A previously undocumented attack group, given the name the Tortoiseshell Group, is targeting Middle Eastern IT firms in an apparent supply chain move against their customers. Researchers at Symantec have discovered 11 IT firms, mostly in Saudi Arabia, that have been hit by the group.
The group is using both custom and off-the-shelf malware, and has been active since at least July 2018. The unique component of their weaponry is Backdoor Syskit, which was developed in both Delphi and .NET.
Syskit has been found with a number of minor variations, but the basic functionality remains the same. It is run with the “-install” parameter. It reads the config file %Windir%\temp\rconfig.xml, writes the C&C information to the registry, and then deletes the config file.
The researchers explain that the malware collects and sends the machine’s IP address, operating system name and version, and MAC address to the C&C server using the URL stored in the registry. Data sent to the C&C server is Base64 encoded.
Inbound, the malware accepts a number of commands: ‘kill_me’ (stops the dllhost service and deletes %Windir%\temp\bak.exe); ‘upload’ (downloads from a URL provided by the C&C server); and ‘unzip’ (uses PowerShell to unzip a specified file to a specified destination, or to run cmd.exe /c <received command>).
Other tools used by the group include Infostealer and get-logon-history.ps1 (downloaded by Infostealer). The latter gathers information from the machine and the Firefox data of all users, compresses it, and transfers it to a remote directory. Infostealer does the same with further machine data.
The initial infection vector has not been confirmed. However, the researchers note that in one case a web shell was discovered, indicating “that the attackers likely compromised a web server, and then used this to deploy malware onto the network.”
On at least two victim networks, the information gathering tools were deployed to the Netlogon folder on a domain controller. “This activity indicates the attackers had achieved domain admin level access on these networks,” say the researchers, “meaning they had access to all machines on the network.” They also note that on two of the compromised networks (they don’t say if it is the same two), “several hundred computers were infected with malware… It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them.”
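As an added illustration (not part of the article or of Symantec’s published detections), the following Python sketch turns the behaviours described above into detection logic and runs it over a constructed set of simplified Sysmon-style events: the “-install” launch of an image that created rconfig.xml, cmd.exe /c and PowerShell children of dllhost.exe, and tooling dropped into the NETLOGON share on a domain controller. The event shape, host names, image names and the Expand-Archive command line are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified Sysmon-like shape; none are taken from the report.
SAMPLE_EVENTS = [
    {"type": "file", "host": "ws01", "image": r"C:\Windows\Temp\update.exe",
     "path": r"C:\Windows\Temp\rconfig.xml"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\Temp\update.exe",
     "cmdline": "update.exe -install", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami", "parent": r"C:\Windows\System32\dllhost.exe"},
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Expand-Archive -Path C:\Windows\Temp\a.zip -DestinationPath C:\Windows\Temp",
     "parent": r"C:\Windows\System32\dllhost.exe"},
    {"type": "file", "host": "dc01", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\get-logon-history.ps1"},
    # Benign installer: takes '-install' too, but never touched rconfig.xml, so it must not fire.
    {"type": "process", "host": "ws02", "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": "setup.exe -install", "parent": r"C:\Windows\explorer.exe"},
]

RCONFIG_RE = re.compile(r"\\temp\\rconfig\.xml$", re.I)          # %Windir%\temp\rconfig.xml
# The NETLOGON share is backed by SYSVOL\sysvol\<domain>\scripts on a domain controller.
NETLOGON_RE = re.compile(r"\\sysvol\\sysvol\\[^\\]+\\scripts\\.+\.(ps1|exe|bat|vbs)$", re.I)
SHELL_RE = re.compile(r"\\(cmd|powershell)\.exe$", re.I)

def detect(events):
    """Return (host, rule, detail) tuples for events matching the reported Syskit tradecraft."""
    hits = []
    # Rule 1 needs two events: the image that created rconfig.xml is later run with '-install'.
    rconfig_writers = defaultdict(set)
    for ev in events:
        if ev["type"] == "file" and RCONFIG_RE.search(ev["path"]):
            rconfig_writers[ev["host"]].add(ev["image"].lower())
    for ev in events:
        if ev["type"] == "process":
            args = ev["cmdline"].lower().split()
            if "-install" in args and ev["image"].lower() in rconfig_writers[ev["host"]]:
                hits.append((ev["host"], "syskit_install", ev["image"]))
            # Rule 2: cmd.exe or PowerShell spawned by dllhost.exe, the service the kill_me command stops.
            if ev["parent"].lower().endswith(r"\dllhost.exe") and SHELL_RE.search(ev["image"]):
                hits.append((ev["host"], "syskit_command", ev["image"]))
        # Rule 3: scripts or executables written into the NETLOGON share on a domain controller.
        elif ev["type"] == "file" and NETLOGON_RE.search(ev["path"]):
            hits.append((ev["host"], "netlogon_drop", ev["path"]))
    return hits
```

dllhost.exe is also a legitimate COM surrogate host, so the parent/child rule needs baselining against normal activity before it is promoted to an alert.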
On one of the victim networks, they also found that Poison Fog had been deployed one month prior to the Tortoiseshell tools. Poison Fog is a variant of BondUpdater, which has previously been used in attacks in the Middle East and has been associated with APT34 (aka OilRig). Symantec doesn’t believe that the two incidents are related, but takes it as an indication that multiple attack groups are operating in the area.
APT34 has been active since at least 2014, and has been linked to Iran. In July 2019, FireEye reported an APT34 campaign targeting primarily energy and utilities, government, and oil and gas industries in the Middle East.
Since the Tortoiseshell group activity is focused on IT companies, Symantec believes it is a wide-ranging supply chain attack seeking to gain access to the firms’ customers. Supply chain attacks have been increasing in recent years, with a 78% increase reported during 2018. NotPetya was a supply chain attack, where the M.E.Doc accounting software was infected and subsequently pushed out to M.E.Doc’s customers.
“IT providers are an ideal target for attackers given their high level of access to their clients’ computers,” note the researchers. “This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines.” One successful attack against the supply chain could provide easy and stealthy access to multiple targets that are likely to be well defended.
However, Symantec doesn’t have access to the IT companies’ client list, so cannot tell whether these attacks are designed to compromise as many customers as possible, or aimed at one or more specific targets. At the same time, it says, “we currently have no evidence that would allow us to attribute Tortoiseshell’s activity to any existing known group or nation state.”