Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks

Security Response Attack Investigation Team



A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.
The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.


Another notable element of this attack is that, on two of the compromised networks, several hundred computers were infected with malware. This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them.
We have seen Tortoiseshell activity as recently as July 2019.
Custom tools
The unique component used by Tortoiseshell is a malware called Backdoor.Syskit. This is a basic backdoor that can download and execute additional tools and commands. The actors behind it have developed it in both Delphi and .NET.
Backdoor.Syskit is run with the “-install” parameter to install itself. There are a number of minor variations of the backdoor, but the primary functionality is the following:
reads config file: %Windir%\temp\config.xml
writes Base64 encoding of AES encrypted (with key "fromhere") version of the data in the "url" element of the XML to: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\Enablevmd
This contains the command and control (C&C) informa ..
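The registry location described above is a usable host indicator. The following is an added example (not Symantec's code) that parses `reg query` output for the policies\system key, flags the non-standard Enablevmd value and checks whether its data is Base64 wrapping whole AES blocks, which is the storage format the backdoor's behaviour implies; the sample registry output is constructed.

```python
"""Host triage for the Backdoor.Syskit registry indicator.

Added example, not Symantec's code. Legitimate values under the
policies\\system key (EnableLUA, ConsentPromptBehaviorAdmin, ...) are
DWORDs; Syskit stores its Base64/AES-wrapped C&C config as 'Enablevmd'.
The AES mode and key derivation are not given on the page, so the check
only tests the observable shape: valid Base64 whose decoded length is a
multiple of the 16-byte AES block size.
"""
import base64
import binascii
import re
from typing import Dict, List

SYSTEM_POLICY_KEY = (r"HKEY_LOCAL_MACHINE\software\microsoft\windows"
                     r"\currentversion\policies\system")
SUSPECT_VALUE = "Enablevmd"
AES_BLOCK = 16

# Constructed sample: one legitimate value plus a planted Enablevmd value.
_SAMPLE_BLOB = base64.b64encode(b"CONSTRUCTED-SAMPLE-DATA-32-BYTES").decode()
SAMPLE_REG_QUERY = f"""{SYSTEM_POLICY_KEY}
    EnableLUA    REG_DWORD    0x1
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    {SUSPECT_VALUE}    REG_SZ    {_SAMPLE_BLOB}
"""

def parse_reg_query(output: str) -> Dict[str, str]:
    """Map value name -> data from 'reg query' text (indented name/type/data rows)."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(3).strip()
    return values

def looks_like_aes_b64(data: str) -> bool:
    """True when data is strict Base64 decoding to a non-empty whole number of AES blocks."""
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % AES_BLOCK == 0

def triage(values: Dict[str, str]) -> List[str]:
    """Return findings for the Syskit indicator; empty list means nothing seen."""
    findings: List[str] = []
    data = values.get(SUSPECT_VALUE)
    if data is None:
        return findings
    findings.append(f"unexpected value {SUSPECT_VALUE} under {SYSTEM_POLICY_KEY}")
    if looks_like_aes_b64(data):
        findings.append("data is Base64 over whole AES blocks; consistent with Syskit C&C config")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

On a live host, feed the script the output of `reg query "HKLM\software\microsoft\windows\currentversion\policies\system"` instead of the constructed sample.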
