Tortoiseshell is believed to have been active since at least 2018 and has targeted 11 organizations, most of which are in Saudi Arabia.
Possible supply chain attack
A supply chain attack compromises a service or software provider in order to gain access to its customers’ systems.
“IT providers are an ideal target for attackers given their high level of access to their clients’ computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines,” say researchers from Symantec in the blog.
There is not sufficient evidence to attribute Tortoiseshell’s activity to any state or previously known group.
Operation details
Tortoiseshell uses a unique malware called ‘Backdoor.Syskit’ that is developed in both Delphi and .NET.
Tortoiseshell’s method of delivering the Syskit malware is not yet clear, but there are indications that it could be distributed via compromised web servers.
Protection and mitigation measures
Symantec has provided a set of recommendations to protect against the Syskit malware and has also published the Indicators of Compromise (IOCs) in the blog.