Threat Advisory

Analysis of Iranian Threat Actor ‘Tortoiseshell’

By

Access Point Consulting

Executive Summary 

Tortoiseshell is an Iranian threat actor group, also known as Imperial Kitten, Yellow Liderc, Crimson Sandstorm, and TA456. It is aligned with the Iranian Revolutionary Guard Corps (IRGC). A new wave of watering-hole attacks that deploy a malware known as iMAPLoader has been attributed to Tortoiseshell. A watering-hole attack is a cyberattack in which the attacker compromises a website or online resource frequently visited by the intended victims. Besides the current iMAPLoader technique, the group is also associated with other campaigns, including those known as LEMPO and SysKit. The Microsoft .NET software framework appears to be the common element across the attack campaigns used by this threat actor.

The threat actor poses a threat to many industries and countries, including the maritime, shipping and logistics sectors within the Mediterranean; nuclear, aerospace and defense industries in the US and Europe; and IT managed service providers in the Middle East.

Tortoiseshell has been active since 2018 with new campaigns appearing in 2022 and 2023. This group has been observed using a wide variety of different tactics and techniques to infect victims. However, attacks are trending toward increased use of the iMAPLoader technique.

Malware Analysis: iMAPLoader

Attack Vector

One initial attack vector observed from this threat actor group is phishing emails that deliver a Microsoft Excel decoy document as the first step of a multi-stage process. The group has also been seen attempting credential-harvesting attacks using fake Microsoft sign-in pages.

Attack Details

The first stage of the attack is reconnaissance. The attacks start by embedding malicious JavaScript in a compromised legitimate website to gather intelligence about its visitors, including their location, device information, and times of visit.

Stage 2 involves a follow-up payload known as IMAPLoader, delivered once the actors deem a visitor a high-value target. IMAPLoader is .NET malware that can fingerprint victim systems using native Windows utilities and download further payloads. It is built with the Excel-DNA XLL plugin, which enables .NET integration into Microsoft Excel files.

Stage 3 involves a DLL side-loading technique using a file named JobTitle.dll. This DLL writes a C# source code file to disk, which is then compiled into a .NET DLL called sign.dll.

The last stage establishes C2 communication channels. Fingerprinting is repeated at every new payload execution. The malware creates new processes and executes cmd.exe.

Figure 1: Overview of IMAPLoader Functionality
Figure 2: Infection chain to deliver and execute IMAPLoader

Tactics, Techniques, and Procedures (TTPs)

TTPs are Tactics, Techniques, and Procedures. They describe the methods, strategies, and specific actions that cyber threat actors, such as hackers and malware authors, use to achieve objectives such as unauthorized access, data theft, or disruption.

Resource Development

  1. T1585.002 - Establish Accounts: Email Accounts
  2. T1587.001 - Develop Capabilities: Malware

Compromise Infrastructure

T1584 - Compromise Infrastructure

Reconnaissance

T1592 - Gather Victim Host Information

Initial Access

T1189 - Drive-by Compromise

Execution

  1. T1059.007 - Command and Scripting Interpreter: JavaScript
  2. T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  3. T1204.002 - User Execution: Malicious File

Persistence

  1. T1053.005 - Scheduled Task/Job: Scheduled Task
  2. T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Defense Evasion

  1. T1036.004 - Masquerading: Masquerade Task or Service
  2. T1055.001 - Process Injection: Dynamic-link Library Injection

Discovery

  1. T1082 - System Information Discovery
  2. T1016 - System Network Configuration Discovery
  3. T1033 - System Owner/User Discovery
  4. T1083 - File and Directory Discovery

Command and Control

T1071.003 - Application Layer Protocol: Mail Protocols

Exfiltration

T1041 - Exfiltration Over C2 Channel

Malware Analysis: LEMPO

Attack Vector

The initial attack vector used in this campaign is phishing emails containing a OneDrive URL and an Excel sheet embedded with malicious macros. Most of these behaviors are blocked by Proofpoint.

Attack Details

Stage one starts by sending the victim an email containing a .xlsm file, which holds an ingenious plaintext stealer written in Visual Basic Script (VBS).

The Excel macro adds a registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Schedule /t REG_SZ /d C:\Users\[redacted_username]\AppData\Perflog\Schedule.vbs /f) to ensure the malware runs upon user login.

Stage three involves a command-and-control server used to deliver a remote access trojan, referred to as LEMPO, that performs reconnaissance on the victim. The collected data is recorded and then exfiltrated to an actor-controlled email account using Microsoft's Collaboration Data Objects (CDO). CDO, previously known as OLE Messaging or Active Messaging, is an application programming interface included with Microsoft Windows and Microsoft Exchange Server products.

LEMPO checks connectivity by reaching out to Yandex, Google, Yahoo, Github, Mailchimp, Mega, Arxiv, and Twitter using ping and curl.

After finishing that additional reconnaissance, LEMPO moves Logs.txt from %temp% to \Perflog. LEMPO then checks that the registry key mentioned above has been added and uses the findstr command to identify files containing "user," "pass," and "vpn." The findstr command returns any matching lines, which can collect usernames and passwords from the computer. Logs.txt is then compressed into Logs.zip.

The last stage is exfiltration. LEMPO uses hardcoded credentials with Microsoft’s CDO to exfiltrate the information over SMTPS on port 465.
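As an added example that is not part of the advisory, the following Python turns the LEMPO behaviours described above (the Run-key write from the Excel macro, the AppData\Perflog staging path, the findstr sweep for "user"/"pass"/"vpn", and the ping/curl connectivity checks) into detection rules and runs them over constructed process-creation records. The record format, the user name, and the assumption that the VBS stealer is the parent of the ping/curl probes are mine.

```python
import re

# Constructed sample telemetry (not from the advisory). One process-creation record per
# line: process | parent process | command line. The Perflog path and the Run-key value
# mirror the ones quoted in the LEMPO analysis above; the user name is invented.
SAMPLE_EVENTS = [
    r"EXCEL.EXE | explorer.exe | EXCEL.EXE C:\Users\alice\Downloads\Shipment.xlsm",
    r"reg.exe | EXCEL.EXE | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    r" /v Schedule /t REG_SZ /d C:\Users\alice\AppData\Perflog\Schedule.vbs /f",
    r"wscript.exe | explorer.exe | wscript.exe C:\Users\alice\AppData\Perflog\Schedule.vbs",
    r"findstr.exe | wscript.exe | findstr /s /i /c:user /c:pass /c:vpn C:\Users\alice\*.txt",
    r"ping.exe | wscript.exe | ping -n 1 github.com",
    r"svchost.exe | services.exe | svchost.exe -k netsvcs -p",  # benign noise
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CRED_WORDS = ("user", "pass", "vpn")  # the strings LEMPO hands to findstr
RUN_KEY = re.compile(r"\\currentversion\\run(?:\s|$)", re.IGNORECASE)

def parse_event(line):
    """Split one 'process | parent | command line' record into a dict."""
    proc, parent, cmd = (part.strip() for part in line.split(" | ", 2))
    return {"process": proc.lower(), "parent": parent.lower(), "cmd": cmd}

def matches(ev):
    """Return the names of every LEMPO-style behaviour a single event exhibits."""
    hits, cmd = [], ev["cmd"].lower()
    # Run-key persistence whose payload is a script (T1547.001), as the macro's reg add does
    if ev["process"] == "reg.exe" and " add " in cmd and RUN_KEY.search(cmd) and ".vbs" in cmd:
        hits.append("run_key_script_persistence")
    # An Office process spawning reg.exe is how a macro would write that key
    if ev["process"] == "reg.exe" and ev["parent"] in OFFICE_APPS:
        hits.append("office_spawns_reg")
    # Any reference to the AppData\Perflog staging directory named in the advisory
    if "\\appdata\\perflog\\" in cmd:
        hits.append("perflog_staging_path")
    # findstr sweeping files for two or more of LEMPO's credential keywords
    if ev["process"] == "findstr.exe" and sum(w in cmd for w in CRED_WORDS) >= 2:
        hits.append("findstr_credential_hunt")
    # ping/curl connectivity probes launched from a script host (assumed parent: the VBS stealer)
    if ev["process"] in {"ping.exe", "curl.exe"} and ev["parent"] in SCRIPT_HOSTS:
        hits.append("script_host_connectivity_probe")
    return hits

def detect(lines):
    """Run every record through the rules; returns (record index, rule name) pairs."""
    return [(i, rule) for i, line in enumerate(lines) for rule in matches(parse_event(line))]
```

Each rule alone is noisy on a busy estate; the value is in several of them firing for the same host within a short window, in the order the advisory describes.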

Tactics, Techniques, and Procedures (TTPs)

Initial Access

T1566 - Social Engineering

Execution

  1. T1204.002 - Malicious Attachment
  2. T1204.002 - Macro Execution

Persistence

T1547.001 - Registry Run Keys/Startup Folder

Command and Control

T1041 - Exfiltration Over Command-and-Control Channel

Collection

  1. T1113 - Screen Capture
  2. T1056 - Input Capture

Exfiltration

  1. T1041 - Exfiltration Over Command-and-Control Channel
  2. T1048 - Exfiltration Over Alternative Protocol

Defense Evasion

  1. T1140 - Deobfuscate/Decode Files or Information
  2. T1036 - Masquerading
  3. T1027 - Obfuscated Files or Information

Discovery

  1. T1012 - Query Registry
  2. T1082 - System Information Discovery
  3. T1016 - System Network Configuration Discovery
  4. T1087 - Account Discovery
  5. T1083 - File and Directory Discovery

Impact

T1485 - Data Destruction

Malware Analysis: SysKit

Attack Vector

This malware is a custom backdoor that can download and execute additional tools and commands. Tortoiseshell has developed it in both Delphi and .NET. The threat actor was also observed using PowerShell backdoors.

Attack Details

Backdoor.Syskit is run with the “-install” parameter to install itself. Its primary functionality is as follows: it reads the config file %Windir%\temp\rconfig.xml, then writes a Base64 encoding of an AES-encrypted (key "fromhere") version of the data in the "url" element of the XML.

This value is written to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\Enablevmd.

The malware connects to a command-and-control server and sends data to it Base64-encoded. The backdoor can also receive commands to kill its process, or a variety of file commands such as deleting the config file.

Tactics, Techniques, and Procedures (TTPs)

Initial Access

T1190 - Compromised Web Server

Execution

  1. T1204.002 - Custom Malware Execution
  2. T1202 - Living off the Land (LotL)

Persistence

T1547.001 - Registry Modification for Persistence

Collection

  1. T1005 - Information Gathering
  2. T1002 - Data Compression

Command and Control

  1. T1043 - Communication Through C&C Server
  2. T1102.001 - C&C URL Construction

Defense Evasion

  1. T1070.004 - Deletion of Configuration Files
  2. T1489 - Service Termination

Lateral Movement

T1021.001 - Deployment to Netlogon Folder
