Tortoiseshell: A group tracked since mid-2018 is using custom and publicly available malware to target IT providers in what are suspected to be supply chain attacks. The main targets have been in Saudi Arabia, and the group is believed to be compromising IT providers in order to reach those providers' clients. By using custom malware written in Delphi and .NET, the group evaded some of the detection controls its targets had in place. In at least one case the group reportedly gained initial access through a compromised web server rather than through phishing, which removes the need to research an individual and craft a convincing lure. In one instance the group had infected over 200 machines on a single network before its campaign ended, an unusually large footprint; the likely explanation is that the group kept compromising machines until it found one holding the domain admin-level credentials it was after. Tortoiseshell's custom malware is Backdoor.Syskit, a basic backdoor that lets the group download and execute additional files and malware on an infected machine, making it the central component of the intrusion. On check-in the backdoor sends the command-and-control (C&C) server the computer's IP address, operating system and MAC address, so the attacker can decide which files to push to each infected device.
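The 200-machine footprint above is itself a detection opportunity: a download-and-execute backdoor that is pushed to host after host leaves the same unknown binary appearing on many machines in a short window. The following hunt is an added example written for this page, not code from the original article or from any vendor report; the process-creation events, file hashes and host names are constructed, and the event schema, the known-good baseline and the thresholds are assumptions, not indicators tied to Tortoiseshell.

```python
"""Hunt for one unknown executable hash appearing on many hosts in a short window.

Added example for this page; the events, hashes and thresholds below are
constructed assumptions, not indicators from any report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events: (timestamp, host, image path, sha256).
# Hash values are placeholders; real events would carry full SHA-256 digests.
SAMPLE_EVENTS = [
    ("2019-09-01T08:00:00", "ws-001", r"C:\Windows\System32\svchost.exe", "hash-svchost"),
    ("2019-09-01T08:00:05", "ws-002", r"C:\Windows\System32\svchost.exe", "hash-svchost"),
    ("2019-09-01T08:01:00", "ws-001", r"C:\Users\a\AppData\Local\Temp\update.exe", "hash-unknown-1"),
    ("2019-09-01T08:03:00", "ws-002", r"C:\Users\b\AppData\Local\Temp\update.exe", "hash-unknown-1"),
    ("2019-09-01T08:04:00", "ws-003", r"C:\Users\c\AppData\Local\Temp\update.exe", "hash-unknown-1"),
    ("2019-09-01T08:06:00", "ws-004", r"C:\Users\d\AppData\Local\Temp\update.exe", "hash-unknown-1"),
    ("2019-09-01T14:00:00", "ws-005", r"C:\Users\e\AppData\Local\Temp\update.exe", "hash-unknown-1"),
    ("2019-09-01T08:02:00", "ws-003", r"C:\Tools\putty.exe", "hash-putty"),
    ("2019-09-01T08:02:30", "ws-004", r"C:\Tools\putty.exe", "hash-putty"),
]

# Assumed baseline of hashes the organisation already trusts (OS binaries,
# approved software). Anything here is skipped; everything else is a candidate.
KNOWN_GOOD = {"hash-svchost"}


def find_mass_deployments(events, min_hosts=3, window=timedelta(hours=1),
                          known_good=KNOWN_GOOD):
    """Return {sha256: sorted host list} for every hash outside the baseline
    that was first seen on at least `min_hosts` distinct hosts within any
    `window`-long period. Only the largest such cluster per hash is reported."""
    by_hash = defaultdict(list)
    for ts, host, _image, sha in events:
        if sha in known_good:
            continue
        by_hash[sha].append((datetime.fromisoformat(ts), host))

    hits = {}
    for sha, sightings in by_hash.items():
        # Reduce to the first time each host ran this hash; repeat executions
        # on one machine must not inflate the host count.
        first_seen = {}
        for t, host in sightings:
            if host not in first_seen or t < first_seen[host]:
                first_seen[host] = t
        ordered = sorted(first_seen.items(), key=lambda kv: kv[1])

        # Sliding window over first-seen times: hosts whose first execution
        # falls within `window` of each other form one deployment cluster.
        best, start = [], 0
        for end in range(len(ordered)):
            while ordered[end][1] - ordered[start][1] > window:
                start += 1
            cluster = [h for h, _ in ordered[start:end + 1]]
            if len(cluster) >= min_hosts and len(cluster) > len(best):
                best = cluster
        if best:
            hits[sha] = sorted(best)
    return hits


if __name__ == "__main__":
    for sha, hosts in find_mass_deployments(SAMPLE_EVENTS).items():
        print(f"{sha}: {len(hosts)} hosts within one hour -> {hosts}")
```

In the constructed data only `hash-unknown-1` trips the rule: four workstations run it within five minutes from per-user Temp directories, while the fifth sighting six hours later falls outside the window and the two-host `putty.exe` cluster stays below the threshold. In practice the baseline would be built from software inventory rather than a hard-coded set, and the host threshold tuned to the size of the network so that legitimate patch rollouts are excluded or allowlisted by hash.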
By: Dan McNemar It is not a new concept that criminals use the Darknet to