In some cases the attackers managed to gain administrator privileges and infected several hundred computers.
“Another notable element of this attack is that, on two of the compromised networks, several hundred computers were infected with malware. This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them”, Symantec specialists report.
The group uses a malware called Backdoor.Syskit, which exists in Delphi and .NET versions. With this backdoor, the attackers can download and execute additional tools and commands.
To install itself, Backdoor.Syskit is launched with the “-install” option. The malware collects the victim's IP address, the name and version of the operating system, and MAC addresses, and sends them to the C&C server using the URL stored in the Sendvmd registry key. Data sent to the C&C server is encoded with Base64.
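As an added illustration of how a defender might hunt for the Base64-encoded host-fingerprint beacon described above (example code, not from the article or from Symantec): the script decodes POST bodies in constructed proxy log lines and flags those that carry an IP address, an OS string and a MAC address together. The log layout and the field format of the decoded beacon are assumptions; the page does not give Syskit's real message format.

```python
import base64
import binascii
import re

# Constructed sample beacon (assumed "ip|os|mac" layout, not Syskit's real format).
_FAKE_BEACON = base64.b64encode(b"10.0.0.12|Windows 7 SP1|00:0C:29:4E:B3:7A").decode()

# Constructed proxy log lines: "timestamp client method url body" (body is "-" when empty).
SAMPLE_LOGS = [
    "2019-09-18T10:01:02Z 10.0.0.12 POST http://c2.example.invalid/upload " + _FAKE_BEACON,
    "2019-09-18T10:01:05Z 10.0.0.13 POST http://app.example.invalid/api aGVsbG8gd29ybGQ=",
    "2019-09-18T10:01:09Z 10.0.0.14 GET http://app.example.invalid/index.html -",
]

MAC_RE = re.compile(rb"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
OS_RE = re.compile(rb"Windows|Linux|Darwin", re.IGNORECASE)


def decode_body(body: str):
    """Return the Base64-decoded body, or None if it is empty or not valid Base64."""
    if body == "-" or len(body) < 8:
        return None
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def fingerprint_indicators(data: bytes) -> set:
    """Which host-fingerprint fields (ip, os, mac) appear in a decoded body."""
    found = set()
    if IPV4_RE.search(data):
        found.add("ip")
    if OS_RE.search(data):
        found.add("os")
    if MAC_RE.search(data):
        found.add("mac")
    return found


def scan_log(lines):
    """Flag POSTs whose Base64 body decodes to at least two fingerprint fields."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "POST":
            continue
        _ts, client, _method, url, body = parts
        data = decode_body(body)
        if data is None:
            continue
        indicators = fingerprint_indicators(data)
        if len(indicators) >= 2:
            hits.append({"client": client, "url": url, "indicators": sorted(indicators),
                         "decoded": data.decode("latin-1")})
    return hits
```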
“On at least two victim networks, Tortoiseshell deployed its information gathering tools to the Netlogon folder on a domain controller. This results in the information gathering tools being executed automatically when a client computer logs into the domain. This activity indicates the attackers had achieved domain admin level access on these networks, meaning they had access to all machines on the network”, Symantec researchers report.
According to the researchers, these operations may be part of a supply chain attack, with the ultimate goal of gaining access to the networks of some of the IT providers' customers.