The Iranian threat actor known as TortoiseShell has been blamed for a new wave of watering hole attacks designed to deploy malware called IMAPLoader.
“IMAPLoader is a .NET malware that has the ability to fingerprint a victim system using native Windows utilities and act as a downloader for further payloads,” PwC Threat Intelligence said in a Wednesday analysis.
“It uses email as a [command-and-control] channel and is able to execute payloads extracted from email attachments and through new service deployments.”
Active since at least 2018, TortoiseShell has a history of using strategic website compromises to facilitate the distribution of malware. Earlier this May, ClearSky linked the group to the breach of eight websites linked to shipping, logistics and financial services companies in Israel.
The threat actor is affiliated with the Islamic Revolutionary Guard Corps (IRGC) and is also tracked by the broader cybersecurity community under the names Crimson Sandstorm (formerly Curium), Imperial Kitten, TA456, and Yellow Liderc.
These intrusions primarily focused on the maritime, shipping and logistics sectors in the Mediterranean Sea, in some cases deploying IMAPLoader as a follow-on payload should the victim be considered a high-value target.
Due to similarities in functionality, IMAPLoader is said to be a replacement for Tortoiseshell, the Python-based IMAP implementer previously used in late 2021 and early 2022.
The malware acts as a downloader for the next stage’s payload by querying hard-coded IMAP email accounts, especially mailbox folders misspelled as “Receive”, to recover executable objects from message attachments.
In an alternative attack chain, a Microsoft Excel decoy document is used as the initial vector to kick-start a multi-stage process to distribute and execute IMAPLoader, indicating that the threat actor is using their Using a variety of tactics and techniques to achieve strategic goals.
PwC said it also discovered phishing sites created by Tortoiseshell, some of which were aimed at credential harvesting using fake Microsoft sign-in pages in the travel and hospitality sectors within Europe.
“This threat actor remains an active and persistent threat to many industries and countries, including the maritime, shipping and logistics sectors within the Mediterranean; the nuclear, aerospace and defense industries in the US and Europe; and IT managed service providers in the Middle East,” PwC said.