19 September 2019

New TortoiseShell group hits 11 IT providers in Saudi Arabia to compromise their customers

Researchers from cybersecurity firm Symantec have identified a new threat actor, which they refer to as the TortoiseShell group, that targets IT providers in the Middle East with supply chain attacks intended to compromise the IT providers’ customers.

The earliest signs of the group’s activity were traced to July 2018, although it is possible that TortoiseShell has been active for much longer; the most recent activity was observed in July 2019. The researchers have identified 11 organizations hit by the group, the majority of them based in Saudi Arabia. In at least two cases the attackers obtained domain admin-level access, according to the report.

“A notable element of this attack is that, on two of the compromised networks, several hundred computers were infected with malware. This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them,” Symantec said.

To compromise their targets the group used a custom malware called Backdoor.Syskit, a basic backdoor that can download and execute additional tools and commands. The backdoor comes in two versions, one written in Delphi and the other in .NET.

Backdoor.Syskit is run with the “-install” parameter to install itself. The backdoor collects the machine’s IP address, operating system name and version, and MAC address and sends them to the C&C server using the URL stored in the Sendvmd registry key. All the gathered data is Base64 encoded. Base64 is an encoding, not encryption, so the beaconed host profile is fully recoverable from captured traffic, and both the “-install” argument and the Sendvmd registry value are concrete artifacts to hunt for on endpoints.
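As an added example, not code from Symantec’s report or from the malware itself, the following Python script hunts for Syskit-style check-ins in web proxy logs. The report states only that the beacon carries the IP address, OS name and version, and MAC address, Base64 encoded; the log line layout, the query parameter name, the field order and the separators used below are constructed assumptions, so the check keys on what the decoded payload contains rather than on any fixed layout.

```python
"""Hunt for Backdoor.Syskit-style check-ins in web proxy logs.

Symantec reports that Syskit sends the victim's IP address, OS name and
version, and MAC address to its C&C, Base64 encoded. The report does not give
the wire format, so this script ASSUMES (hypothetically) the profile travels as
a Base64 string in a URL query value or a POST body, and flags any decoded blob
that contains an IPv4 address, a MAC address and a Windows version string,
whatever the field order or separator.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
OS_RE = re.compile(r"(?i)\bwindows\b[^|;,\n]{0,40}?\b\d+(?:\.\d+)*")
# Standard or URL-safe Base64 runs long enough to hold a host profile.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")


def decode_b64_lenient(token):
    """Decode standard or URL-safe Base64, restoring stripped padding.

    Returns the decoded text, or None if the token is not valid Base64 or
    does not decode to UTF-8 text (binary or garbage tokens are ignored).
    """
    s = token.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_like_host_profile(text):
    """True if the text carries all three fields Syskit is reported to beacon."""
    return bool(IPV4_RE.search(text) and MAC_RE.search(text) and OS_RE.search(text))


def extract_b64_candidates(url, body):
    """Collect Base64-looking tokens from each query value and from the body.

    The query is split by hand with unquote() rather than parse_qs(), because
    parse_qs() turns '+' into a space and would corrupt standard Base64.
    """
    cands = []
    for kv in urlsplit(url).query.split("&"):
        value = unquote(kv.partition("=")[2])
        cands.extend(B64_TOKEN_RE.findall(value))
    if body:
        cands.extend(B64_TOKEN_RE.findall(body))
    return cands


def scan_proxy_log(lines):
    """Return (src_ip, url, decoded_profile) for every line carrying a beacon.

    Assumed (constructed) line layout: "<timestamp> <src_ip> <method> <url> <body|->".
    """
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 4)
        if len(parts) < 5:
            continue
        _, src, _, url, body = parts
        body = "" if body == "-" else body
        for token in extract_b64_candidates(url, body):
            decoded = decode_b64_lenient(token)
            if decoded and looks_like_host_profile(decoded):
                hits.append((src, url, decoded))
                break
    return hits


def _b64(text, urlsafe=False):
    enc = base64.urlsafe_b64encode if urlsafe else base64.b64encode
    return enc(text.encode()).decode()


# Constructed sample log (not from the report): one beacon with standard
# Base64 in a query value, one URL-safe and unpadded in a POST body, and one
# benign Base64 blob that must not be flagged. Hosts and C&C names are fictional.
SAMPLE_LOG = [
    "2019-07-02T08:15:01Z 192.0.2.10 GET http://c2.example.test/update.php?id="
    + _b64("10.20.30.40|Microsoft Windows 10 Pro 10.0.17763|00:0C:29:3A:1B:2C") + " -",
    "2019-07-02T08:16:11Z 192.0.2.11 POST http://c2.example.test/api "
    + _b64("MAC=00-50-56-AB-CD-EF;OS=Windows Server 2012 R2 6.3;IP=10.20.30.41;", urlsafe=True).rstrip("="),
    "2019-07-02T08:17:40Z 192.0.2.12 GET http://cdn.example.test/js?v="
    + _b64("release-2019.07 build 4410 nothing to see") + " -",
]

if __name__ == "__main__":
    for src, url, profile in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {url}\n    decoded: {profile}")
```

For a real proxy, only the line split in `scan_proxy_log` needs to be mapped onto the product’s actual fields; the content check is deliberately layout-agnostic because the report does not specify how the three fields are separated. The decoder tolerates URL-safe alphabets and stripped padding, since a beacon that drops padding is the cheapest way for an author to defeat a naive Base64 regex.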

The group is also using publicly available tools, such as Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe, and get-logon-history.ps1.

Infostealer/stereoversioncontrol.exe downloads a RAR file as well as the get-logon-history.ps1 tool. It runs several commands on the infected machine to gather information about it, and also collects the Firefox data of all users of the machine. It then compresses the collected data and transfers it to a remote directory. The Infostealer/Sha.exe/Sha432.exe tool has similar functionality, gathering information about the infected machine.

After infecting the victim’s computer, Tortoiseshell uses several information-gathering tools to retrieve a range of information about the machine, such as IP configuration, running applications, system information and network connectivity.

“IT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines. This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered. The targeting of a third-party service provider also makes it harder to pinpoint who the attackers’ true intended targets were,” the researchers concluded.
