Tortoiseshell, an Iranian cyber-espionage group linked to the IRGC, has ramped up operations since its emergence in 2018, targeting defense, aerospace, and military organizations primarily in the US, Israel, and the Middle East. Utilizing social engineering, phishing, and a sophisticated malware toolkit, Tortoiseshell conducts espionage while evading detection and often employs fake personas to gain trust.
Affected: Defense sector, Aerospace sector, IT providers, Energy companies, Military-linked organizations, NGOs
Keypoints:
- Tortoiseshell is linked to Iranian interests and backed by the IRGC.
- Primarily targets technology, defense, NGOs, government, financial, and transportation sectors.
- First emerged in 2019 with a focus on IT providers in Saudi Arabia.
- Utilizes custom malware and social engineering tactics including long-term phishing campaigns.
- Known for using fake social media personas to build trust with targets.
- Employs spear-phishing emails with malware-laced attachments targeting privileged individuals.
- Uses cloud platforms like Dropbox and Google Drive for malware hosting and data exfiltration.
- Has been active since at least July 2018, linking it to espionage operations in the Middle East.
- Defensive measures suggested include advanced email filtering, employee training, and multi-factor authentication.
MITRE Techniques:
- T1592: Gather Victim Host Information – Utilizes reconnaissance to obtain target details.
- T1587.001: Develop Capabilities: Malware – Creates custom malware for use in attacks.
- T1566: Phishing – Employs phishing as a primary attack vector.
- T1189: Drive-by Compromise – Executes drive-by downloads targeting users.
- T1059.007: Command and Scripting Interpreter: JavaScript – Uses JavaScript for execution of commands.
- T1059.003: Command and Scripting Interpreter: Windows Command Shell – Executes commands via the Windows command shell.
- T1059.001: Command and Scripting Interpreter: PowerShell – Uses PowerShell for script execution.
- T1204.002: User Execution: Malicious File – Tricks users into executing malicious files.
- T1053.005: Scheduled Task/Job: Scheduled Task – Employs scheduled tasks for persistence.
- T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Uses registry Run keys to maintain presence.
- T1036.004: Masquerading: Masquerade Task or Service – Disguises tasks or services to avoid detection.
- T1055.001: Process Injection: Dynamic-link Library Injection – Injects code into other processes.
- T1082: System Information Discovery – Gathers system configuration information.
- T1016: System Network Configuration Discovery – Discovers network configurations of targets.
- T1033: System Owner/User Discovery – Identifies system users and owners.
- T1083: File and Directory Discovery – Analyzes file structures for sensitive information.
- T1071.003: Application Layer Protocol: Mail Protocols – Uses mail protocols for command and control.
- T1041: Exfiltration Over C2 Channel – Exfiltrates data through command and control channels.
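The two persistence techniques listed above (T1547.001 registry Run keys and T1053.005 scheduled tasks) are cheap to audit on a Windows endpoint. The script below is an added defender-side example written for this summary; it is not code from SOCRadar or from the profile it summarizes. It enumerates both locations and flags entries whose command invokes a script interpreter (matching the T1059.001/.003/.007 techniques on the list) or runs from a user-writable directory. The interpreter and path patterns are assumptions chosen for illustration, not indicators from the report.

```powershell
# Added example (not from the SOCRadar profile): audit Run keys (T1547.001) and
# scheduled tasks (T1053.005) for commands that launch a script interpreter
# (T1059.001/.003/.007) or run from a user-writable directory.
# Run from an elevated PowerShell session so HKLM and all task folders are readable.

# Assumed heuristics: interpreter names and writable-path fragments worth a second look.
$InterpreterPattern  = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'
$UserWritablePattern = '\\Users\\[^\\]+\\AppData|\\Temp\\|\\ProgramData\\|\\Public\\|\\Downloads\\'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousCommand {
    # Returns a reason string when the command matches a heuristic, otherwise $null.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $reasons = @()
    if ($Command -imatch $InterpreterPattern)  { $reasons += 'script interpreter (T1059)' }
    if ($Command -imatch $UserWritablePattern) { $reasons += 'user-writable path' }
    if ($reasons.Count -gt 0) { return ($reasons -join '; ') }
    return $null
}

$findings = @()

# T1547.001: every value under the Run / RunOnce keys is an autostart command.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $why = Test-SuspiciousCommand -Command ([string]$prop.Value)
        if ($why) {
            $findings += [pscustomobject]@{
                Source  = 'RunKey'
                Name    = "$key\$($prop.Name)"
                Command = $prop.Value
                Reason  = $why
            }
        }
    }
}

# T1053.005: scheduled tasks outside Microsoft's own folders. Because of T1036.004
# a benign-looking task name proves nothing; the action's executable is what matters.
foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }     # non-exec actions have no command line
        $cmd = "$($action.Execute) $($action.Arguments)"
        $why = Test-SuspiciousCommand -Command $cmd
        if ($why) {
            $findings += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd
                Reason  = $why
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Every hit is a lead, not a verdict: legitimate software also uses PowerShell launchers and ProgramData. The value of the audit is diffing its output against a known-good baseline for the host, so that a newly added Run value or task is what stands out.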
Indicators of Compromise:
- Malicious File: LEMPO malware
- Malicious File: MINIBIKE backdoor
- Malicious File: MINIBUS backdoor
- Domain: example[.]com (used as an example placeholder)
- Domain: malicious[.]com (used as an example placeholder)
Full Story: https://socradar.io/dark-web-profile-tortoiseshell-apt/