IMAPLoader: The New Tool in Tortoiseshell’s Cyber Arsenal
The Iranian hacker group, dubbed Tortoiseshell, caught the attention of PwC specialists due to their new wave of attacks aimed at deploying malicious software known as IMAPLoader.
IMAPLoader is .NET-based malware that fingerprints victim systems using built-in Windows utilities. It operates as a loader for additional modules and uses email as its command-and-control channel: it can retrieve malicious modules from email attachments and execute them.
Since 2018, Tortoiseshell has been exploiting website vulnerabilities to propagate its malware. This year in May, the group was implicated in the breach of eight websites affiliated with maritime operations, logistics, and financial services in Israel.
This faction, also known under monikers like Crimson Sandstorm, Imperial Kitten, TA456, and Yellow Liderc, is believed to be aligned with the Islamic Revolutionary Guard Corps (IRGC).
The latest spate of Tortoiseshell’s attacks, spanning 2022 to 2023, involves embedding malicious JavaScript code into compromised legitimate websites to profile visitors, capturing their location, device information, and visit timestamps. The hackers primarily targeted the maritime and logistics sectors in the Mediterranean region.
IMAPLoader is purportedly the successor to a Python-based IMAP implant that Tortoiseshell previously employed. IMAPLoader acts as a next-stage malware loader, tapping into hard-coded IMAP email accounts to extract executable files from email attachments.
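A mail-gateway check for the attachment behaviour described above (an executable riding in a mailbox under a benign name and MIME type), written as an added example for this article rather than code from PwC or the page; the sample message and the minimal PE-like blob are constructed.

```python
"""Flag e-mail attachments whose decoded body is a Windows PE image,
regardless of the filename or Content-Type they declare."""
import base64
import struct
from email import message_from_bytes


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_pe_attachments(raw_message: bytes) -> list:
    """Return (filename, declared content type) for every leaf MIME part
    that decodes to a PE image, whatever the headers claim it is."""
    msg = message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/QP encoding
        if looks_like_pe(payload):
            hits.append((part.get_filename() or "<unnamed>", part.get_content_type()))
    return hits


# Constructed stand-in for an executable: MZ header, e_lfanew = 0x40,
# 'PE\0\0' at offset 0x40. Not a real binary and not an IMAPLoader sample.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16

# Constructed message: the PE blob is base64-encoded and labelled as a PNG.
SAMPLE_EML = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: update\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--b1\r\nContent-Type: image/png\r\n"
    b"Content-Disposition: attachment; filename=\"photo.png\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.encodebytes(FAKE_PE)
    + b"\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(find_pe_attachments(SAMPLE_EML))  # [('photo.png', 'image/png')]
```

Running the same check over messages pulled from a monitored mailbox gives a cheap way to spot executables parked in mail storage, independent of the extension the sender chose.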
One attack scheme incorporates a Microsoft Excel document as the initial vector, triggering a multi-stage IMAPLoader delivery and execution process. This suggests that the hackers employ diverse tactics and methods to achieve their strategic objectives.
PwC experts also identified phishing websites crafted by Tortoiseshell, some targeting the travel and hospitality sectors in Europe. PwC emphasized the continuing threat this hacker group poses to various industries and regions, including the Mediterranean, the U.S., and Europe.