Tortoiseshell Initiates Fresh Wave of IMAPLoader Malware Attacks

The Iranian threat group identified as Tortoiseshell has been linked to a recent surge in watering hole attacks, with the intention of deploying a new malware strain named IMAPLoader.

IMAPLoader is a .NET-based malware capable of profiling victim systems using native Windows tools. It serves as a downloader for subsequent payloads, and according to PwC Threat Intelligence, it leverages email as a command-and-control channel, executing payloads extracted from email attachments through new service deployments.

Tortoiseshell, active since at least 2018, has a history of employing strategic website compromises to facilitate the dissemination of malware. In May, ClearSky associated this group with the breach of eight websites connected to Israeli shipping, logistics, and financial services companies.

Tortoiseshell is believed to have affiliations with the Islamic Revolutionary Guard Corps (IRGC) and is recognized by the broader cybersecurity community by various names, including Crimson Sandstorm (previously known as Curium), Imperial Kitten, TA456, and Yellow Liderc.

The recent series of attacks, occurring between 2022 and 2023, involves the insertion of malicious JavaScript into compromised legitimate websites to gather detailed information about visitors, including their location, device specifications, and visit times.

These intrusions predominantly targeted the maritime, shipping, and logistics sectors in the Mediterranean, sometimes leading to the deployment of IMAPLoader as a subsequent payload if the victim is considered high-value.

IMAPLoader is reported to have replaced a Python-based IMAP implant previously utilized by Tortoiseshell in late 2021 and early 2022, showcasing similarities in functionality.

This malware, as a downloader for subsequent payloads, queries hard-coded IMAP email accounts, specifically checking a mailbox folder misspelled as “Recive” to retrieve executables from email message attachments.

In an alternate attack chain, a Microsoft Excel decoy document serves as the initial vector to initiate a multi-stage process for the delivery and execution of IMAPLoader. This indicates that the threat actor employs diverse tactics and techniques to achieve its strategic objectives.

Some of which target the travel and hospitality sectors in Europe, using fake Microsoft sign-in pages for credential harvesting.

The threat actor continues to pose an active and persistent threat to various industries and countries, including the maritime, shipping, and logistics sectors in the Mediterranean, the nuclear, aerospace, and defense industries in the U.S. and Europe, and IT managed service providers in the Middle East.