Cybercriminal group Tortoiseshell has expanded its cyber espionage operations.
Cybercriminal group Tortoiseshell, affiliated with Iran, has expanded its list of victims, adding representatives of new industries from different countries.
According to Facebook experts, Tortoiseshell has recently been attacking the military, as well as defense and aerospace organizations, mainly in the United States. In addition, hackers (albeit to a lesser extent) target victims in the UK and Europe, indicating an escalation of their cyber espionage operations.
The Tortoiseshell group, active since 2018, previously attacked IT organizations in the Middle East, mainly in Saudi Arabia, using the Syskit backdoor, which collects a range of information from a compromised computer and sends it to a C&C server controlled by the attackers.
In 2019, Cisco Talos uncovered a Tortoiseshell malware campaign against US military veterans using Syskit. The hackers deployed fake websites that supposedly help veterans find work, but in fact infected their devices with spyware and other malware.
Now, Facebook has reported on the measures it took against a similar campaign, in which the same Iranian group used Facebook to trick victims into downloading malware. The campaign targeted users mainly in the US and, to a lesser extent, in the UK and Europe.
The activity Facebook observed was part of a broader cross-platform cyber espionage operation in which the social network was used only for the social engineering stage, not for direct delivery of malware: victims were first approached on Facebook and then lured to other platforms, where the infection took place.
As part of the operation, Tortoiseshell operators registered fake profiles on various platforms, through which they contacted targeted individuals and tricked them into clicking on malicious links. The attackers used several platforms and, in some cases, spent several months building rapport with a victim before delivering the malicious link.
The operators posed as recruiters and employees of defense and aerospace companies, journalists, representatives of non-profit organizations, and staff from the hospitality, healthcare and airline industries.
The group uses custom malware, including remote access Trojans, reconnaissance tools, keyloggers, and modified versions of Syskit. The developer of one of these tools is believed to be the Tehran IT company Mahak Rayan Afraz (MRA), which has been linked to the Islamic Revolutionary Guard Corps.