A newly discovered threat group that security researchers call TortoiseShell is compromising IT providers in what appear to be supply-chain attacks intended to reach the networks of specific customers.

The earliest sign of activity from the actor has been tracked to July 2018, although it is possible that it has been operating for a longer time. The most recent time the threat group was seen active is two months ago, in July.

Group uses custom malware and public tools

Security researchers at Symantec identified 11 organizations that had been hit by TortoiseShell. Most of the targets are based in Saudi Arabia and in at least two cases there are enough clues to conclude that the attacker had privileges of a domain administrator, which come with access to all systems on the network.

On the networks of two of the victims, TortoiseShell infected hundreds of hosts, likely because the attackers needed to find the machines that were of interest, the researchers say.

"This is an unusually large number of computers to be compromised in a targeted attack," Symantec says in a report published today.

The researchers say that the group relies on both custom and ready-made malware for its operations. One threat TortoiseShell uses is the Syskit trojan, a custom backdoor discovered on August 21.

The malware sends system-related data about the compromised host to its command and control (C2) server. Details include the IP address, operating system version, computer name, MAC address, running apps, and network connectivity.

It can also execute commands received from the C2 server, be used to download other malware, and launch PowerShell to unzip a file or run commands in the Command Prompt console.

Additional tools seen by Symantec are publicly available and include two info stealers and a PowerShell script:

    • Infostealer/Sha.exe/Sha432.exe
    • Infostealer/stereoversioncontrol.exe
    • get-logon-history.ps1

The two info stealers can collect details about the machine they landed on and "Firefox data of all users of the machine."

These three pieces of malware are not TortoiseShell's full arsenal; the actor also relies on other data dumping tools and PowerShell-based backdoors.

Possible overlapping ops

It is unclear how the adversary infects its targets, but researchers believe that in at least one case the attacker gained access by compromising a web server.

This assumption is based on a web shell discovered at one victim, which explains how malware was deployed on the network.

"On at least two victim networks, Tortoiseshell deployed its information gathering tools to the Netlogon folder on a domain controller. This results in the information gathering tools being executed automatically when a client computer logs into the domain." - Symantec
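The Netlogon technique Symantec describes above can be checked for from the defender's side, since anything placed in that share runs on clients at logon. As an added example, not code from Symantec's report or from this article, this PowerShell script inventories the domain's NETLOGON share for executables and scripts and flags recent changes; the share path, lookback window and extension list are assumptions.

```powershell
# Added example (not from Symantec's report or this article): audit the
# NETLOGON share of the current domain for executables and scripts.
# Assumes a domain-joined host with read access to the share; the lookback
# window and extension list are assumptions, not values from the report.
param(
    [string]$Share = "\\$env:USERDNSDOMAIN\NETLOGON",
    [int]$LookbackDays = 30
)

$suspectExtensions = @('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.hta', '.scr')
$cutoff = (Get-Date).AddDays(-$LookbackDays)

$findings = Get-ChildItem -Path $Share -Recurse -File -ErrorAction Stop |
    Where-Object { $suspectExtensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $hash  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $owner = (Get-Acl -Path $_.FullName).Owner
        [pscustomobject]@{
            Path         = $_.FullName
            SHA256       = $hash
            Owner        = $owner
            Created      = $_.CreationTimeUtc
            LastWritten  = $_.LastWriteTimeUtc
            # Files created or modified inside the lookback window deserve a closer look
            RecentChange = ($_.CreationTimeUtc -gt $cutoff) -or ($_.LastWriteTimeUtc -gt $cutoff)
        }
    }

if (-not $findings) {
    Write-Output "No executable or script files found under $Share"
} else {
    # Newest changes first; compare each entry against change records and known logon scripts
    $findings | Sort-Object LastWritten -Descending | Format-Table -AutoSize
    $recent = @($findings | Where-Object RecentChange)
    if ($recent.Count -gt 0) {
        Write-Warning ("{0} file(s) under {1} were created or modified in the last {2} days." -f $recent.Count, $Share, $LookbackDays)
    }
}
```

Run it from a domain-joined host; every file it lists should map to a known logon script or an approved change, and the SHA256 column lets unexpected binaries be compared against the hashes in Symantec's report.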

Systems of one TortoiseShell victim had previously been compromised with Poison Frog, a PowerShell-based backdoor associated in the past with OilRig (a.k.a. APT34, HelixKitten), another advanced threat actor linked to the Iranian government.

Poison Frog was leaked to the public in April 2019, before the victim had been compromised, and had been deployed a month before TortoiseShell's tools. This leads to the assumption that there were two distinct operations, and that the OilRig actor was not necessarily involved.

Symantec says that IT providers are an attractive target because they offer "high-level access to their client's computers," an advantage that allows the attacker to push malicious updates and gain remote access to those systems.

"This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered." - Symantec

Another advantage of attacking a third-party service provider is that the true target is more difficult to identify, which also makes the real purpose of the campaign harder to determine.

This also applies to TortoiseShell, as researchers do not have details on the customer profiles of the targeted IT providers.
