Executive Summary
Tortoiseshell is an Iranian threat actor group, also known as Imperial Kitten, Yellow Liderc, Crimson Sandstorm, and TA456. It is aligned with the Iranian Revolutionary Guard Corps (IRGC). A new wave of watering-hole attacks that deploys a malware known as iMAPLoader has been attributed to Tortoiseshell. A watering-hole attack is a cyberattack in which the attacker compromises a website or online resource frequently visited by the intended victims. Besides the current iMAPLoader technique, the group is also associated with other campaigns, including those known as LEMPO and SysKit. The Microsoft .NET software framework appears to be the common element across the attack campaigns used by this threat actor.
The threat actor poses a threat to many industries and countries, including the maritime, shipping and logistics sectors within the Mediterranean; nuclear, aerospace and defense industries in the US and Europe; and IT managed service providers in the Middle East.
Tortoiseshell has been active since 2018, with new campaigns appearing in 2022 and 2023. The group has been observed using a wide variety of tactics and techniques to infect victims; however, its attacks are trending toward increased use of the iMAPLoader technique.
Malware Analysis: iMAPLoader
Attack Vector
An initial attack vector seen used by this threat actor group is phishing emails that deliver a Microsoft Excel decoy document as the first step of a multi-stage process. The group has also been seen attempting credential-harvesting attacks using fake Microsoft sign-in pages.
Attack Details
The first stage of the attack is reconnaissance. The attack starts by embedding malicious JavaScript in a compromised, legitimate website to gather intelligence about its visitors, including their location, device information, and time of visit.
Stage 2 delivers a follow-up payload known as IMAPLoader to visitors the actor deems high-value targets. IMAPLoader is a .NET malware that can fingerprint victim systems using native Windows utilities and download further payloads. The group uses the Excel-DNA XLL plugin, which enables .NET integration into Microsoft Excel files.
Stage 3 uses a DLL side-loading technique with a file labeled JobTitle.dll. This executable writes a C# source code file to disk, which is then compiled into a .NET DLL called sign.dll.
The last stage establishes C2 communication channels. Fingerprinting is repeated at every new payload execution. The malware creates new processes and executes cmd.exe.
Tactics, Techniques, and Procedures (TTPs)
TTPs (Tactics, Techniques, and Procedures) describe the methods, strategies, and specific actions that cyber threat actors, such as hackers and malware authors, use to achieve objectives such as unauthorized access, data theft, or disruption.
Resource Development
- T1585.002 - Establish Accounts: Email Accounts
- T1587.001 - Develop Capabilities: Malware
Compromise Infrastructure
- T1584 - Compromise Infrastructure
Reconnaissance
- T1592 - Gather Victim Host Information
Initial Access
- T1189 - Drive-by Compromise
Execution
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1204.002 - User Execution: Malicious File
Persistence
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion
- T1036.004 - Masquerading: Masquerade Task or Service
- T1055.001 - Process Injection: Dynamic-link Library Injection
Discovery
- T1082 - System Information Discovery
- T1016 - System Network Configuration Discovery
- T1033 - System Owner/User Discovery
- T1083 - File and Directory Discovery
Command and Control
- T1071.003 - Application Layer Protocol: Mail Protocols
Exfiltration
- T1041 - Exfiltration Over C2 Channel
Malware Analysis: LEMPO
Attack Vector
The initial attack vector used in this campaign is phishing emails containing a OneDrive URL and an Excel sheet embedded with malicious macros. Most of these behaviors are blocked by Proofpoint.
Attack Details
Stage one starts by sending the victim an email containing a .xlsm file, which carries an ingenious plaintext stealer written in Visual Basic Script (VBS).
The Excel macro adds a registry Run key value (HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Schedule /t REG_SZ /d C:\Users\[redacted_username]\AppData\Perflog\Schedule.vbs /f) to ensure the malware is run upon user login.
Stage three involves a command-and-control server used to deliver a remote access trojan, referred to as LEMPO, that performs reconnaissance on the victim. The collected data is recorded and then exfiltrated to an actor-controlled email account using Microsoft’s Collaboration Data Objects (CDO). CDO, previously known as OLE Messaging or Active Messaging, is an application programming interface included with Microsoft Windows and Microsoft Exchange Server products.
LEMPO checks connectivity by reaching out to Yandex, Google, Yahoo, GitHub, Mailchimp, Mega, arXiv, and Twitter using ping and curl.
After finishing that additional reconnaissance, LEMPO moves Logs.txt from %temp% to \Perflog. It then checks that the registry key mentioned above has been added and uses the findstr command to identify files containing “user,” “pass,” and “vpn.” findstr returns any matching lines, which could expose usernames and passwords stored on the computer. Logs.txt is then compressed into Logs.zip.
The last stage is exfiltration. LEMPO uses hardcoded credentials with Microsoft’s CDO to exfiltrate the information over SMTPS on port 465.
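The iMAPLoader stage chain described under “Malware Analysis: iMAPLoader” and the LEMPO chain above can both be expressed as endpoint detection rules. This is an added example, not code from the report or from any vendor: it runs simple rules over constructed, Sysmon-like event records, and the field names, the wscript/cscript process assumed for the VBS stealer, and the sample telemetry are this example's assumptions.

```python
# Added example (not from the original report): detection logic a defender could run over
# endpoint telemetry to spot the iMAPLoader and LEMPO behaviour chains described above.
# Records use a simplified, constructed Sysmon-like dict form; the field names and the
# wscript/cscript assumption for the VBS stealer are this example's, not the report's.

def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def detect_imaploader(events):
    """Stage 3/4 indicators: Excel spawning cmd.exe and the named DLL artefacts appearing."""
    hits = set()
    for e in events:
        if e["kind"] == "process" and _base(e["image"]) == "cmd.exe" \
                and _base(e.get("parent", "")) == "excel.exe":
            hits.add("excel_spawned_cmd")
        if e["kind"] == "file" and _base(e["path"]) in {"sign.dll", "jobtitle.dll"}:
            hits.add("named_dll_dropped")
    return sorted(hits)

def detect_lempo(events):
    """Run-key persistence into Perflog, findstr credential sweep, SMTPS from a script host."""
    hits = set()
    for e in events:
        if e["kind"] == "registry" and e["key"].lower().endswith("\\currentversion\\run") \
                and e["value"].lower() == "schedule" and "\\perflog\\" in e["data"].lower():
            hits.add("run_key_schedule_vbs")
        if e["kind"] == "process" and _base(e["image"]) == "findstr.exe" \
                and sum(t in e["cmdline"].lower() for t in ("user", "pass", "vpn")) >= 2:
            hits.add("findstr_credential_sweep")
        if e["kind"] == "network" and e.get("dport") == 465 \
                and _base(e["image"]) in {"wscript.exe", "cscript.exe"}:
            hits.add("script_host_smtps_465")
    return sorted(hits)

# Constructed sample telemetry for one host (not real captured data).
EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c systeminfo",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"kind": "file", "path": r"C:\Users\victim\AppData\Local\Temp\sign.dll"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Schedule", "data": r"C:\Users\victim\AppData\Perflog\Schedule.vbs"},
    {"kind": "process", "image": r"C:\Windows\System32\findstr.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": 'findstr /s /i "user pass vpn" *.txt'},
    {"kind": "network", "image": r"C:\Windows\System32\wscript.exe", "dport": 465},
]

if __name__ == "__main__":
    print("iMAPLoader:", detect_imaploader(EVENTS))
    print("LEMPO:", detect_lempo(EVENTS))
```

Each rule fires on a single record, so in production the hits should be correlated per host over a short window rather than alerted on individually.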
Tactics, Techniques, and Procedures (TTPs)
Initial Access
- T1566 - Social Engineering
Execution
- T1204.002 - Malicious Attachment
- T1204.002 - Macro Execution
Persistence
- T1547.001 - Registry Run Keys/Startup Folder
Command and Control
- T1041 - Exfiltration Over Command-and-Control Channel
Collection
- T1113 - Screen Capture
- T1056 - Input Capture
Exfiltration
- T1041 - Exfiltration Over Command-and-Control Channel
- T1048 - Exfiltration Over Alternative Protocol
Defense Evasion
- T1140 - Deobfuscate/Decode Files or Information
- T1036 - Masquerading
- T1027 - Obfuscated Files or Information
Discovery
- T1012 - Query Registry
- T1082 - System Information Discovery
- T1016 - System Network Configuration Discovery
- T1087 - Account Discovery
- T1083 - File and Directory Discovery
Impact
- T1485 - Data Destruction
Malware Analysis: SysKit
Attack Vector
This malware is a custom backdoor that can download and execute additional tools and commands. Tortoiseshell has developed it in both Delphi and .NET. The threat actor has also been observed using PowerShell backdoors.
Attack Details
Backdoor.Syskit is run with the “-install” parameter to install itself. Its primary functionality is as follows: it reads the config file %Windir%\temp\rconfig.xml, then writes the Base64 encoding of an AES-encrypted (with key "fromhere") version of the data in the "url" element of the XML.
This is stored in the registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\Enablevmd.
The malware connects to a command-and-control server, and data is sent to the server Base64-encoded. The backdoor can also receive commands to kill its process, or a variety of file commands such as deleting the config file.
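The SysKit artefacts above (the rconfig.xml "url" element and the Enablevmd registry value) lend themselves to a small triage script. This is an added example, not SysKit code or the report's own tooling: the registry export line format is constructed, the .invalid URL is a placeholder, and the block-alignment check assumes a padded block mode such as the CBC/PKCS7 default of .NET's AES classes; because the page does not document how "fromhere" is expanded into an AES key, no decryption is attempted.

```python
# Added example (not from the original report): triage helpers for the SysKit artefacts
# described above, namely the "url" element of rconfig.xml and the Enablevmd registry
# value. The report states the value holds Base64 of AES ciphertext, so under a padded
# block mode (the .NET default) a genuine hit decodes to a whole number of 16-byte blocks.
# The expansion of "fromhere" into an AES key is not on the page, so nothing is decrypted.
import base64
import binascii
import xml.etree.ElementTree as ET

# Registry value named in the report (matched case-insensitively below).
ENABLEVMD_PATH = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\Enablevmd"

def extract_config_url(xml_text):
    """Return the text of the <url> element of an rconfig.xml body, or None if absent."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "url" else root.find(".//url")
    return node.text.strip() if node is not None and node.text else None

def enablevmd_looks_like_syskit(data):
    """True when data is strict Base64 that decodes to a non-empty multiple of 16 bytes."""
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % 16 == 0

def triage_registry_export(lines):
    """Scan 'value_path=data' lines (a constructed export format) for the Enablevmd artefact."""
    findings = []
    for line in lines:
        path, sep, data = line.partition("=")
        if sep and path.strip().lower() == ENABLEVMD_PATH.lower():
            data = data.strip()
            findings.append((data, enablevmd_looks_like_syskit(data)))
    return findings

# Constructed sample inputs (not real SysKit configuration or ciphertext).
SAMPLE_XML = "<config><url>http://c2.example.invalid/gate</url></config>"
SAMPLE_ENABLEVMD = base64.b64encode(b"\x00" * 32).decode()   # 32 bytes = two AES blocks
SAMPLE_EXPORT = [
    ENABLEVMD_PATH + "=" + SAMPLE_ENABLEVMD,
    r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Updater=C:\tools\updater.exe",
]

if __name__ == "__main__":
    print("url:", extract_config_url(SAMPLE_XML))
    print("findings:", triage_registry_export(SAMPLE_EXPORT))
```

A value that fails the shape check is not proof of absence; the presence of any data under Enablevmd in the Policies\System key is itself worth a closer look on a host where the rest of the chain is suspected.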
Tactics, Techniques, and Procedures (TTPs)
Initial Access
- T1190 - Compromised Web Server
Execution
- T1204.002 - Custom Malware Execution
- T1202 - Living off the Land (LotL)
Persistence
- T1547.001 - Registry Modification for Persistence
Collection
- T1005 - Information Gathering
- T1002 - Data Compression
Command and Control
- T1043 - Communication Through C&C Server
- T1102.001 - C&C URL Construction
Defense Evasion
- T1070.004 - Deletion of Configuration Files
- T1489 - Service Termination
Lateral Movement
- T1021.001 - Deployment to Netlogon Folder