A newly identified threat group called TortoiseShell has been observed by security researchers compromising IT providers in supply chain attacks that appear aimed at reaching particular client networks.
The actor's earliest known activity dates back to July 2018, but it may have been operating for longer. The group was last seen active in July, two months ago.
Custom malware and off-the-shelf tools are used by the group
Symantec security researchers identified 11 organisations hit by TortoiseShell. Most targets are based in Saudi Arabia, and in at least two cases there is sufficient evidence to conclude that the attacker obtained domain administrator rights, giving it access to any system on the network.
On two of the victims' networks TortoiseShell infected hundreds of hosts, probably because the attackers had to hunt for the machines they were actually interested in, the researchers say.
“This is an unusually large number of computers to be compromised in a targeted attack,” Symantec says in a report published today.
Researchers say the group uses custom malware as well as ready-made tools in its operations. One threat TortoiseShell uses is the Syskit trojan, a custom backdoor first found on August 21.
The malware sends system information from the compromised host to its command and control (C2) server. The details include the IP address, operating system version, computer name, MAC address, running applications and network connectivity. It also executes instructions from the C2 to download additional malware and to run PowerShell, either to unzip a file or to launch commands through the command prompt.
Two information-gathering tools can retrieve details about the machine they landed on as well as "Firefox information of all machine users." These three components are not TortoiseShell's complete arsenal, since the actor also relies on other data-dumping tools and PowerShell backdoors.
Possible overlap with other operations
It is uncertain how the adversary infects its targets, but the researchers believe the intruder compromised a web server in at least one case.
This hypothesis is based on a web shell found on one victim, which suggests how the malware was deployed on that network.
“On at least two victim networks, Tortoiseshell deployed its information gathering tools to the Netlogon folder on a domain controller. This results in the information gathering tools being executed automatically when a client computer logs into the domain.” – Symantec
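A defender's check for the deployment path quoted above, written as an added example and not taken from Symantec's report: it audits the domain's Netlogon share, where any executable content runs on client logon, and flags files that are of an executable type, recently modified, or absent from or changed against a known-good baseline. The baseline file path and the age window are assumptions.

```powershell
# Added example: audit the Netlogon share for executable content that would run
# when clients log on to the domain. Assumptions (labelled): the baseline JSON
# path and the 30-day window are hypothetical values, not from the report.
param(
    [string]$NetlogonPath = "\\$env:USERDNSDOMAIN\NETLOGON",
    [string]$BaselinePath = 'C:\Audit\netlogon-baseline.json',   # hypothetical path
    [int]$MaxAgeDays = 30
)

# Extensions that a Netlogon share normally only holds as sanctioned logon
# scripts; anything else of these types deserves a look.
$suspectExt = '.exe', '.dll', '.ps1', '.vbs', '.bat', '.cmd', '.js', '.hta'

# Optional baseline: JSON object mapping full path -> SHA256 of the approved file.
$baseline = @{}
if (Test-Path $BaselinePath) {
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
}

$cutoff   = (Get-Date).AddDays(-$MaxAgeDays)
$findings = Get-ChildItem -Path $NetlogonPath -Recurse -File -ErrorAction Stop |
    ForEach-Object {
        $hash    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $reasons = @()
        if ($_.Extension.ToLower() -in $suspectExt) { $reasons += 'executable-type' }
        if ($_.LastWriteTime -gt $cutoff)           { $reasons += "modified-within-${MaxAgeDays}d" }
        if ($baseline.Count -gt 0) {
            if (-not $baseline.ContainsKey($_.FullName)) { $reasons += 'not-in-baseline' }
            elseif ($baseline[$_.FullName] -ne $hash)    { $reasons += 'hash-changed' }
        }
        if ($reasons) {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                SHA256        = $hash
                Reasons       = ($reasons -join ',')
            }
        }
    }

# Anything listed here should be reconciled against change records for the share.
$findings | Format-Table -AutoSize
```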
Systems of one TortoiseShell victim had earlier been compromised with Poison Frog, a PowerShell backdoor previously linked to another sophisticated threat actor, OilRig (a.k.a. APT34, HelixKitten).
Poison Frog was leaked to the public in April 2019, before the victim was compromised and a month before the TortoiseShell tools were deployed. This supports the premise that the OilRig actor was not necessarily involved in both activities.
Symantec says IT providers are an appealing target because they have "high-level access to computers of their client," an advantage that allows malicious updates to be pushed and systems to be accessed remotely.
“This provides access to the victims’ networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered.” – Symantec
Another advantage of attacking a third-party service provider is that it is harder to determine the true target, and therefore the real purpose of the campaign. This holds for TortoiseShell as well, since the researchers have no information on the specific IT providers' client profiles.