Tortoiseshell cybercrime attacks Saudi IT companies

Over the past 14 months, the Tortoiseshell cybercriminal group has attacked at least 11 IT companies, most of which are located in Saudi Arabia.

According to researchers at Symantec, the attackers’ goal is supposedly to compromise companies’ customers.

In some cases, attackers managed to gain administrator privileges, as well as infect several hundred computers.

“Another notable element of this attack is that, on two of the compromised networks, several hundred computers were infected with malware. This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them,” Symantec’s researchers report.

The group uses a malware family called Backdoor.Syskit, which exists in both Delphi and .NET versions. With this backdoor, the attackers can download and execute additional tools and commands.


Backdoor.Syskit is installed by launching it with the “-install” option. The malware collects the machine’s IP address, operating system name and version, and MAC address and sends them to the C&C server, whose URL it reads from the Sendvmd registry key. Data sent to the C&C server is Base64-encoded.

“On at least two victim networks, Tortoiseshell deployed its information gathering tools to the Netlogon folder on a domain controller. This results in the information gathering tools being executed automatically when a client computer logs into the domain. This activity indicates the attackers had achieved domain admin level access on these networks, meaning they had access to all machines on the network,” Symantec’s researchers report.
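The Netlogon staging described above leaves two observable traces a defender can alert on: a new binary written into the Netlogon share (the `scripts` directory under SYSVOL on a domain controller) and, later, a process started from that share on a client during logon. The following is an added example, not code from the article or from Symantec, that applies both checks to Sysmon-style events (EventID 11 FileCreate with `TargetFilename`, EventID 1 ProcessCreate with `Image` and `ParentImage`). The sample events, the domain `corp.example` and the file name `infocol.exe` are constructed for the example; treating `userinit.exe` as the logon-time parent process is an assumption about a typical environment.

```python
import ntpath
import re
from typing import Dict, List

# Paths that resolve to the Netlogon share: the UNC share itself, as seen from a
# client, and its backing directory in SYSVOL on the domain controller.
NETLOGON_PATH = re.compile(
    r"(\\\\[^\\]+\\netlogon\\|\\sysvol\\[^\\]+\\scripts\\)", re.IGNORECASE
)

# Logon scripts (.bat/.cmd/.vbs/.ps1) are expected in Netlogon; compiled
# binaries normally are not, so they get a higher severity.
BINARY_EXT = {".exe", ".dll", ".scr", ".com"}
SCRIPT_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".js"}

# Assumption: processes whose parent is userinit.exe were started as part of
# the interactive logon sequence rather than by a user double-clicking a file.
LOGON_PARENTS = {"userinit.exe"}

# Constructed Sysmon-style events (not real telemetry): a legitimate logon
# script update, a binary dropped into the same folder, that binary running
# from the share at logon on a client, and an unrelated process start.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "Image": r"C:\Windows\System32\mmc.exe",
     "TargetFilename": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\logon.bat",
     "User": r"CORP\admin.jane"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\infocol.exe",
     "User": r"CORP\svc_backup"},
    {"EventID": 1, "Image": r"\\corp.example\NETLOGON\infocol.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "User": r"CORP\bob"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\bob"},
]


def inspect_event(ev: Dict[str, object]) -> List[Dict[str, str]]:
    """Return zero or more findings for a single Sysmon-style event."""
    findings: List[Dict[str, str]] = []
    if ev.get("EventID") == 11:  # FileCreate on the domain controller
        target = str(ev.get("TargetFilename", ""))
        if NETLOGON_PATH.search(target):
            ext = ntpath.splitext(target)[1].lower()
            if ext in BINARY_EXT:
                findings.append({"severity": "high",
                                 "rule": "binary-written-to-netlogon",
                                 "path": target, "user": str(ev.get("User", ""))})
            elif ext in SCRIPT_EXT:
                findings.append({"severity": "medium",
                                 "rule": "script-written-to-netlogon",
                                 "path": target, "user": str(ev.get("User", ""))})
    elif ev.get("EventID") == 1:  # ProcessCreate on a client
        image = str(ev.get("Image", ""))
        if NETLOGON_PATH.search(image):
            parent = ntpath.basename(str(ev.get("ParentImage", ""))).lower()
            severity = "high" if parent in LOGON_PARENTS else "medium"
            findings.append({"severity": severity,
                             "rule": "process-started-from-netlogon",
                             "path": image, "user": str(ev.get("User", ""))})
    return findings


def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Run inspect_event over a batch of events and collect all findings."""
    return [f for ev in events for f in inspect_event(ev)]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['rule']}: "
              f"{finding['path']} (user {finding['user']})")
```

Run against the constructed events, the scan reports the `.bat` update as medium, the `.exe` drop as high and the process started from `\\corp.example\NETLOGON\` under `userinit.exe` as high, while the unrelated `notepad.exe` start produces nothing. In production the same two rules would be fed from a SIEM, with the domain controllers’ SYSVOL path and the list of accounts allowed to change logon scripts used to suppress expected changes.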

According to the researchers, these operations may be part of a supply-chain attack whose ultimate goal is to reach the networks of some of the IT providers’ own customers.

IT providers are an ideal target for attackers because they have a high level of access to their clients’ computers. That access can be used to push malicious software updates to target machines and even to obtain remote access to client systems. It gives the attackers a way into the victims’ networks without having to compromise those networks directly, which may not be feasible against a robust security infrastructure, and it also reduces the risk that the attack is detected.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
