Researchers from cybersecurity firm Symantec discovered a new threat actor, which they refer to as TortoiseShell group, that targets IT providers in the Middle East with supply chain attacks intended to compromise the IT providers’ customers.
The earliest signs of activity of the group were tracked to July 2018, although it is possible that TortoiseShell has been around for much longer. The most recent TortoiseShell’s campaign was spotted in July 2019. The researchers have identified 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two cases the attackers managed to gain domain admin-level access, according to the report.
“Notable element of this attack is that, on two of the compromised networks, several hundred computers were infected with malware. This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them,” Symantec said.
To compromise their targets the group used a unique malware called Backdoor.Syskit, which is a basic backdoor that can download and execute additional tools and commands. The backdoor comes in two versions - one is written in Delphi and the other one in .NET.
Backdoor.Syskit is run with the “-install” parameter to install itself. The backdoor collects and sends the machine’s IP address, operating system name and version, and Mac address to the C&C server using the URL in the Sendvmd registry key. All the gathered data is Base64 encoded.
The group is also using publicly available tools, such as Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe, and get-logon-history.ps1.
Infostealer/stereoversioncontrol.exe downloads a RAR file, as well as the get-logon-history.ps1 tool. It runs several commands on the infected machine to gather information about it and also the Firefox data of all users of the machine. It then compresses and transfers the collected data to a remote directory. Infostealer/Sha.exe/Sha432.exe tool has a similar functionality, gathering information about the infected machine.
After infecting the victim’s computer, Tortoiseshell uses several information tools to retrieve a range of information about the machine, such as IP configuration, running applications, system information, network connectivity etc.
“IT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines. This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered. The targeting of a third-party service provider also makes it harder to pinpoint who the attackers’ true intended targets were,” the researchers concluded.