
IMAPLoader Malware

The Iran-linked threat group Tortoiseshell has been tied to a recent surge in watering-hole attacks whose goal is to deploy a malware strain known as IMAPLoader.

IMAPLoader is a .NET malware that profiles the target system using native Windows tools. Its primary function is to act as a downloader for additional malicious payloads. It uses email (IMAP) as its Command-and-Control (C2, C&C) channel and executes payloads retrieved from email attachments. It also gains execution by installing new Windows services.

Tortoiseshell is a Threat Actor Associated with Numerous Attack Campaigns

Operating since at least 2018, Tortoiseshell has a track record of employing strategic compromises of websites to facilitate malware distribution. In early 2023, researchers identified the group as responsible for breaching eight websites linked to shipping, logistics, and financial services companies in Israel.

The group is associated with the Islamic Revolutionary Guard Corps (IRGC) and is tracked by the broader cybersecurity community under various names, including Crimson Sandstorm (previously Curium), Imperial Kitten, TA456 and Yellow Liderc.

In the recent wave of attacks spanning 2022 to 2023, the group embedded malicious JavaScript into compromised legitimate websites. The script gathered detailed information about visitors, including their location, device details and the timing of their visits.

The specific targets of these intrusions were the maritime, shipping, and logistics sectors in the Mediterranean region. In certain instances, these attacks led to the deployment of IMAPLoader as a subsequent payload, especially when the victim was deemed a high-value target.

The IMAPLoader Malware is an Essential Component in a Multi-Stage Attack Chain

IMAPLoader is believed to be a replacement for a Python-based IMAP implant Tortoiseshell used in late 2021 and early 2022, based on the similarity of their functionality. The malware acts as a downloader for next-stage payloads by logging in to hard-coded IMAP email accounts and checking a mailbox folder misspelled as 'Recive' (for 'Receive'), from which it retrieves executables carried as message attachments.
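The mechanism above (polling a fixed IMAP folder and pulling executables out of attachments) gives a defender two concrete things to look for. The following is an added example, not code from the original page or from any vendor's tooling: it scans constructed plaintext IMAP command lines (as a TLS-terminating mail proxy or a Zeek-style log would record them) for a SELECT or EXAMINE of the misspelled 'Recive' mailbox, and it parses a constructed email to flag any attachment whose bytes begin with the PE 'MZ' header regardless of the declared filename or MIME type. The mailbox name is taken from the text; the log format, account names and attachment bytes are assumptions made for the example.

```python
"""Detection helpers for IMAPLoader-style IMAP C2 (added example, not from the page).

Check 1: flag IMAP SELECT/EXAMINE commands targeting the 'Recive' mailbox.
Check 2: flag email attachments that are PE executables (start with 'MZ'),
         whatever extension or Content-Type they claim.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Mailbox name the page reports IMAPLoader polling (note the misspelling).
SUSPICIOUS_MAILBOXES = {"recive"}

# IMAP command line: <tag> SELECT|EXAMINE <mailbox>, mailbox optionally quoted.
# Assumed log format: one raw IMAP client command per line.
_SELECT_RE = re.compile(
    r'^(?P<tag>\S+)\s+(?P<cmd>SELECT|EXAMINE)\s+"?(?P<mbox>[^"\s]+)"?',
    re.IGNORECASE,
)


def find_suspicious_selects(log_lines):
    """Return (line_no, mailbox) for every SELECT/EXAMINE of a flagged mailbox."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = _SELECT_RE.match(line.strip())
        if m and m.group("mbox").lower() in SUSPICIOUS_MAILBOXES:
            hits.append((n, m.group("mbox")))
    return hits


def find_pe_attachments(raw_message: bytes):
    """Return filenames of attachments whose decoded payload starts with the
    PE/DOS 'MZ' magic. Decoding happens before the check, so base64 transfer
    encoding does not hide the header."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


# Constructed sample IMAP session (assumed format; not a real capture).
SAMPLE_IMAP_LOG = [
    "a001 LOGIN user@example.invalid secret",
    "a002 SELECT INBOX",
    'a003 SELECT "Recive"',
    "a004 FETCH 1 (BODY[])",
    "a005 EXAMINE Sent",
]


def build_sample_message() -> bytes:
    """Constructed sample email: one fake PE disguised as a PDF, one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "ops@example.invalid"
    msg["To"] = "dropbox@example.invalid"
    msg["Subject"] = "report"
    msg.set_content("see attached")
    # Not a real executable: just the DOS 'MZ' stub bytes a PE file starts with.
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"%PDF-1.4 benign", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("suspicious mailbox selects:", find_suspicious_selects(SAMPLE_IMAP_LOG))
    print("PE attachments:", find_pe_attachments(build_sample_message()))
```

Both checks are cheap enough to run inline on a mail gateway or over stored IMAP proxy logs; the attachment check is the more durable of the two, since the actor can rename the mailbox far more easily than it can stop shipping executables through attachments.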

In an alternate attack chain, a Microsoft Excel decoy document is used as an initial vector to kick-start a multi-stage process to deliver and execute IMAPLoader, indicating that the threat actor is using numerous tactics and techniques to realize its strategic goals.

Researchers also have discovered phishing sites created by Tortoiseshell, some of which are aimed at the travel and hospitality sectors within Europe, to conduct credential harvesting using fake Microsoft sign-in pages.

This threat actor remains an active and persistent threat to many industries and countries, including the maritime, shipping and logistics sectors within the Mediterranean; the nuclear, aerospace and defense industries in the U.S. and Europe; and IT managed service providers in the Middle East.
