Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks

Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks

October 26, 2023 at 04:48AM

The Iranian threat actor Tortoiseshell is responsible for a new series of watering hole attacks. They use a malware called IMAPLoader, which acts as a downloader for additional payloads. The attacks target various sectors, including maritime, shipping, logistics, and nuclear industries. Tortoiseshell has a history of strategic website compromises and is associated with the Islamic Revolutionary Guard Corps. They also create phishing sites for credential harvesting.

During the meeting, it was discussed that the Iranian threat actor known as Tortoiseshell is responsible for a series of watering hole attacks. These attacks involve the deployment of a malware called IMAPLoader. IMAPLoader is a .NET malware that uses email as a command-and-control channel and is capable of executing payloads extracted from email attachments. Tortoiseshell has been active since at least 2018 and has a history of using strategic website compromises to distribute malware. In recent attacks between 2022 and 2023, the group embedded malicious JavaScript in legitimate websites to collect information about visitors. The maritime, shipping, and logistics sectors in the Mediterranean were the primary focus of these attacks, with IMAPLoader being used as a follow-on payload for high-value targets. The malware queries specific email accounts to retrieve executables from message attachments. Additionally, Tortoiseshell has created phishing sites targeting the travel and hospitality sectors to harvest credentials using fake Microsoft sign-in pages. PwC warns that this threat actor remains active and persistent across multiple industries and countries, including the Mediterranean maritime sector, nuclear, aerospace, and defense industries in the US and Europe, and IT managed service providers in the Middle East.

Full Article