Middle Eastern IT providers targeted in probable supply chain attack

• A new group called Tortoiseshell has hit IT providers in the Middle East, in a probable supply chain attack.
• This group was previously undocumented and has been observed to use both custom and off the shelf malware.

Tortoiseshell is believed to be active since at least 2018 and has targeted 11 organizations, most of which are in Saudi Arabia.

Possible supply chain attack

A supply chain attack exploits services and software to gain access to their customers’systems.

• The targeting of IT providers by this threat group, Tortoiseshell, has led researchers to believe that it might be a supply chain attack.
• This type of attack has been recorded to be on the rise over the past few years.
• In two of the attacks, hundreds of systems were found to be infected. This could mean that the group was infecting all the available machines to filter targets.
• There is also evidence to suggest that the attackers gained domain-level access to at least two of the affected organizations.

“IT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines,” say researchers from Symantec in the blog.

There is not sufficient evidence to associate Tortoiseshell’s activity to any state or existing group.

Operation details

Tortoiseshell uses a unique malware called ‘Backdoor.Syskit’ that is developed in both Delphi and .NET.

• This malware opens a backdoor allowing the attackers to steal the machine’s IP address and operating system details.
• The harvested data is base64 encoded and then sent to the command-and-control server.
• Syskit is also known to download and execute other commands and tools.
• Tortoiseshell also uses public tools such as Infostealer/Sha.exe/Sha432.exe, Infostealer/stereoversioncontrol.exe, and get-logon-history.ps1.

Tortoiseshell’s method of delivery of the Syskit malware is not clear yet, but there are indications that it could be distributed via compromised web servers.

Protection and mitigation measures

Symantec has provided a set of recommendations to protect against the Syskit malware and has also published the Indicators of Compromise (IOCs) in the blog.