Nature of the Threat
Tortoiseshell, a cyber threat group connected to Iran, has recently surged in watering hole attacks, deploying a malware strain known as IMAPLoader. Written in .NET, IMAPLoader profiles target systems using native Windows tools and acts as a downloader for additional malicious payloads. Its distinguishing feature is its use of email as a command-and-control (C2, C&C) channel: it retrieves payloads from email attachments and launches them by installing new Windows services.
Tortoiseshell’s Track Record
Operating since at least 2018, Tortoiseshell has a history of strategic compromises of websites to facilitate malware distribution. In early 2023, the group was identified as breaching eight websites linked to shipping, logistics, and financial services companies in Israel. Associated with the Islamic Revolutionary Guard Corps (IRGC), Tortoiseshell is recognized by various names in the cybersecurity community, including Crimson Sandstorm, Imperial Kitten, TA456, and Yellow Liderc.
Recent Wave of Attacks
From 2022 to 2023, Tortoiseshell embedded malicious JavaScript into compromised legitimate websites. The script collected detailed information about visitors, including their location, device details, and the timing of their visits. The primary targets were the maritime, shipping, and logistics sectors in the Mediterranean region. In some instances, high-value targets subsequently received IMAPLoader as a follow-on payload.
IMAPLoader: A Multi-Stage Attack Component
IMAPLoader replaces a Python-based IMAP implant previously used by Tortoiseshell and shares much of its functionality. Acting as a downloader for next-stage payloads, IMAPLoader queries hard-coded IMAP email accounts, specifically checking a mailbox folder misspelled as ‘Recive’ to retrieve executables from message attachments. An alternate attack chain uses a Microsoft Excel decoy document as the initial vector, kick-starting a multi-stage process that delivers and executes IMAPLoader.
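The attachment-retrieval behaviour described above is something a mail gateway or a mailbox audit can look for. As an added example that is not part of the original article or of any vendor's tooling, the Python below parses messages with the standard library's email module and flags attachments that are executable by extension or that carry a Windows PE ("MZ") header regardless of their file name, which covers the case of an executable disguised as a document. The extension list, the placeholder addresses and the sample messages are all constructed for this example.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions a mail gateway should always inspect. This baseline list is an
# assumption of this example, not a list taken from the article or from any vendor.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".msi",
    ".ps1", ".bat", ".cmd", ".js", ".vbs", ".hta",
}

# Every Windows PE file (EXE, DLL, SCR, ...) starts with the two-byte "MZ" DOS header.
PE_MAGIC = b"MZ"

# Constructed stand-in for a PE attachment: only the MZ header plus padding,
# not a real or runnable binary.
FAKE_PE_BYTES = PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60


def inspect_attachments(raw_message: bytes) -> list:
    """Parse one RFC 5322 message and return a finding for each attachment that
    looks executable, judged by its file extension and by its content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded bytes
        ext = os.path.splitext(filename)[1].lower()
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension")
        if payload.startswith(PE_MAGIC):
            reasons.append("PE header (MZ) in content")
            if ext not in EXECUTABLE_EXTENSIONS:
                # The classic disguise: PE content behind a document extension.
                reasons.append("extension does not match PE content")
        if reasons:
            findings.append({"filename": filename, "size": len(payload), "reasons": reasons})
    return findings


def build_sample_message(attachments: list) -> bytes:
    """Build a constructed test message with the given (filename, bytes) attachments.
    Sender, recipient and body are placeholders for this example."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Constructed body text for the example.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def scan_samples() -> dict:
    """Run the inspector over a few constructed messages; maps a label to its findings."""
    samples = {
        "clean_pdf": [("invoice.pdf", b"%PDF-1.4 constructed placeholder content")],
        "plain_exe": [("update.exe", FAKE_PE_BYTES)],
        "disguised_pe": [("report.pdf", FAKE_PE_BYTES)],
        "mixed": [("notes.txt", b"plain text"), ("tool.scr", FAKE_PE_BYTES)],
        "no_attachment": [],
    }
    return {label: inspect_attachments(build_sample_message(parts))
            for label, parts in samples.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label}: {findings if findings else 'no executable attachments'}")
```

The content check matters more than the extension check: a downloader that fetches its next stage from a mailbox can name the attachment anything it likes, so a gateway that filters only on ".exe" is easily bypassed, while the MZ header has to be present for Windows to load the file. In production the same inspector would be wired to the mail gateway's message stream or run over a mailbox export rather than over constructed samples.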
Phishing Sites and Credential Harvesting
Tortoiseshell has been found creating phishing sites, particularly targeting the travel and hospitality sectors within Europe. These sites aim to conduct credential harvesting using fake Microsoft sign-in pages, showcasing the group’s diverse tactics.
Protection and Mitigation
To defend against Tortoiseshell and similar threats:
- Stay Informed: Regularly update yourself on emerging cyber threats and tactics employed by threat actors.
- Email Hygiene: Exercise caution with email attachments and links, especially from unknown or suspicious sources.
- Network Security: Employ robust network security measures, including firewalls and intrusion detection/prevention systems.
- Employee Training: Educate employees on cybersecurity best practices, emphasizing the dangers of phishing and social engineering.
- Update Systems: Regularly update operating systems and software to patch vulnerabilities.
Detection Names
Various anti-virus products may flag IMAPLoader and related threats under detection names such as .NET/Tortoiseshell, TA456, or similar variants.
Conclusion
The emergence and evolution of Tortoiseshell’s tactics underscore the ever-evolving landscape of cybersecurity threats. The group’s adeptness in leveraging sophisticated attack vectors like watering hole attacks, embedding malicious JavaScript, and utilizing multifaceted delivery mechanisms with IMAPLoader highlights the need for heightened vigilance within the cybersecurity domain.
As this threat group’s activities continue to span across critical sectors, including maritime, logistics, aerospace, and defense industries, it’s imperative for organizations to adopt a proactive stance. Implementing robust security measures, fostering a culture of cybersecurity awareness among employees, and regularly updating defense mechanisms stand as crucial steps in fortifying against such targeted attacks.
Moreover, collaboration and information sharing among cybersecurity entities, both within and across sectors and countries, are pivotal. These collaborations foster a collective resilience against sophisticated threat actors like Tortoiseshell, enabling the exchange of threat intelligence and the development of more effective defense strategies.
In essence, the ongoing threat posed by Tortoiseshell emphasizes the need for a multi-layered approach to cybersecurity. By combining technological defenses, continuous education, and collaborative efforts, the cybersecurity landscape can become more resilient, effectively mitigating the risks posed by such advanced threat actors.