A security firm has discovered a watering hole attack that targeted at least eight Israeli websites. The attack is attributed to an Iranian nation-state actor, believed to be linked to the Tortoiseshell group.

Tortoiseshell targeting Israeli websites

According to ClearSky, the eight targeted websites belong to different Israeli industries, including logistics, shipping, and financial services.
  • The attackers used strategic web compromises, the watering hole technique: they compromise a website commonly visited by a targeted group of users or by a specific industry and use it to deliver the malicious code to visitors.
  • The intrusions involved malicious JavaScript injected into the websites' pages to collect information about the visiting system and send it back to a remote server.

Operational insights

  • The experts found that the JavaScript code checks the user's language preference, most likely so the attackers can tailor the attack to the victim.
  • The attacks used a domain named jquery-stack[.]online for C2 communication, chosen to blend in by impersonating the genuine jQuery JavaScript library.
  • Additionally, the injected code is partly borrowed from the Metasploit framework, combined with a few unique strings.
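
The operational details above (a script injected into compromised pages, with C2 on a jQuery lookalike domain) translate into a simple check that site owners and defenders can run over their own pages. The following Node.js script is an added example and not code from ClearSky or Cyware: it extracts every external `<script src>` reference from a page, flags hosts that are not on an allowlist, singles out hosts whose name imitates jQuery, matches the jquery-stack[.]online indicator from the report, and notes allowed CDN scripts that are not pinned with an `integrity` (Subresource Integrity) attribute. The allowlist, the first-party host `logistics.example`, the lookalike host `jquery-assets.example`, the placeholder hash and the sample HTML are all constructed for illustration.

```javascript
"use strict";

// Added example, not ClearSky's or Cyware's code: audit the external
// <script src> references in a page for hosts that are not allowlisted,
// hosts imitating the jQuery CDN, and known C2 indicators.

// Third-party hosts this site is allowed to load scripts from (assumed list).
const ALLOWED_HOSTS = new Set([
  "code.jquery.com",
  "ajax.googleapis.com",
  "cdnjs.cloudflare.com",
]);

// Indicator from the ClearSky report (written jquery-stack[.]online above).
const KNOWN_BAD_HOSTS = new Set(["jquery-stack.online"]);

// Resolve a src attribute (absolute, protocol-relative or path) to a hostname.
function hostOf(src, pageHost) {
  try {
    return new URL(src, `https://${pageHost}/`).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Walk every <script ...> tag and return the findings, each with the original
// src, the resolved host and the reason it was flagged.
function auditScripts(html, pageHost) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!srcMatch) continue; // inline script: not covered by this check
    const src = srcMatch[1];
    const host = hostOf(src, pageHost);
    if (host === null) {
      findings.push({ src, host, reason: "unparseable src" });
    } else if (KNOWN_BAD_HOSTS.has(host)) {
      findings.push({ src, host, reason: "known C2 indicator" });
    } else if (host === pageHost.toLowerCase()) {
      // First-party script: nothing to flag here.
    } else if (!ALLOWED_HOSTS.has(host)) {
      const reason = /jquery/i.test(host)
        ? "jQuery lookalike host not on allowlist"
        : "third-party host not on allowlist";
      findings.push({ src, host, reason });
    } else if (!/\bintegrity\s*=/i.test(attrs)) {
      // Allowed CDN, but the file is not pinned with Subresource Integrity.
      findings.push({ src, host, reason: "allowed CDN script without integrity attribute" });
    }
  }
  return findings;
}

// Constructed sample page (not a real site) mixing a first-party script, a
// pinned CDN script, an unpinned CDN script, the reported indicator, a
// protocol-relative lookalike host and an inline script. The hash is a placeholder.
const SAMPLE_HTML = `
<html><head>
<script src="/assets/app.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script src="https://jquery-stack.online/jquery.min.js"></script>
<script src="//jquery-assets.example/jquery.js"></script>
<script>document.title = "hello";</script>
</head><body></body></html>`;

if (typeof require === "function" && require.main === module) {
  for (const f of auditScripts(SAMPLE_HTML, "logistics.example")) {
    console.log(`${f.reason}: ${f.src}`);
  }
}
```

Run it over saved copies of your production pages (for example from a periodic crawl) and alert on any finding. Note that SRI does not stop an injected tag that the attacker controls end to end; what it does is prevent a legitimately referenced CDN file from being swapped out, and it gives the audit a clear reason to flag scripts the site never pinned.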

Quick note on the actor

Tortoiseshell was first spotted in July 2018, when it targeted IT providers in Saudi Arabia. In previous campaigns it has also set up fake hiring websites aimed at U.S. military veterans to trick them into downloading remote access trojans.

Conclusion

Israel is already among the most prominent targets of Iranian state-sponsored groups pursuing the regime's objectives, and the latest campaign attributed to Tortoiseshell is a prime example. Organizations should therefore load the published IoCs, such as the jquery-stack[.]online domain, into their web proxies, DNS filtering and endpoint controls to block such attempts. Additionally, raise awareness of watering hole attacks and keep systems and browsers patched.

Publisher: Cyware