In a recent surge of cyber incidents, the Iranian threat group known as Tortoiseshell has been linked to a series of watering hole attacks involving a new strain of malware referred to as IMAPLoader. This type of malware is designed to gather information from compromised systems and function as a downloader for additional malicious payloads, exploiting vulnerabilities in systems utilized by specific sectors.
According to a recent analysis by the PwC Threat Intelligence team, IMAPLoader operates as a .NET executable capable of fingerprinting the victim’s environment through native Windows tools. The malware employs email as a command-and-control channel, enabling it to execute payloads retrieved from email attachments. It runs these retrieved payloads by deploying them as new services on the targeted systems.
Tortoiseshell has a documented history of strategic website compromises as part of its cyber operations, dating back to at least 2018. This group’s activities have been increasingly directed towards the maritime and logistics sectors, particularly in the Mediterranean region. Earlier this year, ClearSky Cyber Security highlighted Tortoiseshell’s association with breaches affecting various Israeli companies in the shipping, logistics, and financial fields.
The group operates in alignment with the Islamic Revolutionary Guard Corps (IRGC) and is recognized under alternate designations such as Crimson Sandstorm, Imperial Kitten, TA456, and Yellow Liderc. Their approach combines sophisticated tactics aimed at gathering intelligence on high-value targets, employing methods such as embedding malicious JavaScript in compromised legitimate websites, which allows them to collect sensitive data including visitor locations and device specifics.
The current wave of attacks utilizing IMAPLoader appears to have moved away from a previous Python-based implant used by Tortoiseshell in prior incidents. IMAPLoader is said to query hard-coded Internet Message Access Protocol (IMAP) accounts, particularly accessing a deliberately misspelled folder named “Recive” to download executables from malicious email attachments.
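The mailbox-polling behaviour described above (a client selecting the misspelled "Recive" folder and then fetching attachment bodies) is something a mail administrator can look for on the server side. The following is an added example, not code from the original report or from PwC: it scans constructed IMAP session log lines in an assumed `key=value` format and raises an alert for each user/client pair that fetches message bodies from that folder.

```python
"""Detect IMAPLoader-style polling of a suspicious mailbox folder in IMAP server logs.

Added example (not from the original article or PwC). The log line format
and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample log lines; assumed format: <timestamp> user=<u> ip=<ip> cmd=<imap command>
SAMPLE_LOG = """\
2023-10-25T08:01:02Z user=ops@example.test ip=10.0.0.15 cmd=LOGIN
2023-10-25T08:01:03Z user=ops@example.test ip=10.0.0.15 cmd=SELECT "INBOX"
2023-10-25T08:01:04Z user=ops@example.test ip=10.0.0.15 cmd=FETCH 1:* (FLAGS)
2023-10-25T08:02:10Z user=drop1@example.test ip=10.0.0.77 cmd=LOGIN
2023-10-25T08:02:11Z user=drop1@example.test ip=10.0.0.77 cmd=SELECT "Recive"
2023-10-25T08:02:12Z user=drop1@example.test ip=10.0.0.77 cmd=FETCH 1 (BODY[2])
2023-10-25T08:07:11Z user=drop1@example.test ip=10.0.0.77 cmd=SELECT "Recive"
2023-10-25T08:07:12Z user=drop1@example.test ip=10.0.0.77 cmd=FETCH 2 (BODY[2])
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) cmd=(?P<cmd>.*)$')
SELECT_RE = re.compile(r'^SELECT\s+"?([^"]+?)"?\s*$')
# Folder name is compared case-insensitively; "Recive" is the misspelling named in the PwC analysis.
SUSPICIOUS_FOLDERS = {"recive"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_imaploader_pattern(log_text):
    """Return [(user, ip, fetch_count)] for sessions that SELECT a suspicious folder
    and then FETCH a message body part from it. Per-session state tracks the
    currently selected folder, since FETCH does not name the folder itself."""
    selected = {}                # (user, ip) -> folder currently selected, lowercased
    hits = defaultdict(int)      # (user, ip) -> number of body fetches from a suspicious folder
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["user"], rec["ip"])
        cmd = rec["cmd"]
        sel = SELECT_RE.match(cmd)
        if sel:
            selected[key] = sel.group(1).lower()
            continue
        # A BODY[...] fetch is a full-content download, not just a flag or header check.
        if cmd.startswith("FETCH") and "BODY[" in cmd and selected.get(key) in SUSPICIOUS_FOLDERS:
            hits[key] += 1
    return [(user, ip, n) for (user, ip), n in sorted(hits.items())]
```

Repeated fetches from the same pair at a fixed interval, as in the sample, are the polling cadence worth correlating with endpoint telemetry for new service installations.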
Additionally, Tortoiseshell has implemented initial attack vectors that involve sending decoy Microsoft Excel documents, initiating complex multi-stage processes for deploying IMAPLoader. This tactic reflects a diverse range of methods employed by the group to achieve its broader strategic objectives.
Amid these developments, PwC has also noted the creation of phishing sites by Tortoiseshell targeting the travel and hospitality sectors in Europe, designed to harvest user credentials through deceptive Microsoft sign-in pages. This highlights the ongoing and evolving nature of the threat landscape.
Overall, Tortoiseshell continues to represent a significant cybersecurity threat to various industries, particularly within maritime and logistics, as well as in sectors involving defense and nuclear operations in the United States and Europe. The group’s adaptive techniques, which map to MITRE ATT&CK tactics such as Initial Access, Execution, and Persistence, underline the importance for organizations of maintaining vigilance and strengthening their cybersecurity posture to mitigate such sophisticated threats.