Earlier this year researchers at Symantec identified a threat actor that was targeting various IT providers in Saudi Arabia. The attacks were carried out with custom malware by a group called Tortoiseshell that was thought to be active since roughly July 2018. Tortoiseshell at the time was engaging in supply-chain attacks with the goal of gaining access to customer data held by the 11 IT providers that were successfully compromised. Not satisfied with this, however, it seems that Tortoiseshell is branching out into other target areas.
According to a recent blog post from Cisco Talos Intelligence, it appears that Tortoiseshell has shifted focus from civilians in the Middle East to ex-military members in the United States. The threat actors are specifically attempting to trick veterans looking for employment into using their hoax website hxxp://hiremilitaryheroes.com and infect them with malware. The website in question tries to look similar U.S. Chamber of Commerce’s employment resource for veterans and hopes that visitors will not notice the difference in URLs.
The Tortoiseshell website infects visitors by tricking them into downloading an executable for a fake desktop application. Once the fake downloader is executed, it begins to proceed with a smoke-and-mirrors show that leads the user to believe the program is being installed. The “application” then freezes on a nearly full installation progress bar and it is here that the malware begins to take effect.
Cisco Talos researchers state the following about the malware’s processes:
The installer checks if Google is reachable. If not, the installation stops. If it is reachable, the installer downloads two binaries from hxxp://199[.]187[.]208[.]75/MyWS.asmx/GetUpdate?val=UID… The downloaded binaries are stored in base64. One of the binaries is a tool used to perform a reconnaissance stage on the system and the second is the Remote Administrative Tool. The RAT is executed as a service. The installer installs the service first (for the -install argument) and then stops/starts the service with the command and control (C2) server IP in argument… If something fails during the installation, an email is sent to the attacker. The credentials are hardcoded in the installer. The email account is [email protected][.]com and the error email is sent to [email protected][.]com… The downloaded reconnaissance tool is named “bird.exe” on the system and the internal name is Liderc… The purpose is to collect a lot of information on the victim machine.
With the shift from civilians to individuals with ties to the U.S. military, one has to wonder just what exactly is motivating Tortoiseshell. It is too early to tell if there is a nation-state or cyberterrorism angle, but this cannot be ruled out either. Tortoiseshell isn’t looking for a payday like most cybercriminals, but rather they are looking to gather as much information as possible. This is one threat actor to keep an eye on.