19 September 2019

New TortoiseShell group hits 11 IT providers in Saudi Arabia to compromise their customers


Researchers from cybersecurity firm Symantec discovered a new threat actor, which they refer to as TortoiseShell group, that targets IT providers in the Middle East with supply chain attacks intended to compromise the IT providers’ customers.

The earliest signs of activity of the group were tracked to July 2018, although it is possible that TortoiseShell has been around for much longer. The most recent TortoiseShell’s campaign was spotted in July 2019. The researchers have identified 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two cases the attackers managed to gain domain admin-level access, according to the report.

“A notable element of this attack is that, on two of the compromised networks, several hundred computers were infected with malware. This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them,” Symantec said.

To compromise their targets the group used a unique malware called Backdoor.Syskit, a basic backdoor that can download and execute additional tools and commands. The backdoor comes in two versions, one written in Delphi and the other in .NET.

Backdoor.Syskit is run with the “-install” parameter to install itself. The backdoor collects the machine’s IP address, operating system name and version, and MAC address and sends them to the C&C server using the URL stored in the Sendvmd registry key. All the gathered data is Base64 encoded before it is sent.
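The beacon described above (Base64-encoded host details sent to a C&C URL) is something a defender can hunt for in proxy or egress logs without knowing the backdoor’s exact wire format. The following is an added example, not code from Symantec or from the malware: it decodes Base64 request bodies from constructed log lines and flags any that decode to a host fingerprint (IPv4 address, MAC address, OS name). The log line layout and the field separator in the decoded body are assumptions for this example.

```python
import base64
import binascii
import re

# Constructed sample records (not from the original report). Assumed layout:
# "<timestamp> <process> <url> <base64 body>", one request per line.
SAMPLE_BEACONS = [
    "2019-07-02T10:14:03Z svchost.exe http://203.0.113.10/up aGVsbG8gd29ybGQ=",
    "2019-07-02T10:14:09Z svchost.exe http://203.0.113.10/up "
    + base64.b64encode(b"10.1.2.33|Windows 7 Professional 6.1.7601|00-1A-2B-3C-4D-5E").decode(),
    "2019-07-02T10:15:00Z chrome.exe https://example.com/api eyJ1c2VyIjoiYm9iIn0=",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
OS_RE = re.compile(r"Windows|Linux|Darwin", re.IGNORECASE)


def decode_b64(token):
    """Return the decoded text if token is strict Base64 for printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def looks_like_host_fingerprint(text):
    """True when the decoded body carries at least two of: IPv4 address, MAC address, OS name."""
    hits = sum(bool(pattern.search(text)) for pattern in (IPV4_RE, MAC_RE, OS_RE))
    return hits >= 2


def flag_beacons(lines):
    """Return (url, decoded_body) for every request whose body decodes to a host fingerprint."""
    flagged = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed record, skip rather than guess
        url, body = parts[2], parts[3]
        text = decode_b64(body)
        if text and looks_like_host_fingerprint(text):
            flagged.append((url, text))
    return flagged
```

Only the second constructed record is flagged; the other two decode to plain text and JSON that carry no host details, which keeps the check from firing on ordinary Base64-encoded web traffic.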

The group is also using publicly available tools, such as Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe, and get-logon-history.ps1.

Infostealer/stereoversioncontrol.exe downloads a RAR file as well as the get-logon-history.ps1 tool. It runs several commands on the infected machine to gather information about it, along with the Firefox data of all users of the machine, then compresses the collected data and transfers it to a remote directory. The Infostealer/Sha.exe/Sha432.exe tool has similar functionality, gathering information about the infected machine.

After infecting the victim’s computer, TortoiseShell uses several information-gathering tools to retrieve a range of details about the machine, such as IP configuration, running applications, system information, and network connectivity.

“IT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines. This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered. The targeting of a third-party service provider also makes it harder to pinpoint who the attackers’ true intended targets were,” the researchers concluded.
