitten” is a nation-state hacking group supporting Iran’s Islamic Revolutionary Guard. The group’s modus operandi has been to first compromise major IT provider networks in Saudi Arabia and then leapfrog from those provider networks into the networks of the providers’ customers. The Iranian group has been hosting a website with an image from the film “Flags of our Fathers” seen here. The malicious site prompts users to download its “desktop app” for free. The app is a fake installer that downloads malware to the device. The downloaded binaries are base64-encoded; once decoded and run, they perform reconnaissance and provide remote administrative access to the victim’s machine.
The recon tool collects a vast amount of information from the system, including the date and time, installed drivers, patch levels, network configuration, number of processors, hardware and firmware versions, a listing of accounts, and much more. This information is then sent to two email addresses hardcoded in the malware, “[email protected]” and “[email protected]”. The threat actors also deploy a Remote Access Tool (RAT) which reaches back to the Command and Control (C2) server for further directions from the hacking group. The RAT has functionality allowing it to download additional modules from the internet, zip and unzip files, and execute commands on the system.
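As an added triage example (not code from the report or from any of the researchers it cites), the helper below decodes a base64 download of the kind described above, checks whether the decoded blob carries a Windows executable header, and lists any email addresses embedded in it, since hardcoded addresses are a likely exfiltration channel worth blocking at the mail gateway. The sample payload and the two addresses in it are constructed for the example and are not the real indicators.

```python
import base64
import re
import struct

# Constructed sample: a minimal PE-shaped header (not a working executable) followed by
# two made-up e-mail addresses, mimicking hardcoded exfiltration addresses. Not real IoCs.
def _build_sample() -> bytes:
    pe_offset = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    hdr += struct.pack("<I", pe_offset)          # e_lfanew field lives at offset 0x3C
    hdr += b"\x00" * (pe_offset - len(hdr))
    hdr += b"PE\x00\x00"                         # PE signature at e_lfanew
    return bytes(hdr) + b"\x00" * 16 + b"report-a@example.invalid\x00report-b@example.invalid\x00"

SAMPLE_B64 = base64.b64encode(_build_sample()).decode()

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and its e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_base64_download(text: str) -> dict:
    """Decode a base64-encoded download and report whether it is a Windows executable
    and which e-mail addresses (candidate exfiltration channels) it embeds."""
    try:
        blob = base64.b64decode(text, validate=True)
    except ValueError:                           # binascii.Error is a ValueError subclass
        return {"decoded": False, "is_pe": False, "emails": []}
    emails = sorted({m.decode() for m in EMAIL_RE.findall(blob)})
    return {"decoded": True, "is_pe": looks_like_pe(blob), "emails": emails}

if __name__ == "__main__":
    print(triage_base64_download(SAMPLE_B64))
```

The email list is what you would feed to a mail-gateway block rule or a SIEM watchlist; the PE check is what turns a "free desktop app" download into a quarantine decision.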
The malicious website has the potential to impact a large swath of victims because of the nature of this particular attack vector. Americans are supportive of veterans, and one could imagine how many people could be infected if this fake site is shared widely on social media.